A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. Threat intelligence is becoming more important to security operations as SOAR platforms and other tools get better at quickly aggregating data from many sources. Good contextual information about a security incident transforms the incident response process, making analysts smarter, faster, and more decisive in their actions. In his new article for SecurityWeek, Stan discusses four use cases for threat intelligence that are especially relevant to incident response, and the drivers behind the current and future growth of the threat intelligence market.
In this excerpt, Stan describes how incident responders can use threat intelligence for automated threat enrichment:
Incident response and SOAR platforms can interface with threat intelligence platforms to enrich event alerts from a variety of tools—including SIEM—with contextual data that helps eliminate false positives, and identify and convict real incidents. In automated platforms, potential threat indicators from a SIEM alert are automatically looked up in integrated threat intelligence platforms, giving analysts a full picture of the threat by the time they open the incident report.
Threat intelligence lookups can also be done as a proactive step during an investigation. Analysts can manually conduct queries about entities while evaluating an incident. For example, an IP address from a historical incident could be checked against a threat intelligence database and blacklisted if it is known to be malicious.
This article can be found in its entirety on SecurityWeek.
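What the automated lookup and the follow-on blocklisting step look like in code, as an added example written for this post rather than code from D3, any SOAR product, or the SecurityWeek article: the key=value alert format, the field names, the sample SIEM alerts and the threat-intelligence feed are all constructed for illustration (the one real value is the EICAR test-file MD5), and the local dictionary stands in for the threat intelligence platform integration a SOAR platform would query. Internal addresses are filtered before lookup, the alert's verdict is the worst verdict among its indicators, and only high-confidence malicious IPs make the blocklist, since a "suspicious" scanner tag is grounds for a closer look, not an automatic block.

```python
"""Automated threat-intelligence enrichment of SIEM alerts (added example).

Everything below is constructed for illustration: the alert format, the
field names, the sample alerts and the TI feed. TI_FEED stands in for a
lookup against an integrated threat intelligence platform.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed TI feed: indicator -> context an analyst wants at triage time.
# The MD5 is the well-known EICAR test-file hash; the IPs are documentation
# addresses (RFC 5737), not real infrastructure.
TI_FEED = {
    "203.0.113.45": {"verdict": "malicious", "tags": ["c2", "beaconing"], "confidence": 90},
    "198.51.100.7": {"verdict": "suspicious", "tags": ["scanner"], "confidence": 40},
    "44d88612fea8a8f36de82e1278abb02f": {"verdict": "malicious", "tags": ["eicar-test"], "confidence": 100},
}

# Constructed SIEM alerts in a key=value layout (the layout is an assumption).
SAMPLE_ALERTS = [
    'id=1001 rule="outbound_beacon" src=10.0.0.12 dst=203.0.113.45 dport=443',
    'id=1002 rule="port_scan" src=198.51.100.7 dst=10.0.0.5',
    'id=1003 rule="av_hit" host=ws-17 md5=44d88612fea8a8f36de82e1278abb02f',
    'id=1004 rule="outbound_beacon" src=10.0.0.9 dst=203.0.113.200 dport=443',
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Internal ranges that should never be sent to an external TI lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

VERDICT_RANK = {"unknown": 0, "benign": 1, "suspicious": 2, "malicious": 3}
BLOCK_CONFIDENCE = 80  # assumed threshold for automatic blocklisting


def is_internal(ip: str) -> bool:
    """True for RFC 1918/loopback/link-local addresses and for malformed ones."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # e.g. "999.1.1.1" matched the regex; not worth a lookup
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(alert: str) -> List[str]:
    """Pull routable IPv4 addresses and MD5 hashes out of a raw alert line."""
    indicators = [ip for ip in IPV4_RE.findall(alert) if not is_internal(ip)]
    indicators.extend(h.lower() for h in MD5_RE.findall(alert))
    return indicators


def lookup(indicator: str, feed: Dict[str, dict] = TI_FEED) -> dict:
    """Stand-in for the TI platform query a SOAR integration would make."""
    return feed.get(indicator, {"verdict": "unknown", "tags": [], "confidence": 0})


@dataclass
class EnrichedAlert:
    alert_id: str
    rule: str
    indicators: Dict[str, dict] = field(default_factory=dict)  # indicator -> TI context
    verdict: str = "unknown"  # worst verdict seen across the alert's indicators


def enrich(alert: str, feed: Dict[str, dict] = TI_FEED) -> EnrichedAlert:
    """Attach TI context to one alert so the analyst opens it already enriched."""
    alert_id = re.search(r"\bid=(\S+)", alert)
    rule = re.search(r'rule="([^"]*)"', alert)
    result = EnrichedAlert(alert_id=alert_id.group(1) if alert_id else "?",
                           rule=rule.group(1) if rule else "?")
    for indicator in extract_indicators(alert):
        ctx = lookup(indicator, feed)
        result.indicators[indicator] = ctx
        if VERDICT_RANK[ctx["verdict"]] > VERDICT_RANK[result.verdict]:
            result.verdict = ctx["verdict"]
    return result


def triage(alerts: List[str], feed: Dict[str, dict] = TI_FEED) -> Tuple[List[EnrichedAlert], List[str]]:
    """Enrich every alert and build a blocklist of high-confidence malicious IPs."""
    enriched = [enrich(a, feed) for a in alerts]
    blocklist = sorted({
        ind for e in enriched for ind, ctx in e.indicators.items()
        if ctx["verdict"] == "malicious" and ctx["confidence"] >= BLOCK_CONFIDENCE
        and IPV4_RE.fullmatch(ind)  # hashes are not firewall rules
    })
    return enriched, blocklist


if __name__ == "__main__":
    enriched_alerts, block_ips = triage(SAMPLE_ALERTS)
    for e in enriched_alerts:
        print(f"alert {e.alert_id} ({e.rule}): verdict={e.verdict} indicators={e.indicators}")
    print("blocklist:", block_ips)
```

Running the block prints one enriched line per alert and a blocklist containing only the C2 address; the scanner IP is flagged suspicious for the analyst but is not blocked, and the unknown destination in alert 1004 comes back with empty context, which is itself useful: the analyst knows the lookup happened and found nothing.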