In today’s escalating threat landscape, Security Operations Center (SOC) teams face a constant cat-and-mouse battle against adversaries as they try to stay one step ahead. This situation isn’t helped by the fragmented tools, multiple data feeds, and data silos they must contend with. Likewise, with so many security vendors offering different approaches and solutions, how do they know which cybersecurity solutions they should invest in?
Making any security purchase is always an onerous task as SOC decision-makers analyze what questions to ask and what tools and solutions best fit their environment. However, SOC teams must equip themselves for the cyberthreat landscape they face, and many are now establishing their own threat intelligence operations and capabilities.
Sifting Through Mountains of Disparate Data
In the process of building out their threat intelligence capability, many SOC teams acquire multiple data feeds—from commercial sources, open source, the industry, and their existing security vendors—each in a different format. They soon realize they lack the manpower and technology to programmatically sift through mountains of disparate global data and use it. Without the proper resources, the data they’ve invested in becomes more noise, potentially generating many false positives.
Many organizations also fail to incorporate internal data into their threat intelligence. This is the telemetry, content, and data created by each layer in their security architecture, on-premises and in the cloud. It also includes data from modern security tools and technologies. Not only is this data high-fidelity, but it’s also free.
Numerous organizations invest in a threat intelligence platform (TIP) to use this data more productively. Selecting a TIP is important as it is the foundation for the entire security operations program. It allows teams to understand and act upon the highest-priority threats they face while enabling them to get more from their existing resources.
Not All Technology Vendor Solutions are Created Equal
But what are the essential capabilities SOC teams should look for in a TIP? It is important to note that not all technology vendor solutions are created equal. Below, we outline the core questions that SOC teams should ask vendors to make the best decision about which TIP to implement in their SOC.
It is worth noting that SOC teams should view the selection process as a journey, not a simple product purchase, as the vendor they select must have the capacity to become a strategic partner. Factors to consider include platform maturity, service and support, user base, company track record, and specific use cases.
The Benefits of a TIP
If the business asks why the SOC team needs a TIP, the answer is that it delivers plenty of benefits: it can reduce risk, improve defenses, and enable the organization to execute strategic and tactical enterprise goals while staying on budget.
The organization can arm its SOCs, incident response teams, and threat intelligence analysts with a platform to efficiently structure, organize, and utilize threat intelligence across the enterprise. This platform also helps security analysts improve situational understanding, accelerate detection and response, maximize existing security investments, and collaborate more effectively as a team.
Incident response teams can automate the prioritization of threats and security incidents, accelerate investigations, and automatically push intelligence to detection and response tools. Threat intelligence analysts can efficiently structure and organize threat intelligence with context and prioritization to build adversary dossiers, make better decisions, and take action.
Asking the Right Questions
With stakeholders now convinced, other business questions will be considered alongside technical questions. Some key questions SOC teams should be thinking about asking the vendor are outlined here:
- How does the platform consume structured and unstructured data and how many “out-of-the-box” commercial feeds and/or open-source feeds do you have?
- What about context and transparency? For example, are customer-defined IOC tags/context/attributes shared across the vendor’s other customers?
- What about scoring and prioritization? Can customers customize scoring based on their own organization, team, resources, and capability without broadcasting those customizations to other customers? Is the vendor scoring transparent?
- What is the vendor’s approach to the expiration of intelligence?
- What about correlating internal and external data? If bidirectional data exchange is enabled, who holds ownership rights to my company’s data within the system?
- Do you have bidirectional integration with all SIEMs, ticketing systems, vulnerability management solutions, and SOAR solutions?
- With notifications and alerts, can an analyst create an alert list within your dashboard for any object/node in the system?
- Can we opt in and opt out of sharing data with a vendor or community when it comes to sharing and collaboration?
- Does the TIP support data-driven automation natively and through API integration with SOAR platforms?
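To make the scoring, expiration, and correlation questions above concrete when evaluating a vendor, here is an added illustration (not code from the original article or from any TIP product) of what transparent, tenant-local indicator scoring can look like; the feed records, internal sightings, weights, half-life and expiry threshold are all constructed values.

```python
"""Transparent indicator scoring: every factor is visible, and tenant customisation stays local."""
from datetime import datetime

HALF_LIFE_DAYS = 30      # constructed: an unconfirmed indicator loses half its score every 30 days
EXPIRY_THRESHOLD = 10    # constructed: indicators scoring below this are treated as expired

# Constructed external feed records (RFC 5737 test addresses and a reserved example domain).
EXTERNAL_FEED = [
    {"value": "198.51.100.23", "source": "commercial-a", "confidence": 90,
     "last_seen": "2024-06-01T00:00:00Z", "tags": ["c2"]},
    {"value": "203.0.113.7", "source": "osint-b", "confidence": 60,
     "last_seen": "2024-03-01T00:00:00Z", "tags": ["scanner"]},
    {"value": "malicious.example", "source": "osint-b", "confidence": 70,
     "last_seen": "2024-05-20T00:00:00Z", "tags": ["phishing"]},
]

# Constructed internal telemetry: how often the organisation's own sensors saw each value.
INTERNAL_SIGHTINGS = {"198.51.100.23": 3, "malicious.example": 1}

# Tenant-local customisation: lives in this tenant's config, never written back to the shared feed.
TENANT_WEIGHTS = {
    "source": {"commercial-a": 1.0, "osint-b": 0.7},
    "tag": {"c2": 1.2, "phishing": 1.1, "scanner": 0.5},
}


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def score_indicator(ioc, now_iso, sightings=INTERNAL_SIGHTINGS, weights=TENANT_WEIGHTS):
    """Return (score, explanation): the explanation is what a transparent vendor should expose."""
    age_days = (_parse(now_iso) - _parse(ioc["last_seen"])).days
    decay = 0.5 ** (age_days / HALF_LIFE_DAYS)                 # expiration as gradual decay
    src_w = weights["source"].get(ioc["source"], 0.5)           # unknown sources are distrusted
    tag_w = max((weights["tag"].get(t, 1.0) for t in ioc["tags"]), default=1.0)
    hits = sightings.get(ioc["value"], 0)                       # internal/external correlation
    boost = 1.0 + 0.25 * min(hits, 4)                           # sightings add at most +100%
    score = min(100.0, ioc["confidence"] * decay * src_w * tag_w * boost)
    return round(score, 1), {"age_days": age_days, "decay": round(decay, 3),
                             "source_weight": src_w, "tag_weight": tag_w, "internal_hits": hits}


def triage(feed, now_iso):
    """Split a feed into active indicators (highest score first) and expired ones."""
    scored = [(ioc["value"], *score_indicator(ioc, now_iso)) for ioc in feed]
    active = sorted((s for s in scored if s[1] >= EXPIRY_THRESHOLD), key=lambda s: -s[1])
    expired = [s[0] for s in scored if s[1] < EXPIRY_THRESHOLD]
    return active, expired


if __name__ == "__main__":
    for entry in triage(EXTERNAL_FEED, "2024-06-15T00:00:00Z")[0]:
        print(entry)
```

Run against the constructed data, the stale scanner address drops below the expiry threshold while the C2 address, corroborated by three internal sightings, rises to the top; the explanation dictionary is the kind of transparency the questions above ask a vendor for.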
This is not an exhaustive list. Questions about pricing models, service and support, different use cases, and questions specific to each SOC team’s environment will also need to be asked. Hopefully, this will help put the SOC team on the right path, armed with key questions to ask and aware of potential hidden risks, so they can navigate the process successfully and find the right platform to meet their requirements.