A recent SANS Institute report offered good news and bad news about threat intelligence. The good news is that threat intelligence is widely used, and many organizations believe it has enhanced their ability to detect and respond to threats quickly and accurately.
The bad news is that the vast majority of organizations are unable to research or use more than 100 threat indicators each week. That means these organizations are probably wasting money on threat intelligence data they can’t interpret or don’t use due to a lack of infrastructure or manpower. They just can’t keep up with such a high volume of alerts.
It’s important to keep in mind that threat intelligence is more than just information. Threat intelligence is evidence-based knowledge about threat actors, the motivation behind an attack, the systems being targeted, the method of attack and the risk created by the threat. When this data is researched, vetted, analyzed and put into proper context, it helps organizations detect and respond to known and unknown threats more effectively.
As the SANS Institute report revealed, most organizations fail to convert threat data into actionable insight. They often use free sources to collect raw data that lacks quality control and has a short shelf life. They don’t have the in-house expertise to review the data quickly against recent activity and so detect and mitigate threats promptly.
Analyzing and applying threat intelligence requires an understanding of what to investigate and what to ignore. Assumptions and imperfect data are involved. The key is to incorporate sound judgment, experience and analysis to give threat intelligence credibility and reliability. External threat intelligence needs to be compared to internal intelligence to gain maximum value.
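One way to put that comparison into practice, as an added example that is not from the SANS report or from Microsoft: a small triage step that scores each external indicator by feed confidence, remaining shelf life and matches against internal telemetry, then keeps only the top entries within a weekly capacity like the 100-indicator figure cited above. The feed entries, log lines, 30-day shelf life and scoring weights are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample external feed (hypothetical indicators, reserved example ranges only).
EXTERNAL_FEED = [
    {"ioc": "203.0.113.10", "confidence": 80, "first_seen": "2018-09-20"},
    {"ioc": "198.51.100.7", "confidence": 95, "first_seen": "2018-06-01"},  # stale entry
    {"ioc": "bad.example", "confidence": 40, "first_seen": "2018-09-24"},
    {"ioc": "other.example", "confidence": 60, "first_seen": "2018-09-23"},
]

# Constructed sample internal telemetry: proxy and DNS log lines.
INTERNAL_LOGS = [
    "2018-09-25T10:02:11Z proxy src=10.0.0.5 dst=203.0.113.10 status=200",
    "2018-09-25T10:03:40Z dns client=10.0.0.7 query=bad.example rcode=NOERROR",
    "2018-09-25T10:05:02Z proxy src=10.0.0.9 dst=203.0.113.10 status=403",
]

SHELF_LIFE_DAYS = 30  # assumption: an indicator older than this carries no weight


def freshness(first_seen, today):
    """Linear decay from 1.0 (seen today) to 0.0 at SHELF_LIFE_DAYS and beyond."""
    age_days = (today - date.fromisoformat(first_seen)).days
    return max(0.0, 1 - age_days / SHELF_LIFE_DAYS)


def internal_hits(ioc, logs):
    """Count internal log lines containing the indicator as a whole token
    (so 203.0.113.1 does not match 203.0.113.10)."""
    pattern = re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])")
    return sum(1 for line in logs if pattern.search(line))


def prioritize(feed, logs, today, capacity=100):
    """Score every indicator and split the feed into an 'investigate' list
    (positive score, capped at the analyst capacity) and an 'ignore' list.
    score = confidence * freshness * (1 + internal hits), so an indicator
    that was actually observed inside the network outranks an unseen one."""
    scored = []
    for entry in feed:
        hits = internal_hits(entry["ioc"], logs)
        score = entry["confidence"] * freshness(entry["first_seen"], today) * (1 + hits)
        scored.append({**entry, "hits": hits, "score": round(score, 1)})
    scored.sort(key=lambda e: e["score"], reverse=True)
    investigate = [e for e in scored if e["score"] > 0][:capacity]
    return investigate, scored[len(investigate):]


if __name__ == "__main__":
    todo, skipped = prioritize(EXTERNAL_FEED, INTERNAL_LOGS, date(2018, 9, 25))
    for e in todo:
        print(f"investigate {e['ioc']:<14} score={e['score']:>6} internal_hits={e['hits']}")
    for e in skipped:
        print(f"ignore      {e['ioc']:<14} (stale or unseen)")
```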
At Ignite 2018, Microsoft announced solutions and services that leverage the company’s global security operations along with artificial intelligence (AI) to enhance the value of threat intelligence. Microsoft has a team of more than 3,500 full-time security professionals who use leading AI tools to analyze more than 6.5 trillion threat signals each day.
These resources form the basis of Microsoft Threat Protection, a new service that uses AI and human research to speed up threat investigations for overstretched security teams. Microsoft Threat Protection can help detect and remediate cyberthreats across email, PCs, identities and infrastructure, bringing them together in a single integrated experience in Microsoft 365.
Microsoft has also added EMS and Azure Security Center to Microsoft Secure Score. Introduced in June, Secure Score is a dynamic report card that analyzes the settings and activity within a customer’s Office 365 services and provides recommendations that can reduce the chance of a security breach. The Secure Score expansion also includes a broader set of controls from products such as Microsoft Cloud App Security to further harden defenses and help IT understand and improve their organization’s security position.
There’s no question that threat intelligence provides value to organizations. However, collecting and analyzing threat data is labor-intensive and distracts IT personnel from business-enabling initiatives. On top of that, security skills are in short supply, and organizations are struggling to keep up with cyber threats that are constantly evolving and increasing.
AI-driven automation coupled with human analysis can greatly increase the value of threat intelligence. Microsoft is leveraging its global security operations and machine learning models to give organizations new tools that help combat cyberattacks.
Written by Steve Soper, Principal