Actionable threat intelligence: focus on what matters

How can organisations make sense of the threat intelligence and security alerts they’re flooded with daily?

Actionable threat intelligence: focus on what matters

How can organisations make sense of the threat intelligence and security alerts they’re flooded with daily?

Natalie Walker
Natalie WalkerPortfolio Director, BT Security, Business

As organisations focus on digitalisation, cloud migration, hyperconnectivity, and hybrid working to remain competitive, they’re now processing larger volumes of data and have a greater exposed attack surface than ever before.

Couple this with the growing number of sophisticated cyber attacks, and the increasing volume of security-related events and generic threat intelligence being handled – with some platforms recording over 20 million potential indicators of attack daily.

Such a huge volume of security information would be impossible to process or prioritise, without automation overlaying cyber event data with distilled, contextual, and real-time threat intelligence. The sheer volume prevents organisations from having a clear understanding of what matters. This means attacks can go unnoticed until it’s too late.

So, how can security analysts extract actionable insights from this information to make informed, real-time decisions?

Multi-vendor oversight is essential

Despite the many products and vendors on the market, no solution currently covers all security requirements. It’s not uncommon for enterprises to now have 10 or more point products in place. This only generates more data and alerts, requiring more staff and running costs to process.

Many security vendors operate on a ‘better-safe-than-sorry’ approach, classifying large volumes of cyber events as suspicious or of potential risk, then letting the customer decide whether they matter.

Often, different vendors will classify the same threat indicators differently – leaving the added challenge of determining which source to trust. This means many of these events are misleading and an unnecessary drain on analysts’ time.

Also, many solutions from different vendors don’t work together, creating additional security blind spots. To make sense of it all, organisations need greater oversight across all of their solutions and threat feeds. This will help them to distil threat intelligence into what really matters.

It’s all about context

To start differentiating raw threat intelligence from actionable insights, you need to add context. Every day, organisations receive an overwhelming amount of threat indicators that aren’t relevant to them.

To find actionable value, it’s vital to automatically analyse and categorise threat alerts as they come in.

With added context on what poses a real threat to their operation, who adversaries are, where they’re operating from, and the tactics, techniques and procedures they regularly use, security teams can make informed decisions on what preventive actions they need to take.

Timing is everything

Unfortunately, most sophisticated cyber criminals are already one step ahead, and are often the first to embrace technological advancements. They’re constantly developing new ways to avoid detection and overwhelm defences.

To keep up, you need to cut the time it takes to process threat intelligence, detect the breach, and respond quickly and effectively. It’s no longer possible to manually react to all alerts. Real-time monitoring and automated decision-making are now critical to proactively detecting anomalies, and rapidly updating your protections against next-generation threats. That’s how you block attacks before they can even happen or cause significant damage.

Getting an Eagle-i view

Eagle-i is our transformational cyber security platform. It’s a solution designed to sit on our existing managed security services, overlaying actionable intelligence to enhance and coordinate defence efforts.

Eagle-i can:

  • Automatically process the enormous alerts gathered by multiple, typically siloed security solutions and threat feeds.
  • Enrich the alerts with actionable threat intelligence and customer-specific context.
  • Prioritise detection and response based on organisation-specific risks.
  • Rapidly assess security threat significance.
  • Predict an attacker’s next steps and recommend actions to prevent an attack or critical damage, by combining AI-powered automation with our global knowledge and presence.

 

Eagle-i is also always evolving – learning and refining its processes to improve its defences. What’s more, it’s a multi-vendor and multi-control platform. It integrates multiple security controls and technologies from our partners into a single platform, providing flexibility and customisation in selecting the best tools for your security needs.