Level Up Security Operations With Threat Intelligence Cheat Codes

April 18, 2019
4 min read

Few fields have experienced growth over the last two decades like cybersecurity and video gaming. Through the years, both industries have seen the rise and fall of incumbent players and the near-constant shift in consumer preferences. While learning how to embrace their own platform shifts, both fields have had to fundamentally reinvent themselves to adapt and survive.

Arcade-Style Silos Make Way for Plug-and-Play Solutions

For many people, their first memorable experience with video games was at an arcade. Arcade operators made heavy one-off investments for each new game that came out. For example, “Mortal Kombat 2” and its sequels did not build onto or integrate with the existing “Mortal Kombat” games. In many ways, this issue has also plagued cybersecurity, with the average organization deploying 80-plus point products from over 40 vendors.

The advent of the console flipped the gaming industry on its head. Rather than having to buy a new machine for each game, there was a single interface that ran multiple games — classic examples of which include the Super Nintendo Entertainment System (SNES) — where additional functionality was just a cartridge away. Rather than shelling out for singular monolithic solutions, consumers preferred modular platforms that enabled them to add additional games in a snap.

The consumer shift toward unified platforms is true today in security as chief information security officers (CISOs) look more for integrated solutions with the ability to add new features as their organization matures. But even as silos are broken down and security data becomes more unified, how can organizations derive actionable insights from the data to understand their adversary, reduce their investigation time and increase visibility into their environment?

What’s Video Game Design Got to Do With Threat Intelligence?

Threat intelligence is the connecting of specific threat identifiers across many cybersecurity tools and the infusing of that information into proactive investigation, incident response and remediation workflows. When designing a threat intelligence strategy that allows analysts to detect threats rapidly and enables security operations center (SOC) leadership to make informed decisions, it’s important to consider your organization’s unique needs based on factors such as industry, geography and the nature of your most critical assets.

Similarly, depending on the type of game and its objectives, video game designers choose to focus on varying aspects when developing a game, but three are always constant:

1. The Characters and Players

The good-versus-evil dichotomy is often invoked when talking video game character development; it’s also reflected in the constant game of cat-and-mouse between organizations and threat actors. Whether it’s Mario versus Bowser or analyst versus cyber adversary, it is important to understand the motivation behind attackers to better anticipate their next steps.

Whether that’s kidnapping the princess or exfiltrating sensitive information, security leaders can make informed risk management, organizational and staffing decisions by understanding how the enemy operates. By knowing, for example, that a specific threat actor is targeting their industry, analysts can quickly identify whether they are at risk of an exploit or take proactive steps to patch and protect potentially affected systems.

To invoke Sun Tzu, knowing your enemy is knowing yourself, so having a complete view of which attackers are targeting industry peers or geographic neighbors can give you a window into the mindset of the adversary and help your organization prepare stronger defenses by understanding the vulnerabilities before they become an attack.

2. Narrative and Gameplay

One element that separates some of the best games from the rest is a strong narrative element within a collaborative, multiplayer world. Designers carefully curate decision points for the user, having them make choices that potentially alter how the game unfolds. Threat intelligence guides users in their decision-making process to help inform all levels of the SOC. Tactical threat intelligence can be integrated into the workflow to help reduce false positives, enabling the frontline analyst to quickly decide what is real and what is noise. And for tier-two and -three analysts, who proactively hunt threats and facilitate incident response, having information on a particular actor’s tactics, techniques and procedures (TTPs) can help them better make day-to-day decisions on task prioritization, threat mitigation and resource allocation.

As the trend has been in recent years, single player modes are being phased out in favor of multiplayer online games. In these games, there is a strong need for communication and collaboration, since most are team-based and the success of the individual depends on the success of the team. Even though analysts may sometimes feel that they’re fighting the battle alone, cybersecurity is a team sport. Threat intelligence is collaborative by nature, with many feeds being driven by a combination of individuals sharing information for others in their industry and validated information from threat researchers.

Threat intelligence can be the unifier for members of the security operations center to collaborate when dealing with investigations and incident response. When teams have identified a validated threat and need to investigate or initiate a response workflow, threat intelligence solutions can integrate with incident response and case management tools to enrich playbooks with specific information about the threat. When it’s all hands on deck, teams can quickly collaborate and add additional indicators as they build the investigation and search threat intelligence for more relevant information.

3. Repeat Playability

The best games are not only fun to play once, but over and over again for years — what gamers refer to as repeat playability. Organizations typically deploy multiple threat intelligence feeds of varying quality for broad and overlapping coverage. While having more data at your teams’ fingertips is generally a good thing, increased visibility often comes at a cost. Gone are the days where security teams could get by with multiple static dumps of comma-separated values (CSVs) with indicators of compromise (IoCs). Even with four threat intelligence sources that provide 300 indicators a day, teams are receiving almost 500,000 indicators a year.

Analysts are overwhelmed, spending hours sifting through data searching for what feels like a needle in a needle stack to find bits of actionable information. The repetitive nature and sheer volume of their workload, coupled with the cybersecurity skills gap, often leads to analyst burnout. When potential threats are automatically prioritized based on severity, it reduces investigation time and allows analysts to focus on only the most critical threats to their organization.
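As an added example (not code from the original post or from IBM), here is the merge-and-prioritize step this section describes, and the noise-filtering step from the Narrative and Gameplay section: four constructed CSV feed dumps with overlapping indicators are deduplicated, scored by severity weighted by an assumed per-feed confidence, and the prioritized set is matched against constructed log lines so only hits that clear a threshold reach the frontline analyst. The feed names, confidence values, indicators and log lines are all assumptions constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed sample feeds: four static CSV dumps with overlapping indicators (RFC 5737 / RFC 2606
# documentation addresses, not real IoCs). The float is an assumed per-feed confidence (feed quality).
FEEDS = {
    "vendor":  (1.0, "indicator,type,severity\n198.51.100.23,ipv4,high\nbad.example,domain,medium\n"),
    "isac":    (0.8, "indicator,type,severity\n198.51.100.23,ipv4,medium\n203.0.113.7,ipv4,low\n"),
    "osint":   (0.5, "indicator,type,severity\n203.0.113.7,ipv4,high\nbad.example,domain,low\n"),
    "scraped": (0.3, "indicator,type,severity\n192.0.2.9,ipv4,low\n"),
}

# Constructed log lines standing in for firewall and DNS events.
LOGS = [
    "2019-04-18T10:01:02Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2019-04-18T10:01:05Z dns query=bad.example client=10.0.0.8",
    "2019-04-18T10:01:09Z fw allow src=10.0.0.5 dst=192.0.2.9 dport=80",
    "2019-04-18T10:01:12Z fw allow src=10.0.0.6 dst=203.0.113.200 dport=443",
]

def merge_feeds(feeds):
    """Merge overlapping feeds into one deduplicated set of scored indicators."""
    merged = defaultdict(lambda: {"score": 0.0, "sources": []})
    for name, (confidence, dump) in feeds.items():
        for row in csv.DictReader(io.StringIO(dump)):
            entry = merged[row["indicator"].strip().lower()]
            entry["sources"].append(name)
            # Severity weighted by feed confidence; corroboration across feeds accumulates.
            entry["score"] += SEVERITY.get(row["severity"].lower(), 1) * confidence
    return dict(merged)

def prioritize(merged, minimum=1.0):
    """Indicators at or above the threshold, highest score first; the rest is treated as noise."""
    ranked = sorted(merged.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(ioc, round(e["score"], 2), e["sources"]) for ioc, e in ranked if e["score"] >= minimum]

def triage(log_lines, merged, minimum=1.0):
    """Return (line, indicator, score) for log lines that touch a prioritized indicator."""
    hot = {ioc: score for ioc, score, _ in prioritize(merged, minimum)}
    hits = []
    for line in log_lines:
        for token in re.split(r"[\s=,]+", line.lower()):
            if token in hot:
                hits.append((line, token, hot[token]))
    return hits
```

With these inputs the low-confidence single-source indicator (192.0.2.9) falls below the threshold, so the connection to it is left as noise while the two corroborated indicators are surfaced with their scores and sources.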

Up, Up, Down, Down, Left, Right, Left, Right

With actionable and relevant threat intelligence, security teams have the ability to see the previously unseen and significantly accelerate the way they work. Just like the Konami Code did for “Contra,” threat intelligence can provide organizations with security operations cheat codes to gain the competitive advantage they need to combat cybercriminals.


Jeremy Goldstein
Product Marketing Manager for IBM QRadar, X-Force Exchange & App Exchange
