How a More Connected Approach Can Help With Threat Management

March 6, 2020
| |
3 min read

Threat management is a framework that is often used to evaluate and manage everything you can do to detect and respond to cyberthreats. It encompasses people, process and technology, and for effective threat management, all three should work together seamlessly.

Of course, that’s easier said than done. When you look at just the technology piece of threat management, there’s obviously a lot out there. This is reflective of cybersecurity in general, where organizations are using an average of 25 to 49 disparate tools from up to 10 different providers. This has created additional complexity and led some organizations to undergo tools rationalization to better understand what they are getting out of each tool, where there may be overlap and where there may be gaps. But even after working through that type of exercise, different, fewer or more point solutions are not always the best way forward.

Challenges to Effective Threat Management

Too Much Unactionable Threat Intelligence

There is a disconnect between threat intelligence itself and what makes it actionable to an organization. Gathering threat intelligence is not a problem with numerous threat feeds available today, but the volume of threats makes it difficult for security analysts to prioritize which to focus on. A recent conversation with a security leader summed up this challenge. He said that one of his big initiatives is implementing “managed threat intelligence,” his term for a way to deliver prioritized threat intelligence to his team, rather than giving them everything available.

Finding Insights Within Decentralized, Distributed Data

As the number of security and IT tools has grown, so has the amount and location of data, according to a 2019 IBM-commissioned study conducted by Forrester Consulting. Most organizations are using on-premises solutions and multiple clouds, even if they may not realize it. Furthermore, the data itself is not uniform or predictable. Thus, if an analyst or threat hunter needs to find some type of indicator within an organization’s environment, it is very difficult and time-consuming to search across the disconnected sources. Furthermore, as each new data source is added, it only increases the integration costs and complexity. In the past, organizations have looked to centralized data lakes for the answer, but as data volumes, costs and veracity have continued to increase, particularly across multiple cloud and endpoint platforms, this approach can have limited success.

Lack of Skilled Resources to Manage the Number of Threats

It’s no secret that there’s a lack of skilled cybersecurity analysts today, and everyone is pulling from the same talent pool. Furthermore, the high levels of stress reported by security professionals, from analysts to chief information security officers (CISOs), does not help this problem. The disconnect between the number of people managing and prioritizing threats and the number of people responding to incidents can hold organizations back from getting to where they want their threat program to be.

In essence, each one of these challenges has to do with some type of disconnect: Threat intelligence without a connection to an organization, data spread across different tools and silos and a mismatch in the supply of resources required to do the work.

Shift to a Connected Approach to Threat Management

We believe there’s a need for a different approach to threat management other than continuing to add more threat feeds or additional tools without the people to use them effectively. One way to shift to a more connected approach is to focus on a one-to-many integration rather than reducing or adding individual tools. Using capabilities that maximize existing security solutions and data sources can help organizations advance their threat management initiatives in multiple ways.

Tailored Threat Intelligence for More Efficient Identification

If threat intelligence feeds are connected to information about your organization, such as industry and geography, they can be automatically prioritized based on their relevance to your business. This will cut down on the amount of intelligence that analysts need to evaluate. Furthermore, with a connection to your existing environment, you can more quickly and easily see if a relevant threat is actually active in your organization and needs more investigation or immediate response.

Consolidated Search Capabilities That Improve Visibility and Response Time

If a search capability is able to sit on top of and connect to all security tools and data sources, security operations center (SOC) analysts will not need to dig into each individual one to search for an indicator of compromise (IoC). Connection is key here, because migrating all of your data into one place introduces cost and complexity. By connecting data without having to move it, security analysts can save time, gain visibility and improve their efficiency when investigating threats.

Embedded Automation to Help Free Analysts for Higher-Value Tasks

If automation is embedded in your security capabilities, it can help free security analysts from doing manual and repetitive tasks so they can focus on higher-value responsibilities, such as proactive threat hunting. Furthermore, automation that’s connected not only to other security tools but also to broader IT tools can help improve and speed up incident response processes and orchestrate actions across the wider enterprise.

A connected approach to threat management can help organizations implement a more effective program. With IBM Cloud Pak for Security, we are connecting data and workflows to help make connected threat management easier to attain.

Watch an intro to IBM Security’s open, connected platform

Chris Meenan
Product Manager for QRadar, IBM Security

Chris Meenan is a Product Manager working on the QRadar Security Intelligence Product within the IBM Security division. He has over 10 years experience in pr...
read more