Threat management is a framework for evaluating and managing everything an organization does to detect and respond to cyberthreats. It encompasses people, process and technology, and for threat management to be effective, all three need to work together.

Of course, that’s easier said than done. Looking only at the technology piece of threat management, there is a great deal of it out there. This mirrors cybersecurity in general, where organizations use an average of 25 to 49 disparate tools from up to 10 different providers. That sprawl adds complexity and has led some organizations to undertake tool rationalization: working out what each tool actually delivers, where tools overlap and where gaps remain. But even after such an exercise, simply swapping, removing or adding point solutions is not always the best way forward.

Challenges to Effective Threat Management

Too Much Unactionable Threat Intelligence

There is a disconnect between threat intelligence itself and what makes it actionable for a given organization. Gathering intelligence is not the hard part; plenty of threat feeds are available today. The problem is volume: with so many reported threats, analysts struggle to prioritize which ones deserve attention. A recent conversation with a security leader summed up this challenge. One of his big initiatives, he said, is implementing “managed threat intelligence,” his term for delivering prioritized intelligence to his team rather than everything that is available.

Finding Insights Within Decentralized, Distributed Data

As the number of security and IT tools has grown, so have the volume of data and the number of places it lives, according to a 2019 IBM-commissioned study conducted by Forrester Consulting. Most organizations use on-premises solutions alongside multiple clouds, whether or not they realize it, and the data itself is neither uniform nor predictable. If an analyst or threat hunter needs to find a particular indicator in the environment, searching across these disconnected sources is difficult and time-consuming, and each new data source adds integration cost and complexity. In the past, organizations looked to centralized data lakes for the answer, but as data volumes, costs and variety have kept growing, particularly across multiple cloud and endpoint platforms, that approach has had limited success.

Lack of Skilled Resources to Manage the Number of Threats

It’s no secret that skilled cybersecurity analysts are in short supply, and every organization is drawing from the same talent pool. The high levels of stress reported by security professionals, from analysts to chief information security officers (CISOs), make the problem worse. A mismatch between the number of people needed to manage and prioritize threats and the number available to respond to incidents can keep an organization’s threat program from reaching where it wants to be.

In essence, each of these challenges comes down to some kind of disconnect: threat intelligence with no connection to the organization, data spread across different tools and silos, and a mismatch between the work to be done and the people available to do it.

Shift to a Connected Approach to Threat Management

We believe threat management needs a different approach than continuing to add threat feeds or tools without the people to use them effectively. One way to shift to a more connected approach is to focus on one-to-many integration rather than on adding or removing individual tools. Capabilities that make the most of existing security solutions and data sources can help organizations advance their threat management initiatives in several ways.

Tailored Threat Intelligence for More Efficient Identification

If threat intelligence feeds are connected to information about your organization, such as its industry and geography, intelligence can be prioritized automatically by its relevance to your business, cutting down the volume analysts need to evaluate. With a connection to your existing environment, you can also see quickly whether a relevant threat is actually active in your organization and needs further investigation or an immediate response.

Consolidated Search Capabilities That Improve Visibility and Response Time

If a search capability can sit on top of and connect to all security tools and data sources, security operations center (SOC) analysts no longer need to dig into each one separately to look for an indicator of compromise (IoC). Connection, rather than consolidation, is key here: migrating all of your data into one place introduces cost and complexity. By querying data where it already lives, analysts save time, gain visibility and investigate threats more efficiently.
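The two ideas above, tailoring intelligence to the organization and searching for an IoC across sources without first centralizing them, are easy to sketch in code. The following Python script is an added example written for this page; it is not code from the original post or from IBM Cloud Pak for Security. The organization profile, the intel entries and their field layout, the three log sources (a proxy CSV, an EDR JSON-lines feed and firewall syslog) and the scoring weights are all constructed assumptions for illustration. It ranks intel by industry and region fit, then runs one IoC query through a small adapter per source so each source is read in its native format, in place.

```python
"""Added example: prioritize threat intel by organization profile, then run a
federated IoC search across differently-formatted sources without moving data.
Every record below is constructed for the example."""
import csv
import io
import json
import re

# Profile of the organization the intel is tailored to (constructed).
ORG_PROFILE = {"industry": "retail", "regions": {"EU", "DE"}}

# Constructed intel entries. The field layout is an assumption for this
# example, not any real feed's schema.
INTEL = [
    {"id": "TI-1", "title": "POS memory-scraper campaign", "industries": ["retail"],
     "regions": ["EU"], "confidence": 80,
     "iocs": {"ip": ["203.0.113.7"], "domain": ["update-cdn.example"]}},
    {"id": "TI-2", "title": "Telco SIM-swap tooling", "industries": ["telecom"],
     "regions": ["US"], "confidence": 95,
     "iocs": {"domain": ["sim-portal.example"]}},
    {"id": "TI-3", "title": "Generic phishing kit", "industries": [],
     "regions": [], "confidence": 60,
     "iocs": {"domain": ["login-verify.example"]}},
]


def relevance(entry, profile):
    """Score an entry against the profile: industry fit weighs most, then
    geography, with feed confidence only breaking ties (weights are assumed)."""
    score = 0.0
    if profile["industry"] in entry["industries"]:
        score += 3
    if profile["regions"] & set(entry["regions"]):
        score += 2
    score += entry["confidence"] / 100
    return score


def prioritize(intel, profile):
    """Return intel entries most relevant to the organization first."""
    return sorted(intel, key=lambda e: relevance(e, profile), reverse=True)


# Three sources, each left in its own format (all constructed sample data).
PROXY_CSV = """ts,src,dest_host,action
2024-05-01T10:00:00Z,10.1.2.3,update-cdn.example,allowed
2024-05-01T10:01:00Z,10.1.2.4,cdn.vendor.example,allowed
"""
EDR_JSON = """{"ts":"2024-05-01T10:02:00Z","host":"pos-17","remote_ip":"203.0.113.7","proc":"pos.exe"}
{"ts":"2024-05-01T10:03:00Z","host":"pos-18","remote_ip":"198.51.100.9","proc":"chrome.exe"}
"""
SYSLOG = """May  1 10:04:00 fw01 kernel: DROP IN=eth0 SRC=192.0.2.50 DST=10.1.2.3
May  1 10:05:00 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.1.2.9
"""


# Each adapter yields a normalized event: where it came from, when, and the
# set of indicator-like values it contains. The raw record is kept alongside.
def iter_proxy(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"source": "proxy", "ts": row["ts"],
               "indicators": {row["src"], row["dest_host"]}, "raw": row}


def iter_edr(text):
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            yield {"source": "edr", "ts": ev["ts"],
                   "indicators": {ev["remote_ip"], ev["host"]}, "raw": ev}


SYSLOG_RE = re.compile(r"SRC=(\S+) DST=(\S+)")


def iter_syslog(text):
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            yield {"source": "firewall", "ts": line[:15],
                   "indicators": set(m.groups()), "raw": line}


SOURCES = [(PROXY_CSV, iter_proxy), (EDR_JSON, iter_edr), (SYSLOG, iter_syslog)]


def federated_search(ioc, sources=SOURCES):
    """One query, fanned out to every source adapter; returns (source, ts) hits."""
    hits = []
    for text, adapter in sources:
        for ev in adapter(text):
            if ioc in ev["indicators"]:
                hits.append((ev["source"], ev["ts"]))
    return hits


def active_threats(intel=INTEL, profile=ORG_PROFILE, sources=SOURCES):
    """Prioritized intel, annotated with which of its IoCs were actually seen."""
    result = []
    for entry in prioritize(intel, profile):
        hits = {}
        for values in entry["iocs"].values():
            for value in values:
                found = federated_search(value, sources)
                if found:
                    hits[value] = found
        result.append({"id": entry["id"], "score": relevance(entry, profile), "hits": hits})
    return result


if __name__ == "__main__":
    for item in active_threats():
        print(item["id"], round(item["score"], 2), item["hits"])
```

Run as a script, it lists TI-1 first with hits for both of its indicators, and TI-2 and TI-3 with none. In practice the adapters would wrap each tool's own query API rather than parse a local string, and the scoring weights would be tuned to the organization; the shape of the solution, one query fanned out to sources that stay where they are, is the point.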

Embedded Automation to Help Free Analysts for Higher-Value Tasks

If automation is embedded in your security capabilities, it can relieve analysts of manual, repetitive tasks so they can focus on higher-value work such as proactive threat hunting. Automation that connects not only to other security tools but also to broader IT tools can speed up incident response and orchestrate actions across the wider enterprise.

A connected approach to threat management can help organizations build a more effective program. With IBM Cloud Pak for Security, we are connecting data and workflows to make connected threat management easier to attain.
