Chris O’Brien, Director Intelligence Collaboration at EclecticIQ, discusses why analysts should remember that, just because we can automate the process, doesn’t mean it isn’t worth learning, as well as the role of automation in the future.
Threat intelligence is an important way for organisations to better understand the threats they face and a key tool in the fight against adversaries. Despite this, the convergence of emerging global threats, new technologies and evolving tools means that hackers are now able to drive more sophisticated and successful assaults of all kinds.
It’s time for the cyber security community and those that invest in it to start looking towards threat intelligence to help select the right tools to mitigate any potential threats, and to implement them in the right place and at the right time.
Taking the first steps
It’s important to note that this discussion isn’t about the linear maturity of threat intelligence or where we are on the ‘hype cycle’. Instead, it needs to be a multifaceted conversation around enablement and using technology for the right purpose.
Automation is a good starting point within this discussion. As a technology, automation has been around for a while and, in this time, we have seen it being leveraged by adversaries, as well as those fighting the ‘good fight’.
In order to get ahead of the adversaries, it’s vital that organisations bring automation to the fore, specifically in threat intelligence. This could be through automating the upstream so that Security Operation Centres (SOCs) can improve how they ingest and comprehend incoming threat intelligence feeds; through automating the process which fuses together the intelligence from various threat intelligence providers; or even through the automated generation of resultant outgoing feeds to give incident response teams a holistic view of what might be coming their way.
Looking at other technologies that will also benefit the security organisation, we have to look at artificial intelligence (AI). AI has the ability to take threat intelligence to a level we haven’t seen yet.
Security organisations are only just now looking at combining their threat intelligence with AI and, as a result, we are yet to realise the true power of this combination. Threat intelligence is currently not suited to identifying attacks we haven’t seen before but, when paired with AI or Machine Learning, it is feasible to identify patterns and potentially identify new threats. With attackers constantly evolving, this could be a key advantage in the fast-moving threat landscape we find ourselves in.
Benefits of a more mature process
The race to stop those with malicious intent is a marathon, not a sprint. Setting the conditions to gain the upper hand against the adversaries requires a long-term investment, not only in tooling but in processes as well. For starters, we know the threat intelligence process still involves a number of manual steps which can be automated. While this automation will focus on the more static processes to start with, it will lead to the next stage of threat intelligence – helping analysts move towards the more strategic and, arguably, more enjoyable side of analysis.
It will also drive more effective and efficient detection capabilities, presenting the opportunity for analysts to start to develop more value-add investigations, based on verified information detected during the automation process. This will give the C-suite the ‘so what’ they’re so often pursuing when it comes to security expenditure.
This opens up the career path of the threat analyst too, enabling them to stop the handle turning and start the investigative work which will make a real impact on the business. Alongside this, freeing up analysts and allowing them more time to do the work they enjoy will increase staff morale and provide the kind of stimulating work that breeds excellence.
All of that said, just because we are able to automate the process, it doesn’t mean that it isn’t worth learning manually first – in fact, quite the opposite. As we move into the future of threat intelligence, analysts should always learn the basics of analysis before automating a process, both to help inform the design of automation and to be able to handle their job if – or rather when – the automation breaks.
The automation of threat intelligence is an important step in the maturation of the industry and needs to be considered vital for those in the space. The attackers we defend against are becoming more sophisticated and successful and, without scalable automation, we won’t be able to keep up and protect our businesses from the ‘bad guys’. It’s time to make the change.