Harnessing Your SIEM for Cyberthreat Intelligence

In the world of cybersecurity, cyberthreat intelligence (CTI) burst onto the scene in a big way in 2015.

Everyone wants useful data and analytical tools for next-gen cybersecurity in order to detect and respond to threats faster. The industry responded by providing a plethora of CTI products. As buzz built around CTI, vendors released a variety of options for organizations.

Unfortunately, the industry became inundated with CTI solutions, with many failing to provide the actionable data organizations require. The diluted pool of vendors makes it difficult to evaluate the value of each product.

For those organizations assessing CTI solutions, SC Magazine’s Cyberthreat Intelligence e-book discusses CTI, the benefits of integrating it into an organization’s defense strategy, and the different threat-sharing initiatives and alliances.

As organizations gear up to heighten their security posture, many will implement threat intelligence. In this blog, we will define what cyberthreat intelligence means for your organization and how to successfully leverage the information that is coming into your SIEM ecosystem for cyberthreat intelligence.

What is Cyberthreat Intelligence?

Gartner defines CTI as evidence-based knowledge—including context, mechanisms, indicators, implications and actionable advice—about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

“It can also be described as the process of detecting potential and actual threats using evidence-based data, responding to them and defeating the attackers using forensic and logical data the attackers themselves leave behind,” according to SC Magazine’s Cyberthreat Intelligence e-book.

You want actionable data to provide a proactive defense. An effective CTI solution sets up the appropriate countermeasures automatically for drastically improved detection and response times.

CTI collects raw information and identifies broad behavioral patterns so that attack entry points can be recognized and blocked.

Next-Gen Log Management to Facilitate CTI

In order to make the raw data collected actionable, CTI requires a log management tool such as LogRhythm to correlate the information.

“The absolute minimum barrier to entry is a security information and event management (SIEM) or log management product of some sort. Then you at least have something to correlate the information that’s coming into your security ecosystem,” says Andrew Hay, CISO at DataGravity.

LogRhythm contextually structures every log message to help you not only store the log message, but also to understand what the data means.

Identify Nefarious Activity with a Distributed Set of Data

Every attack is different. Each creates a different pattern as it makes its way into your organization. However, all cyber attacks form indicators of compromise (IOCs). Feeding IOCs into your SIEM provides full visibility into your network. With this information, a SIEM will correlate the logs from across the network to form a distributed set of data.

Using the distributed data set, an effective CTI solution can flag individual touch points as potential hazards rather than waiting to see the attack pattern as a whole before automating a response. It should need only one command to thwart an attack.

With over 70 metadata fields that provide highly relevant data for analysis and correlation and over 900 preconfigured, out-of-the-box correlation rule sets, LogRhythm’s AI Engine builds trends and exposes statistical anomalies.

AI Engine gives organizations the ability to accurately define “normal” activity and to raise alarms automatically on nefarious activity.

Make Data Actionable Out-of-the-Box

The goal of cyberthreat intelligence is to draw actionable data from the thousands of log files and data streams to identify signs of nefarious behavior. As mentioned earlier, SIEMs will be able to efficiently correlate log messages and set off alarms. Once your systems have detected those behaviors, an effective CTI product will automate your response based on the digital evidence before a breach takes place.

“It’s not just detecting a potential attack or compromise, it’s a question of what you’re going to do about it,” says Michael Orosz, director of Decision System Group, Information Sciences Institute, Viterbi School of Engineering, University of Southern California.

LogRhythm’s SmartResponse™ operationalizes data out-of-the-box in order to make it actionable. SmartResponse provides automated incident response with an extensive library of pre-built actions by LogRhythm Labs.

Once an alarm fires, its data is passed to SmartResponse. From there, you can enable a fully automated response or a semi-automated response with a sophisticated approval process.

SmartResponse puts you in control of the actions necessary for automated remediation of the threats that matter most.
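To make the automated versus semi-automated distinction concrete, here is an added example of an alarm-to-response dispatcher with an approval gate. It is not SmartResponse or any other LogRhythm code; the alarm names, action names, the in-memory "firewall" blocklist and "directory" are constructed stand-ins for the real targets a response action would call. Actions with a low blast radius (blocking an external source at the perimeter) run unattended, while actions that can lock out a legitimate user (disabling an account) are queued until an analyst approves or denies them, and every decision lands in an audit trail.

```python
"""Alarm-to-response dispatch with an approval gate.

Added example, not LogRhythm's SmartResponse code. The alarm names, action
names and the in-memory targets below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Constructed targets the actions operate on (stand-ins for a firewall API
# and a user directory).
FIREWALL_BLOCKLIST = set()
DISABLED_ACCOUNTS = set()
AUDIT_LOG = []


def block_source_ip(alarm):
    """Containment action: add the alarm's source IP to the perimeter blocklist."""
    FIREWALL_BLOCKLIST.add(alarm["src"])
    return f"blocked {alarm['src']}"


def disable_account(alarm):
    """Containment action: disable the user named in the alarm."""
    DISABLED_ACCOUNTS.add(alarm["user"])
    return f"disabled {alarm['user']}"


# Playbook (constructed): which action an alarm triggers and whether it may
# run unattended. Anything that can lock out a legitimate user waits for a human.
PLAYBOOK = {
    "ioc_match_external_src": {"action": block_source_ip, "auto": True},
    "brute_force_internal_user": {"action": disable_account, "auto": False},
}


@dataclass
class PendingAction:
    ticket: int
    alarm: dict
    action_name: str
    status: str = "pending"  # pending | approved | denied
    result: Optional[str] = None


class Responder:
    def __init__(self, playbook):
        self.playbook = playbook
        self._tickets = count(1)
        self.pending = {}

    def handle_alarm(self, alarm):
        """Run the playbook action immediately, or queue it for approval.
        Returns the action result (auto), a PendingAction (semi-auto) or None."""
        entry = self.playbook.get(alarm["name"])
        if entry is None:
            AUDIT_LOG.append(("no_playbook", alarm["name"]))
            return None
        if entry["auto"]:
            result = entry["action"](alarm)
            AUDIT_LOG.append(("auto", alarm["name"], result))
            return result
        ticket = next(self._tickets)
        pending = PendingAction(ticket, alarm, entry["action"].__name__)
        self.pending[ticket] = pending
        AUDIT_LOG.append(("queued", alarm["name"], ticket))
        return pending

    def approve(self, ticket, approver):
        """Analyst approval: execute the queued action exactly once."""
        pending = self.pending[ticket]
        if pending.status != "pending":
            raise ValueError(f"ticket {ticket} already {pending.status}")
        pending.result = self.playbook[pending.alarm["name"]]["action"](pending.alarm)
        pending.status = "approved"
        AUDIT_LOG.append(("approved", ticket, approver, pending.result))
        return pending.result

    def deny(self, ticket, approver, reason):
        """Analyst denial: the action never runs, but the decision is recorded."""
        pending = self.pending[ticket]
        if pending.status != "pending":
            raise ValueError(f"ticket {ticket} already {pending.status}")
        pending.status = "denied"
        AUDIT_LOG.append(("denied", ticket, approver, reason))
        return pending


if __name__ == "__main__":
    r = Responder(PLAYBOOK)
    print(r.handle_alarm({"name": "ioc_match_external_src", "src": "203.0.113.42"}))
    p = r.handle_alarm({"name": "brute_force_internal_user", "user": "jsmith"})
    print("queued ticket", p.ticket, "account still enabled:", "jsmith" not in DISABLED_ACCOUNTS)
    print(r.approve(p.ticket, approver="analyst1"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The design point is that the gate is enforced in the dispatcher, not in the action: `disable_account` cannot run without a ticket passing through `approve`, and a second approval of the same ticket raises rather than re-running the action.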

Employ Honeypots for an Adaptive and Proactive Response

Honeypots are isolated systems designed to look like part of the corporate network, such as Web servers running enterprise applications. These decoy systems are easy to exploit, making them an attractive target for opportunistic attackers.

Honeypots provide the actionable data necessary for cyberthreat intelligence without compromising the network.

By monitoring honeypot activity, an organization can learn about targeted threats and use this information to understand who is targeting them, what information their adversaries are seeking and how attack patterns will look within the network. This information enables proactive threat defense.
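The two ideas above, IOCs correlated across a distributed set of logs and honeypot activity turned into intelligence, fit together naturally: any source that touches a decoy that should see no legitimate traffic is an indicator, and that indicator can be matched against logs from the rest of the network. The following added example (not LogRhythm code) does exactly that. The log lines, host names and the `key=value` field layout are constructed for illustration; a real deployment would read the equivalent fields from the SIEM's parsed log metadata. An alarm is raised only when one indicator is seen on several distinct hosts, which is the "various touch points" signal rather than a single sighting.

```python
"""Turn honeypot sightings into IOCs and correlate them across production logs.

Added example, not LogRhythm code. All log lines and host names are constructed;
the ts/host/key=value layout is an assumed generic syslog-style export.
"""
import re
from collections import defaultdict

# Constructed honeypot log: a decoy web server that should never see real users.
HONEYPOT_LOG = """\
2016-01-12T02:14:03Z decoy-web01 src=203.0.113.42 dst=10.0.9.5 event=http_get path=/wp-login.php
2016-01-12T02:14:09Z decoy-web01 src=203.0.113.42 dst=10.0.9.5 event=http_post path=/wp-login.php
2016-01-12T02:20:51Z decoy-web01 src=198.51.100.7 dst=10.0.9.5 event=tcp_connect port=22
"""

# Constructed production logs from several hosts: the "distributed set of data".
PRODUCTION_LOG = """\
2016-01-12T02:31:10Z fw-edge src=203.0.113.42 dst=10.0.1.20 event=allow port=443
2016-01-12T02:31:12Z web-prod02 src=203.0.113.42 dst=10.0.1.20 event=http_get path=/login
2016-01-12T02:33:40Z web-prod02 src=203.0.113.42 dst=10.0.1.20 event=http_post path=/login
2016-01-12T02:35:02Z db-prod01 src=10.0.1.20 dst=10.0.2.5 event=sql_login user=app
2016-01-12T03:01:55Z fw-edge src=192.0.2.9 dst=10.0.1.20 event=allow port=443
2016-01-12T03:10:00Z vpn-gw src=198.51.100.7 dst=10.0.3.1 event=vpn_auth_fail user=admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict of fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text):
    """Parse a whole log blob, skipping blank or malformed lines."""
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


def indicators_from_honeypot(honeypot_events):
    """Every source that touched the decoy becomes an IOC.
    Returns {src_ip: timestamp of first sighting on the decoy}."""
    iocs = {}
    for event in honeypot_events:
        src = event.get("src")
        if src and src not in iocs:
            iocs[src] = event["ts"]
    return iocs


def correlate(production_events, iocs):
    """Match production events against the IOC set and group hits by source,
    recording which internal hosts each indicator reached."""
    hits = defaultdict(lambda: {"first_seen_on_decoy": None, "hosts": set(), "events": []})
    for event in production_events:
        src = event.get("src")
        if src in iocs:
            hit = hits[src]
            hit["first_seen_on_decoy"] = iocs[src]
            hit["hosts"].add(event["host"])
            hit["events"].append(event)
    return dict(hits)


def alarms(correlated, min_hosts=2):
    """Alarm when one IOC is observed on at least min_hosts distinct hosts:
    a single sighting is noise, the same source at the firewall and on a
    web server is a pattern worth acting on."""
    out = []
    for src, hit in correlated.items():
        if len(hit["hosts"]) >= min_hosts:
            out.append({"ioc": src, "hosts": sorted(hit["hosts"]), "count": len(hit["events"])})
    return sorted(out, key=lambda a: a["ioc"])


if __name__ == "__main__":
    iocs = indicators_from_honeypot(parse_log(HONEYPOT_LOG))
    hits = correlate(parse_log(PRODUCTION_LOG), iocs)
    for alarm in alarms(hits):
        print(f"ALARM ioc={alarm['ioc']} hosts={','.join(alarm['hosts'])} events={alarm['count']}")
```

With the constructed input, `203.0.113.42` is seen on the decoy, then at the edge firewall and on `web-prod02`, so it alarms; `198.51.100.7` is seen on the decoy and once at the VPN gateway, which stays below the two-host threshold and is left as a correlated hit for an analyst to review rather than an alarm.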

Cyberthreat intelligence combines data left behind by attackers with innovative analytics to create the next generation of cybersecurity intelligence. With LogRhythm you can collect and correlate logs, operationalize the data and automate a response, dramatically decreasing your organization’s time to detect and respond.