How Threat Intelligence Platforms Can Expand Detection and Response

0

Article by ThreatQuotient APAC Sales Manager Robert Streamer.

As the new year continues to unfold, cybersecurity budget makers will be deeply engaged in the process of identifying where to allocate funds to best improve protection against cyber threats. The good news is that budgets are growing, with industry commentators frequently reporting that companies are spending more money strengthening their position against persistent and sophisticated threats.

Extended detection and response (XDR) is firmly on the list of preferred approaches, which has rapidly gained momentum over the past couple of years. Analysts predict triple-digit market growth as companies aim to implement a comprehensive, end-to-end security approach. However, before companies plunge headlong into XDR investments, it is worth exploring what we mean by XDR, how it integrates with existing tools, and where threat intelligence platforms can be leveraged to helping businesses bridge the gap between what they have now and an ideal future. state of effective XDR.

XDR – what is it?

Currently, there are several definitions aimed at capturing what constitutes XDR, but we believe ESG analyst Jon Oltsik offers a solid summary, describing XDR as: “an integrated suite of security products spanning architectures hybrid computing, designed to interact and coordinate on threat prevention, detection and response.In other words, XDR unifies control points, security telemetry, analysis and operations in a single enterprise system. »

Indeed, XDR is not just a combination of one or two security tools, such as EDR and SIEM. It must be able to normalize and correlate data from all security tools – across multiple vendors and form factors – and automatically act on the information provided.

The challenge for organizations when exploring how to implement XDR for their business is that they are all unique. Over time, they have organically built a heterogeneous suite of protection technologies and tactics based on the needs that have arisen and the threat they pose to the business. Tools have been purchased to address specific aspects of cybersecurity threats and management: firewall, antivirus, endpoint detection and response, to name a few. As a result, the security field is often sprawling, and large companies can have up to 80 vendors on their books. Some are household names, and some have been chosen as the best in their particular use case for the organization. Many – born before the shift in philosophy to open APIs and integration – locked in their customers in an effort to maintain their position in fiercely competitive markets.

Unsurprisingly, the result is that there’s very little appetite to rip up and replace that legacy investment with an entirely new solution. Additionally, in a rapidly changing environment, new tools and vendors will continue to emerge to address new use cases, and businesses want to retain the flexibility to integrate new solutions as needed. Therefore, tearing out existing systems and putting all their safety eggs in one basket is unattractive.

Where Threat Intelligence Platforms Can Power XDR

Instead of undoing all previous security investments, the best approach is to find a way to unlock the silos to better integrate and operationalize the wealth of data that organizations are already collecting. A threat intelligence platform functions as a repository for data and intelligence from internal and external resources and should be an intermediary between existing security technology and cloud-based security offerings. The power of the platform provides seamless integrations with existing tools, allowing security teams to benefit from all the information that already exists in their security setup without experiencing data overload.

Once collected, a key function of the platform is to contextualize the data. By acting as a single source of truth for teams and leveraging third-party feeds, internal data is enriched with context. When this is overlaid with policy decisions and risk analysis, alerts can be automatically prioritized. This helps security teams identify the threats most relevant to them and the priority in which to manage them.

A well-implemented threat intelligence platform also reduces the number of false positives. For example, intelligence feeds known to be particularly chatty or more likely to provide false positives may be assigned lower priority scores than an internal Splunk feed. This helps teams reduce noise and have confidence in the validity of the alerts they receive. This results in accelerated security operations and a better working environment for security teams.

Build a corporate cybersecurity memory

One issue that many organizations are struggling with – especially right now – is staff turnover. The human capital lost when analysts leave is significant; this can leave companies exposed until new employees catch up. A threat intelligence platform creates a record of identified threats and how they were triaged and handled. This creates a corporate memory of the threats and responses the business has faced, allowing new team members to benefit from the work of their predecessors.

Ultimately, as organizations continue to transition to comprehensive XDR, they need to consider how a threat intelligence platform can power effective XDR and help their security teams accelerate operations without undoing historical investments.

Share.

About Author

Comments are closed.