Event Recording

Anett Mádi-Nátor: Let's Talk Cyber Threat Intel - How Does it Fit in SOAR?

Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Automated cyber threat intelligence. What that is good for what that is not that good for whether you, and whether you can automate this at all. These are the, the primary topic areas for me to, to, to discuss today. Before we jump into the topic, let me briefly introduce the company that I represent because I was kindly introduced by the, the moderator as a president president for women for cyber foundation Europe, which is, which is quite right. And this is a very passionate rule that, that I'm happily taking. On the other hand, my daily job links me to a cyber security service provider and absolutely knowledge based cyber security service provider called cyber services. And I am responsible for strategic business development and also the operations. And so as my company is quite heavily involved in certain cyber threat intelligence procedures, we thought it's a nice idea. If, if, if I sort of presented or approach it somehow during this conference, additionally, we quite strongly collaborate with the European cyber security organization. We are a member of the strategic committee and also the member of the board. So we, we sort of see, we have a very good view of what comes in the, in the coming two, three years in the European cyber security related legislation. So I would like to highlight these approaches briefly as well.
So let's start what needs to be understood. I believe regarding cyber fact intelligence is how we position it within the cybersecurity arena. In general, perhaps you see my slides, there are five key areas or main areas of cybersecurity that are commonly identified now. And one of them is actually highlighted here that is the preventive or proactive security. That's a kind of approach that, that is new from the perspective that when we started discussing cybersecurity in general prevention, wasn't really in the focus cybersecurity and, and even more cyber defense and, and information assurance and information security where the whole thing came from per se, concentrated at the first time, concentrated primarily and almost exclusively on defense. So defensive and, and, and let's say post handling approaches were the ones that everyone praised and concentrated on, but as, as time passed and we also formulated cybersecurity and formulated the sub areas of cybersecurity, I think quite advantageously, the preventive or proactive security approach was, was also formulated within that cyber threat intelligence fits quite well.
And, and if you take one step further, we can easily reach applied intelligence. This will be also discussed in my, in my speech a bit later. So what else do we have here? We have managed security. We have incident response, we have mitigation and information exchange. And what I just wanted to show you just to give a sort of insight into heavy approach cyber threat intelligence is that for preventive or proactive security, cyber threat intelligence really has a very strong role. It, it really collaborates as an input area, a little bit static, but still very important input area for applied intelligence. It creates situational awareness. Those colleagues who deal with ethical hacking also work a lot with CTI inputs. Gamification when that we use for capacity building also has a lot of, so lot of CTI inputs, actually the scenarios that we use for, for cyber threat, no, the scenarios that we use for, for cyber drills gain a lot from the cyber threat intelligence scenarios.
And that is true for the cyber exercises as well. And the first question or the, the original question of, of my presentation was like what cyber threat intelligence, what cyber threat intelligence is good for and, and whether we can automate it. Now, my answer is absolutely to the second question. Yes, we can input automated cyber threat intelligence to discharge. I'm going back in my presentation. Hope you can see my pointer to the preventive and proactive security submarine of cyber security. Additionally, why, what I would like to draw the attention to is that that capability that is highlighted in red is the one that is usually missing at the majority of organizations. So that is basically the hardest to produce in house. So if someone goes to the direction that they start thinking about implementing something that can provide an automated cyber threat intelligence input, then they are moving to the right direction.
Additionally, when it comes to managed security services, cyber threat intelligence can also give a lot of additional and useful inputs. Let's talk about monitoring. Let's talk about log management. Let's talk about incident management. So cyber threat intelligence, and especially those parts that can be automatedly inputted into those systems that provide managed security services to clients. Then, then, then we gain additional input. Let's move on incident response. Sometimes we, we get the question like, can we automate incident response steps, incident response measures, and operational layers. And the answer is absolutely yes, by now security operations centers and, and, and so service providers have a lot of, a lot of automated methods and means for incident investigation for, for gaining IOCs, for gaining IASS. Some certain parts of CTI analysis can also be automated. That that is used for incident investigation at hoc reports are usually not easy to automate.
So these are not the ones that we automate, but for forensic methods, we also use a lot of automation. Additionally, if we speak about mobile analysis, that's an area where automation can play a lot, a lot of. So, so that, that gives a lot of added value for these areas. We sort of, by now, we sort of implement hybrid methodology, which covers automation primarily, and those inputs that are gained through automation or machine to machine investigation procedures are actually checked and, and verified by humans by experts. And this is the way how we incorporate the two, the, the automated way and the human value. So I believe this is, this is a kind of approach that may be advantages used in the near future. Some more things I would like to jump through because as I see I'm, I'm running out of time, this is just one snapshot for you to, to have a very quick overview of how structure cyber threat intelligence.
There are three layers that we, that we use first is the tactical layer when we investigate what is happening and, and specifically, and, and how that thing is happening. The audience of this area is the security operations center Analyst, the CSS, vulnerability, and patch management, and these areas, these target areas can receive a lot of automated inputs. So I believe CTI fits into automation on tactical level quite well. Next level is operational CTI here, the old and, and the operational level usually provides answers to the very specific questions and typical questions like where is that thing is happening? When is the incident happening and how is the incident happening? But from a broader perspective, the audience here is it operations road management, security, architecture, management, crisis management experts in crisis management. People. Their work is also very much, very well supported by, by automated methods, but here the human added value is getting a bit more important than on tactical layers. If I may say that. So, so here is the first point when we still identify a lot of added value from the human check per se. The next one is the strategic layer where obviously the audience is board executives. So it's the C level, the senior management.
This is the point where we still have a lot to go in specific relation to how to automate decision support systems properly, how to automate those processes that provide human, that provide those inputs that are understandable for humans and, and support these, the situational awareness per se, for the sea level. So, so, so this is basically the area where I would like to see some new systems available and some new methodologies available. Yes. Basically to, to, to sum this up, how to automate C ETI. There are a lot of automate, there are a lot of re tasks that we can automate such as notifications of data breaches, rollout of consent notifications, data collection, documentation of all the data, technical documentation of all the data that the enterprise or the organization holds. So that's one potential point here. The second one is, is automation of internal source collection of CTI.
And, and a lot of our did value can be created if the organization or the enterprise introduces a well designed and effective log management, that this is an area, a technical area where, where we still have a long way together. There are solutions available, but some of them are optimized to really large enterprises. And some of them are optimized to smaller scale block management. But nevertheless, the, the, the aggregation and integration of, of logs is, is, is still sometimes an issue as a fourth point. We can automate CTI feeds from external sources. So basically the information exchange can be very well automated, especially if you join or, or the enterprise joins a trusted community like miss in Europe, or if, if a professional CTI service provider or feed provider provides automated inputs, there are brilliant service providers on this area. And as a large, let's say input is the, is basically the security orchestration automation and response product that you can implement at your enterprise with concentrating on those cyber security tools that are able to incorporate cyber threat intelligence feeds.
So that would be my 2 cents on, on, on this topic. And here we go, the key issue perhaps applied intelligence. And that's the area. What is, is, is still a little bit difficult to automate properly. What's the difference between CTI and applied intelligence? I just, I'm just giving you a very well known definition for that. Let's talk applied intelligence applied intelligence is basically emerge of traditional intelligence and cyber threat Intel. And additionally, it's, it's this, the professional area where we actively interfere in the attacks and, and the attacker activities. This is why it still needs a lot of human interaction, not to mention the inputs from traditional human intelligence that we use quite extensively to these purposes. I have some more slides on actionable information, how to get that and further analysis topics like competing hypothesis, whether we can automate it or not. So my recommendation is as, as I see that I'm running out of time, that I'm very happy to share my presentation with the event. Organizers, should you be interested go through this? And I'm also available for questions. If there are any such things, thank you for your attention.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00