Ran Mosessco from Websense Security Labs has a very interesting post on solving a key issue every Security Analyst in a SOC (Security Operations Center) faces – the overwhelming volume of security alerts (even after correlation), also called Attack Indicators, that an Analyst has to acknowledge and investigate.
Actionable threat intelligence is buried deep within terabytes of seemingly interesting but irrelevant data. Plausible deniability, false positives, lack of traceability and attribution, skillful attackers, adaptation of warfare techniques, and the like only add to the confusion. How does one bubble up prioritized, actionable threat intelligence in an automated fashion from the depths of the data morass?
This approach is still at a nascent stage and requires further study, and we need to come up with an implementable solution. But I think this is a good place to start, and the following lines capture the way forward accurately:
With attacks becoming more advanced and sophisticated each day, combining big data engineering, unsupervised machine learning, global threat intelligence and cybersecurity know-how is required to deal with them in a timely, automated and efficient manner.
This topic is one of my key focus areas professionally, and so I will be writing more about it here.
Title Image credit: communities.websense.com