Threat Intelligence-Informed Risk Management
Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how an organization manages the potential effects of risks. It has a prominent place throughout the security lifecycle and is a continuous and increasingly complex process. The types of risks vary from organization to organization, but preparing a risk management plan is common to all of them. Risk management helps organizations identify the critical IT assets and critical accesses that are important for the organization to function.
Threat intelligence plays a major role in an organization's risk management process. It helps organizations understand various aspects of the threat environment, such as the nature of threats and the identification of vulnerabilities, so that they can develop security solutions tailored to their needs to reduce risk.
Threat intelligence -informed risk management provides organizations with the following:
– Information assurance
– Detailed information about security vulnerabilities
– Determination of possible threat actors targeting the organization
– Identification of new vulnerabilities
– Analysis of history to identify possible emerging threats along with their TTPs
The above information is continuously monitored and updated to implement mitigation strategies for evolving threats. Threat intelligence also provides information on security threats such as physical risks and human factors, which together describe the complete risk profile of an organization. It provides organizations with contextual information that helps in identifying cyber security risks to their IT assets and in strengthening their overall cyber security posture.
The diagram in the slide illustrates the threat intelligence-enabled risk management process, which consists of the following four phases:
Frame: This phase helps organizations create a context for their risk-based decisions and an execution plan for assessment, monitoring, and response. Risk framing generates detailed information about the sources and techniques used to gather threat information, which is fed as input to risk assessment. Threat intelligence is used to understand the direction and operations needed to perform risk management.
Assess: This phase helps the organization perform analysis and identify the level of risk it faces. Here, threat intelligence plays a major role in identifying, assessing, and tracking potential threats to the organization's IT assets. Threat intelligence also helps in evaluating the organization's current vulnerabilities against the identified threats.
Respond: This phase determines what actions the organization needs to perform after risks have been identified. It addresses the different courses of action that are best suited to the organization. Threat intelligence helps organizations evaluate and implement these courses of action to achieve maximum effectiveness. The cyber kill chain and diamond models are used in this phase as a basis for communication between threat intelligence analysts and risk managers.
Monitor: This phase helps organizations verify whether the courses of action have been properly implemented, evaluate their effectiveness, and observe further changes that affect the risk assessment. Threat intelligence helps in monitoring ongoing changes in the threat landscape to provide real-time support to security decisions and practices.
Integration of Threat Intelligence into SIEM
Security information and event management (SIEM), also referred to as security incident and event management, performs real-time SOC functions such as identifying, monitoring, recording, auditing, and analyzing security incidents. It also provides security by tracking suspicious end-user behavior within a real-time IT environment.
SIEM protects an organization's IT assets from data breaches caused by internal and external threats. Organizations integrate threat intelligence into SIEM to take control of the chaos, gain in-depth knowledge of threats, eliminate false positives, and implement proactive, intelligence-driven defense.
Listed below are the benefits of integrating CTI into SIEM:
– Integration of CTI into SIEM helps organizations quickly thwart evolving threats that create high impact on their IT assets.
– CTI provides real-time support to SOC analysts to identify and take appropriate actions upon indications of compromise scenarios.
– Threat data feeds integrated with SIEM enhance the effectiveness of threat detection mechanisms, reducing the false positive alarm rate.
– CTI gives SIEM the capability to raise real-time alerts on upcoming threats along with a complete understanding of the threat and its TTPs.
– High-quality threat intelligence feeds provide contextual information that speeds up alert triage and the incident investigation process.
– CTI enhances the threat tracking process by combining internal monitoring logs with external and internal threat intelligence.
– CTI gives SIEM the capability to check historical data against current threat intelligence data to uncover previously unknown threats.
– CTI integrated with SIEM helps organizations use contextual information such as IoCs to prioritize incidents, retain historical threat data along with related indicators and past incidents, and generate threat profiles.
– CTI is used to find the scope of an incident by relating the local observations to the threat data feeds to identify all the compromised IT resources and traces of an attack.
– CTI helps analysts mitigate advanced threats by collaborating on response and protection mechanisms without analyzing huge volumes of log data.
– CTI allows proactive analysis by pivoting beyond the known threat information and IoCs to add context and intelligence to evolving threats.
– CTI integrated with SIEM adds context and relationship to the identified indicators that enable organizations to understand the nature of threats and the level of risk they pose to their IT assets and provide an effective response.
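The following added example (not code from the original course material) shows, in miniature, what several of the benefits listed above look like in practice: a small IoC feed is matched against SIEM-style log events, each hit is enriched with actor and TTP context, events are prioritized by indicator confidence, the set of affected internal assets is derived to scope the incident, and retained historical events are checked against the current feed to find the earliest sighting of each indicator. The feed, the actor name, the confidence values, and the log lines are all constructed for illustration; the ATT&CK technique IDs are real but their association with the constructed indicators is assumed.

```python
"""Added example: enriching SIEM log events with a threat-intelligence feed.

All indicators, actors, confidence values and log lines below are constructed
for illustration; this is not code from the original page.
"""
import re

# Constructed IoC feed. Each record carries the context a SIEM needs for
# enrichment: who the indicator is attributed to, the TTP it supports, and
# how confident the source is. The actor name is a placeholder.
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "actor": "HYPOTHETICAL-GROUP-A",
     "ttp": "T1071.001 Application Layer Protocol: Web Protocols", "confidence": 90},
    {"type": "domain", "value": "update-cdn.example", "actor": "HYPOTHETICAL-GROUP-A",
     "ttp": "T1105 Ingress Tool Transfer", "confidence": 80},
    {"type": "sha256", "value": "a" * 64, "actor": "unknown",
     "ttp": "T1204 User Execution", "confidence": 60},
]

# Constructed log events in key=value form: proxy events and one endpoint
# event. The 2024-02-20 line is a retained historical event that predates the
# feed entry; it is what lets the retro-match below surface an earlier sighting.
LOG_LINES = [
    "2024-03-01T09:12:03Z proxy src=10.0.5.12 dst=203.0.113.45 dst_host=update-cdn.example action=allow",
    "2024-03-01T09:12:10Z proxy src=10.0.5.12 dst=198.51.100.7 dst_host=cdn.example.net action=allow",
    "2024-03-01T09:15:44Z endpoint host=WS-0512 sha256=" + "a" * 64 + " event=process_start",
    "2024-02-20T22:01:15Z proxy src=10.0.7.3 dst=203.0.113.45 dst_host=update-cdn.example action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Event fields whose values are compared against the indicator feed.
OBSERVABLE_FIELDS = ("dst", "dst_host", "sha256")


def parse_event(line):
    """Split '<timestamp> <source> k=v k=v ...' into a flat dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["source"] = source
    return fields


def match_events(lines, feed):
    """Return enriched events that hit at least one indicator, highest score first.

    The score is the sum of the confidence of every indicator the event hit, so
    an event that touches both a known C2 address and its domain outranks one
    that only matches a low-confidence file hash.
    """
    index = {ind["value"]: ind for ind in feed}
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = [index[ev[f]] for f in OBSERVABLE_FIELDS if ev.get(f) in index]
        if not hits:
            continue
        ev.update(
            matches=hits,
            score=sum(h["confidence"] for h in hits),
            actors=sorted({h["actor"] for h in hits}),
            ttps=sorted({h["ttp"] for h in hits}),
        )
        results.append(ev)
    return sorted(results, key=lambda e: e["score"], reverse=True)


def affected_assets(matches):
    """Scope the incident: every internal host that produced a matching event."""
    assets = set()
    for ev in matches:
        if ev["source"] == "proxy":
            assets.add(ev["src"])
        elif ev["source"] == "endpoint":
            assets.add(ev["host"])
    return assets


def first_seen(matches):
    """Retro-match: earliest timestamp at which each indicator appeared in retained logs."""
    seen = {}
    for ev in matches:
        for hit in ev["matches"]:
            value = hit["value"]
            if value not in seen or ev["ts"] < seen[value]:
                seen[value] = ev["ts"]
    return seen


if __name__ == "__main__":
    enriched = match_events(LOG_LINES, THREAT_FEED)
    for ev in enriched:
        print(ev["ts"], ev["source"], "score=%d" % ev["score"], ev["actors"], ev["ttps"])
    print("affected assets:", sorted(affected_assets(enriched)))
    print("first seen:", first_seen(enriched))
```

Running the block prioritizes the two proxy events that hit both the IP and the domain (score 170) above the lone hash match (score 60), scopes the incident to three internal assets, and shows that the C2 address was first seen on 2024-02-20, before the March alert that an analyst would otherwise have treated as the start of the activity.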