Achieving Threat Intelligence Feeds Using SIEM

By Paladion

December 16, 2015


With the scale of cyber security threats today, companies are employing next-generation security methods, such as Security Information and Event Management (SIEM), to provide a comprehensive outlook of their network’s threat assessment situation quickly and efficiently. According to the Mandiant 2015 Threat Report, identifying a data intrusion takes an average of 205 days.

SIEM, in this regard, helps businesses correlate different events and situations across multiple systems using near-real time analysis tools and collects data logs to provide alert notifications and compliance reports. By centralizing the data, it allows for significantly quicker identification of threats, giving you ample time to take the appropriate actions to prevent any substantial loss of sensitive data.

However, SIEM systems usually lack the depth and tools to provide a more robust cyber security defense without the integration of threat intelligence feeds. Companies that avoid threat intelligence feeds usually do so because of a lack of resources and the difficulty of maintaining their use. Here, we share the importance of integrating SIEM with threat intelligence feeds and how your company can achieve this integration.

What is a threat intelligence feed?

A threat intelligence feed service collects data from numerous sources and performs a threat assessment, producing actionable information in the form of data feeds. These include IP addresses, phishing data, malware hashes, open source data, and malicious domains. With threat intelligence feeds, you are able to take cyber security a step further. Their use of large-scale analytics makes it much easier for organizations to prioritize security risks from different sources quickly and efficiently.

With a SIEM system that is fully integrated with threat intelligence feeds, organizations benefit from better context. Processes such as incident investigation and alert triage become much faster, because the information needed to evaluate an alert's context is available much sooner. More importantly, organizations can maintain a database of past threats and incidents, and gain stronger threat detection and prevention capabilities.

How to integrate threat intelligence feeds with your SIEM?

Integrating threat intelligence feeds with your SIEM requires knowing how to configure the right feeds for your SIEM system. Check whether your SIEM vendor offers the option to integrate threat intelligence feeds with your current system, or choose another SIEM vendor who provides these facilities.

But since threat intelligence feeds are relatively new in the security industry, the options are far-ranging, and it can be difficult to choose the one that meets your organizational needs. The following are three factors for choosing the right threat intelligence feeds.

  • System alignment

This involves looking at the types of threats your business faces on a frequent basis and which ones are not being captured and resolved efficiently.

  • Sensor capabilities

This involves assessing the strengths and weaknesses of your SIEM or other threat intelligence service system. It answers questions such as: what kinds of threats are you currently able to detect, and which can you not detect? What sensors have you put in place, and what do you need to deploy in the future? A company should carefully assess whether it has the financial and technological resources to take on complex feeds.

  • Smart gap analysis

This looks at which threats can be resolved more efficiently with a particular threat intelligence feed. This is very important when choosing from a multitude of threat intelligence feeds to suit your organization's cyber security challenges.

You should ensure that the feeds you choose are easy to deploy, do not require extensive operational effort, and do not increase your threat detection time. Some feed characteristics, such as a large number of entries, can make your security monitoring a lot noisier. In other cases, a high frequency of matches against your IT systems, although very useful and reliable, can be very difficult to attain, since it requires heavy operational usage.

Therefore, your top considerations for choosing feeds should primarily be:

  • How much will the feed reduce my threat detection time?
  • How much of this feed will help me detect threats that I would normally miss?

These two questions along with the aforementioned factors will go a long way in helping you choose the right threat intelligence feeds for your SIEM system.
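The following is an added example (not Paladion's code or any SIEM product's) that shows, in a toy form, the two things described above: enriching events with the feeds that listed an indicator, and measuring per feed how often it fires and how many alerts only that feed would have raised. The feeds, indicator values and log lines are constructed sample data, and the key=value log format and the field-to-indicator mapping are assumptions.

```python
from collections import defaultdict

# Constructed sample feeds (not real indicators): feed name -> {indicator type: values}
FEEDS = {
    "feed_a": {"ip": {"203.0.113.7", "198.51.100.23"}, "domain": {"bad.example"}},
    "feed_b": {"ip": {"203.0.113.7"}, "hash": {"d41d8cd98f00b204e9800998ecf8427e"}},
}
# Constructed firewall/proxy-style events in an assumed key=value form
LOGS = [
    "ts=2015-12-16T10:00:01 src=10.0.0.5 dst=203.0.113.7 action=allow",
    "ts=2015-12-16T10:00:02 src=10.0.0.6 host=bad.example action=allow",
    "ts=2015-12-16T10:00:03 src=10.0.0.7 dst=192.0.2.9 action=allow",
    "ts=2015-12-16T10:00:04 src=10.0.0.5 dst=203.0.113.7 action=allow",
]
# Assumed mapping of event fields to the indicator type they are compared against
KEY_TYPES = {"src": "ip", "dst": "ip", "host": "domain", "md5": "hash", "sha256": "hash"}

def build_index(feeds):
    """Invert all feeds into (type, value) -> set of feed names for constant-time lookups."""
    index = defaultdict(set)
    for name, kinds in feeds.items():
        for kind, values in kinds.items():
            for value in values:
                index[(kind, value.lower())].add(name)
    return index

def parse(line):
    """Split a key=value event line into a dict of string fields."""
    return dict(kv.split("=", 1) for kv in line.split())

def enrich(logs, index):
    """One alert per event that touched an indicator: the event plus the feeds behind each match."""
    alerts = []
    for line in logs:
        event = parse(line)
        matches = {}
        for key, value in event.items():
            kind = KEY_TYPES.get(key)
            if kind and (kind, value.lower()) in index:
                matches[key] = sorted(index[(kind, value.lower())])
        if matches:
            alerts.append({"event": event, "matches": matches})
    return alerts

def score_feeds(feeds, alerts):
    """Per feed: entries (noise potential), hits (how often it fires), unique_hits (alerts no other feed raised)."""
    stats = {n: {"entries": sum(map(len, k.values())), "hits": 0, "unique_hits": 0}
             for n, k in feeds.items()}
    for alert in alerts:
        feeds_hit = {f for names in alert["matches"].values() for f in names}
        for f in feeds_hit:
            stats[f]["hits"] += 1
            stats[f]["unique_hits"] += int(len(feeds_hit) == 1)
    return stats
```

On the sample data, feed_b fires twice but never on anything feed_a would have missed, which is the kind of overlap the second question above is meant to expose.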

Paladion is a pioneer in providing next-generation cyber-security solutions to organizations. Our more than a decade of work in the security industry gives us considerable insight into the complex challenges organizations face and the solutions required to mitigate them, for sustainable and robust IT management and network security infrastructure.
