Government security operations centers and incident response teams are long past the point of hoping to keep pace with cyberthreats by relying on traditional processes for detecting, analyzing and responding to threats.
The challenge is that analysts spend so much time trying to sift through the endless stream of data points, they have little opportunity to translate that data into intelligence about the overall cyber posture of their agency, or to take a more proactive approach to cybersecurity.
“The volume of attacks – and the sophistication of the attacks – will only get worse as you go, but you only have a limited amount of resources in terms of the tools you can use and the experts you can hire,” said Joon Shin, a Sales Engineer with ThreatConnect, which provides an intelligence-driven security operations platform.
Consider the task of assessing suspicious emails and links, which are some of the most common threats that agencies face. The traditional manual process for investigating such a threat – identifying the IP address, checking it against various threat intelligence databases, and so on – is time-consuming, repetitive work, which, while necessary, is painfully inefficient.
The good news is that because the work is process-driven, it can be automated – from the detection and investigation of a possible threat to protection and response. The same holds true with many cyber processes. But rather than simply automating individual tasks, agencies should look to orchestrate processes across the IT environment.
Together, automation and orchestration accelerate cyber operations and eliminate human error, while also freeing up analysts to focus on higher-value work, such as threat hunting, Shin said.
But that is only half of the solution. To fully understand their threat environment, agencies need to leverage threat intelligence to develop real-time cyber situational awareness. Rather than look at individual threats in isolation, the goal is to put them in context by aggregating and correlating data from multiple sources.
For example, a user-reported phishing attempt might seem like a low-level incident. But once correlated with other data points from across the enterprise – and viewed in light of data from other organizations – that phishing attempt could prove to be part of a multipronged, systematic attack that has been underway for months. Again, automation is critical to this approach, accelerating the time it takes to collect, analyze and arrive at actionable insight.
It is also essential to have a centralized repository for threat intelligence, including both external intelligence feeds and internal historical data. “Having everything contextualized and normalized on a single platform really helps you connect the dots,” Shin said.
ThreatConnect’s founders developed this approach to security operations in large part based on their experience in the defense cyber community. They found that other popular approaches, such as security incident and event management or feed-centric solutions, simply did not provide analysts with the actionable intelligence that they needed when they needed it.
In today’s threat environment, that is a mistake that agencies cannot afford to make.
Takeaway: Agencies need to approach their security operations like a business owner, investing in tools that enable their analysts to bring more value to the mission.
This article is an excerpt from GovLoop’s recent guide, “The Top Government Innovations of 2019.” Download the full guide here.