Organizations that want to arm their security operations center (SOC) with tools that accelerate incident analysis rely heavily on threat intelligence and insight to prioritize alerts.
Historically, this threat intelligence has come mainly from the network. Network security solutions such as firewalls are very mature and were a natural control point for traffic in a world where most users worked from centralized locations. This was augmented by endpoint threat intelligence with the adoption of EDR solutions, which can analyze actions occurring on the endpoint device.
As threat actors continue to evolve their evasive tactics, threat intelligence needs to expand in order to give SOC analysts the level of enrichment they need to quickly and accurately respond to threats.
SOC teams pull data from numerous sources in an attempt to identify malicious behavior. Correlating multiple sources can uncover malicious intent that would otherwise appear to be multiple unassociated events and therefore go unnoticed.
Those sources should not simply duplicate what existing solutions already provide. Duplicating data does not make an organization more secure; in fact, it can cause confusion. Instead, look for intelligence that offers an additional perspective on the threat landscape. While there are many sources of network, endpoint and application threat intelligence, consider which threat vectors threat groups are actually targeting, such as the web browser, and ensure those are adequately covered.
Intelligence for the sake of intelligence does not necessarily improve security or speed up threat detection. A core consideration when integrating threat intelligence is how actionable it is. What you will do with it, and what outcomes you expect, should be the leading considerations.
Actionable intelligence provides data that enables a security team to identify threats accurately, prioritize targets and response efforts, and reduce the time taken to detect and respond.
Any intelligence source needs to integrate seamlessly with existing security information and event management (SIEM) tools rather than operate as a standalone system. Rather than build a complex system of data sources, organizations should, where possible, consolidate threat intelligence sources without compromising breadth of coverage.
Menlo accelerates incident response workflows by providing context-rich, actionable intelligence about browser-based, highly evasive attacks targeting users. Through continual analysis of customer web traffic and multiple AI/ML-powered classifiers, Menlo is able to uniquely identify the presence of highly evasive attacks. Timely, actionable alerts also enable security teams to significantly reduce mean time to detect (MTTD) and mean time to respond (MTTR) for any highly evasive threats targeting their users.
Menlo Security’s isolation core analyzes every action users perform in their browsers. This allows HEAT Visibility to understand and correlate events within each web session quickly and accurately, and to deliver threat data that gives a complete picture of a web-based attack, a picture that would otherwise require multiple security solutions and manual data integration. By surfacing details such as impersonated brand logos and end-user actions, including data and credential entry, security administrators can easily see that an event is critical and requires an immediate response. HEAT Visibility alerts can be viewed in a dedicated dashboard and in the Insights analytics tool in the Menlo Security admin portal, and can be consumed via API directly by your SIEM/SOC platform(s).