Threat Intelligence: Making your Bespoke Security Operations Centre Work for You - PowerPoint PPT Presentation

Number of Views: 1
Slides: 17
Provided by: maximumnetworks
Category: Other
Transcript and Presenter's Notes

1
Threat Intelligence: Making your Bespoke Security Operations Centre Work for You
2
Previously, we've spoken about the following subjects related to your Bespoke Security Operations Centre for your business:
  • What elements need to be used in the design process?
  • What your requirements will be as you build your SOC.
  • How your SOC will identify potential threats to your business and your customers.
3
Why choose Maximum Networks as your Managed Outsourced IT Support Partner?
We have a wide range of IT desktop solutions and print services for any business across the UK. Not only do we offer high-quality services across IT Services, we offer business broadband solutions, telecommunications and much, much more.
4
The Role of Threat Intelligence within Your Bespoke Security Operations Centre
Threat intelligence refers to knowledge of an attacker's activities. This can range from a simple narrative around a threat actor's motivations all the way up to in-depth technical descriptions of an attacker's tactics, techniques and procedures.
5
So, let's ask the question: What is Threat Intelligence?
6
Answer: Threat intelligence is data that is collected, processed, and analysed to understand a threat actor's motives, targets, and attack behaviours. Threat intelligence enables security teams to make faster, more informed, data-backed security decisions and to shift their behaviour from reactive to proactive in the fight against threat actors. If you already have a Managed Outsourced IT Support Partner working within your business, then Threat Intelligence will typically be conducted by them. The benefit of this is that your managed IT services partner in Birmingham is already familiar with your technology, processes, and sector of business.
7
This means that they can employ an effective Threat Intelligence strategy that will help defend your business and your client base from cyber-attacks. Put simply, Threat Intelligence is a key part of attempting to stay ahead of, or at least on par with, attackers, whilst allowing you to improve your bespoke SOC and its protection levels.
The Threat Intelligence Platform
One of the tools in the armoury of your Managed Outsourced IT Support Partner, as they make sure that your SOC is providing the best protection that it can offer, is a Threat Intelligence Platform.
8
So, let's ask the question: What is a Threat Intelligence Platform?
Answer: A threat intelligence platform automates the collection, aggregation, and reconciliation of external threat data, providing security teams with the most recent threat insights to reduce the threat risks relevant to their organisation. A Threat Intelligence Platform is a place for your SOC to store, correlate and manage Threat Intelligence sources and potential sources. Platforms are configured to analyse Threat Intelligence feeds from Threat Intelligence providers and are linked to your SIEM tool to enable automated detection of Indicators of Compromise.
9
There are a multitude of Threat Intelligence Platforms available on the market, so it's important that your Managed Outsourced IT Support Partner finds a tool that works for you. Already knowledgeable in the business sector you operate in and in your infrastructure, including hardware, firmware and software, they are in the ideal position to put the right tools to work. Once you have a Threat Intelligence Platform in place, you'll need Threat Intelligence Feeds that provide your SOC with the most value in identifying the threats out there. Open-source feeds provide your organisation with a broad range of intelligence, while commercial feeds provide a slightly more bespoke service.
10
The key parts of implementing a Threat Intelligence Platform are:
11
  • Make sure that you don't drown in low-confidence, out-of-date Indicators of Compromise. Remember, it is very easy for attackers to change an IP address. Be wary that some threat feeds may not include best-before dates, and over time this could lead to the SOC inadvertently flagging legitimate addresses as malicious.
  • Don't underestimate the value of triaging intelligence (whitepapers, reports, news articles), ensuring that analysts have time to read and digest intelligence reports that will lead to better understanding.
  • Score intelligence according to value. If a source constantly produces false positives, then perhaps review the sources you're using.
  • Make sure that your Threat Intelligence sources are providing value. It is a very competitive market, so there's no need to put all your eggs in one basket.
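As an added illustration of the advice on slides 8 and 11 (this is example code written for this page, not Maximum Networks' tooling or any particular platform's API): a minimal Python pipeline that drops low-confidence indicators, honours best-before dates and ages out indicators that have none, matches the survivors against SIEM-style events, and scores each feed by the false positives analysts confirm. The feed entries, events, thresholds and dates are all constructed sample data.

```python
from datetime import date, timedelta
# Constructed sample feed (not from any real provider): confidence 0-100, the date
# the IOC was first seen, and the "best before" date that some feeds omit (None).
FEED = [
    ("203.0.113.45", "ip", "feed-a", 90, "2024-03-01", "2024-06-30"),
    ("198.51.100.7", "ip", "feed-b", 40, "2024-04-01", "2024-12-31"),
    ("bad.example", "domain", "feed-a", 85, "2024-04-15", None),
    ("evil.example", "domain", "feed-b", 70, "2024-04-20", "2024-12-31"),
    ("192.0.2.10", "ip", "feed-c", 95, "2023-01-01", None),
]
# Constructed sample events as (timestamp, indicator type, observed value).
EVENTS = [
    ("2024-05-01T10:00:00", "ip", "203.0.113.45"),
    ("2024-05-01T10:01:00", "domain", "bad.example"),
    ("2024-05-01T10:02:00", "ip", "198.51.100.7"),
    ("2024-05-01T10:03:00", "domain", "evil.example"),
    ("2024-05-01T10:04:00", "ip", "192.0.2.10"),
]

def usable_indicators(feed, today, min_confidence=60, max_age_days=90):
    """Drop low-confidence and out-of-date IOCs before they reach the SIEM."""
    today = date.fromisoformat(today)
    keep = []
    for value, ioc_type, source, confidence, first_seen, valid_until in feed:
        if confidence < min_confidence:
            continue
        if valid_until is not None:
            expired = today > date.fromisoformat(valid_until)
        else:  # no best-before date: age the IOC out from its first sighting
            expired = today - date.fromisoformat(first_seen) > timedelta(days=max_age_days)
        if not expired:
            keep.append((value, ioc_type, source))
    return keep

def match_events(events, indicators):
    """Return (timestamp, value, source) for each event that hits a usable IOC."""
    lookup = {(t, v): s for v, t, s in indicators}
    return [(ts, v, lookup[(t, v)]) for ts, t, v in events if (t, v) in lookup]

def score_sources(hits, confirmed_false_positives):
    """Hits and precision per feed, so a noisy source can be reviewed or dropped."""
    stats = {}
    for _, value, source in hits:
        s = stats.setdefault(source, {"hits": 0, "false_positives": 0})
        s["hits"] += 1
        s["false_positives"] += int(value in confirmed_false_positives)
    for s in stats.values():
        s["precision"] = round(1 - s["false_positives"] / s["hits"], 2)
    return stats
```

Running `score_sources(match_events(EVENTS, usable_indicators(FEED, "2024-05-01")), {"bad.example"})` shows feed-a at 50% precision after analysts clear bad.example, while the stale feed-c indicator never reaches matching at all.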
12
So, let's ask the question: What are Indicators of Compromise?
13
Answer: An Indicator of Compromise (IOC) is a piece of digital forensic evidence that suggests an endpoint or network may have been breached. Just as with physical evidence, these digital clues help information security professionals identify malicious activity or security threats, such as data breaches, insider threats or malware attacks. Unfortunately, Indicator of Compromise monitoring is reactive in nature, which means that if an organisation finds an indicator, it is almost certain that they have already been compromised. That said, if the event is in progress, the quick detection of an Indicator of Compromise could help contain the attack earlier in the attack lifecycle, thus limiting its impact on the business.
14
Examples of Indicators of Compromise
What are the warning signs that the security team is looking for when investigating cyber threats and attacks? Some indicators of compromise include:
  • Unusual inbound and outbound network traffic.
  • Geographic irregularities, such as traffic from countries or locations where the organisation does not have a presence.
  • Unknown applications within the system.
  • Unusual activity from administrator or privileged accounts, including requests for additional permissions.

15
  • An uptick in incorrect logins or access requests that may indicate brute-force attacks.
  • Anomalous activity, such as an increase in database read volume.
  • Large numbers of requests for the same file.
  • Suspicious registry or system file changes.
  • Unusual Domain Name System (DNS) requests and registry configurations.
  • Unauthorised settings changes, including mobile device profiles.
  • Large amounts of compressed files or data bundles in incorrect or unexplained locations.

16
Source page: https://www.maximumnetworks.co.uk/threat-intelligence-making-your-bespoke-security-operations-centre-work-for-you/
For more information, get in touch at https://www.maximumnetworks.co.uk/contact or call us on 0330 041 6308 today!