Threat management is a framework that is often used to evaluate and manage everything you can do to detect and respond to cyberthreats. It encompasses people, process and technology, and for effective threat management, all three should work together seamlessly.

Of course, that’s easier said than done. When you look at just the technology piece of threat management, there’s obviously a lot out there. This is reflective of cybersecurity in general, where organizations are using an average of 25 to 49 disparate tools from up to 10 different providers. This has created additional complexity and led some organizations to undergo tools rationalization to better understand what they are getting out of each tool, where there may be overlap and where there may be gaps. But even after working through that type of exercise, different, fewer or more point solutions are not always the best way forward.

Challenges to Effective Threat Management

Too Much Unactionable Threat Intelligence

There is a disconnect between threat intelligence itself and what makes it actionable to an organization. With the number of threat feeds available today, gathering threat intelligence is not the problem; the volume of threats makes it difficult for security analysts to prioritize which ones to focus on. A recent conversation with a security leader summed up this challenge. He said that one of his big initiatives is implementing “managed threat intelligence,” his term for a way to deliver prioritized threat intelligence to his team, rather than giving them everything available.

Finding Insights Within Decentralized, Distributed Data

As the number of security and IT tools has grown, so has the amount and location of data, according to a 2019 IBM-commissioned study conducted by Forrester Consulting. Most organizations are using on-premises solutions and multiple clouds, even if they may not realize it. Furthermore, the data itself is not uniform or predictable. Thus, if an analyst or threat hunter needs to find some type of indicator within an organization’s environment, it is very difficult and time-consuming to search across the disconnected sources. And as each new data source is added, integration cost and complexity only increase. In the past, organizations have looked to centralized data lakes for the answer, but as data volumes, costs and veracity have continued to increase, particularly across multiple cloud and endpoint platforms, this approach can have limited success.

Lack of Skilled Resources to Manage the Number of Threats

It’s no secret that there’s a lack of skilled cybersecurity analysts today, and everyone is pulling from the same talent pool. Furthermore, the high levels of stress reported by security professionals, from analysts to chief information security officers (CISOs), do not help this problem. The disconnect between the number of people managing and prioritizing threats and the number of people responding to incidents can hold organizations back from getting to where they want their threat program to be.

In essence, each one of these challenges has to do with some type of disconnect: threat intelligence with no connection to the organization, data spread across different tools and silos, and a mismatch between the supply of skilled resources and the work to be done.

Shift to a Connected Approach to Threat Management

We believe there’s a need for a different approach to threat management other than continuing to add more threat feeds or additional tools without the people to use them effectively. One way to shift to a more connected approach is to focus on a one-to-many integration rather than reducing or adding individual tools. Using capabilities that maximize existing security solutions and data sources can help organizations advance their threat management initiatives in multiple ways.

Tailored Threat Intelligence for More Efficient Identification

If threat intelligence feeds are connected to information about your organization, such as industry and geography, they can be automatically prioritized based on their relevance to your business. This will cut down on the amount of intelligence that analysts need to evaluate. Furthermore, with a connection to your existing environment, you can more quickly and easily see if a relevant threat is actually active in your organization and needs more investigation or immediate response.

Consolidated Search Capabilities That Improve Visibility and Response Time

If a search capability is able to sit on top of and connect to all security tools and data sources, security operations center (SOC) analysts will not need to dig into each individual one to search for an indicator of compromise (IoC). Connection is key here, because migrating all of your data into one place introduces cost and complexity. By connecting data without having to move it, security analysts can save time, gain visibility and improve their efficiency when investigating threats.
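The two ideas above, prioritizing feed entries by their relevance to the organization and then checking the top indicators against every connected data source in place, can be sketched in a few dozen lines. The following Python is an added example written for this page; it is not code from the original post or from IBM Cloud Pak for Security. The feed entries, the organization profile, the scoring weights and the three sample data sources (firewall log, DNS log, EDR events) are all constructed for illustration, and the per-source adapters stand in for whatever query interface each real tool exposes.

```python
"""
Added example (not from the original post): score threat-intelligence
entries by relevance to an organization's profile, then run one IoC lookup
across several disconnected data sources without copying their data into
a central store. All feed entries, profile values and log lines are
constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelEntry:
    indicator: str          # IP, domain or file hash as published by the feed
    indicator_type: str     # "ip", "domain" or "sha256"
    industries: frozenset   # industries the feed reports as targeted
    regions: frozenset      # regions the feed reports as targeted
    severity: int           # 1 (low) .. 5 (critical), as rated by the feed


@dataclass(frozen=True)
class OrgProfile:
    industry: str
    region: str


# Assumed weights, chosen for this example only.
INDUSTRY_MATCH_BONUS = 3
REGION_MATCH_BONUS = 2


def relevance_score(entry: IntelEntry, org: OrgProfile) -> int:
    """Feed severity plus bonuses when the entry targets the org's industry or region."""
    score = entry.severity
    if org.industry in entry.industries:
        score += INDUSTRY_MATCH_BONUS
    if org.region in entry.regions:
        score += REGION_MATCH_BONUS
    return score


def prioritize(feed, org, min_score):
    """Drop entries below min_score and sort the rest, most relevant first."""
    scored = [(relevance_score(e, org), e) for e in feed]
    return sorted((p for p in scored if p[0] >= min_score), key=lambda p: -p[0])


# --- Constructed sample sources, each kept in its own native format ---------
FIREWALL_LOG = [
    "2024-03-01T10:02:11Z deny src=10.0.4.12 dst=203.0.113.45 dport=443",
    "2024-03-01T10:05:40Z allow src=10.0.4.19 dst=192.0.2.10 dport=80",
    "2024-03-01T10:07:15Z allow src=10.0.4.21 dst=203.0.113.4 dport=443",
]
DNS_LOG = [
    "2024-03-01T10:03:02Z query=malicious.example client=10.0.4.12",
    "2024-03-01T10:03:09Z query=updates.example client=10.0.4.30",
]
EDR_EVENTS = [
    {"host": "ws-17", "sha256": "bb" * 32, "process": "updater.exe"},  # constructed hash
]

_TOKEN_SPLIT = re.compile(r"[\s=,]+")


def _line_has_token(line: str, indicator: str) -> bool:
    # Whole-token comparison, so a search for 203.0.113.45 does not
    # match the unrelated address 203.0.113.4 by substring.
    return indicator in _TOKEN_SPLIT.split(line)


def search_firewall(indicator):
    return [line for line in FIREWALL_LOG if _line_has_token(line, indicator)]


def search_dns(indicator):
    return [line for line in DNS_LOG if _line_has_token(line, indicator)]


def search_edr(indicator):
    return [ev for ev in EDR_EVENTS if ev.get("sha256") == indicator]


# Each source is queried through a thin adapter; no data is moved.
SOURCES = {"firewall": search_firewall, "dns": search_dns, "edr": search_edr}


def search_all(sources, indicator):
    """Fan one IoC lookup out to every connected source; keep only sources with hits."""
    return {name: m for name, fn in sources.items() if (m := fn(indicator))}


def triage(feed, org, sources, min_score=5):
    """Prioritized feed entries, each annotated with where (if anywhere) it was seen."""
    results = []
    for score, entry in prioritize(feed, org, min_score):
        hits = search_all(sources, entry.indicator)
        results.append({"indicator": entry.indicator, "type": entry.indicator_type,
                        "score": score, "hits": hits, "active": bool(hits)})
    return results


# Constructed feed and organization profile for the demonstration.
FEED = [
    IntelEntry("203.0.113.45", "ip", frozenset({"finance", "healthcare"}), frozenset({"NA", "EU"}), 4),
    IntelEntry("malicious.example", "domain", frozenset({"retail"}), frozenset({"APAC"}), 5),
    IntelEntry("198.51.100.7", "ip", frozenset({"healthcare"}), frozenset({"EU"}), 2),
    IntelEntry("aa" * 32, "sha256", frozenset({"energy"}), frozenset({"NA"}), 3),
]
ORG = OrgProfile(industry="healthcare", region="EU")

if __name__ == "__main__":
    for r in triage(FEED, ORG, SOURCES):
        state = "ACTIVE" if r["active"] else "not seen"
        print(f"{r['score']:>2}  {r['indicator']:<20} {state:<9} {list(r['hits'])}")
```

Running the script lists the three entries that clear the relevance threshold, highest score first, and marks two of them as active because the firewall and DNS adapters each return a matching record; the low-severity hash aimed at another industry and region is filtered out before any source is queried, which is the point of prioritizing before searching.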

Embedded Automation to Help Free Analysts for Higher-Value Tasks

If automation is embedded in your security capabilities, it can help free security analysts from doing manual and repetitive tasks so they can focus on higher-value responsibilities, such as proactive threat hunting. Furthermore, automation that’s connected not only to other security tools but also to broader IT tools can help improve and speed up incident response processes and orchestrate actions across the wider enterprise.

A connected approach to threat management can help organizations implement a more effective program. With IBM Cloud Pak for Security, we are connecting data and workflows to help make connected threat management easier to attain.
