Chapter 2: Understanding Threat Management

This chapter outlines processes for managing the cyberthreats that
employ the cyberattack lifecycle against your organization.
Threat Management Processes:

Let’s take a closer look at the three components of threat
management: threat detection, response, and recovery. Each
of these components must function effectively and efficiently
in close coordination with the others to minimize the negative
impacts of threats.

1. Detecting threats targeting the organization
2. Responding to detected threats
3. Recovering from damage caused by threats


Detection:

1. Forensic data collection and processing:

Most organizations have huge volumes of security-related
event data that need to be analyzed for threat management
purposes. This data comes from four categories of sources:
enterprise security control logs, endpoint software logs,
network flow data, and asset data.

This disparate data is collected in a centralized location, but
it’s not of much use unless it’s converted from the original
data formats to a universal format. This conversion involves
several processing functions, including extracting key data
fields and standardizing values. Once the data is in a universal
format, it’s an incredibly rich source of raw information
regarding threats and their actions.


2. Discovery through security analytics:

Because of the sheer volume of events needing review, organizations must rely heavily on machine analytics, which use
a variety of techniques to identify and prioritize suspicious
activities. Since they’re so labor intensive, search analytics are
largely performed on an as-needed basis, such as searching
for events with a particular characteristic – for example, a
source IP address associated with other attacks. Organizations
also often use dashboards to monitor security events at a
high level; observing these dashboards and drilling down into
events on the dashboards is another form of search analytics.
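The two steps above (collecting disparate source data into a universal format, then running search analytics over it) are shown together in the following Python example. It is an added illustration, not code from the guide or from any LogRhythm product. The firewall syslog line, the endpoint JSON record and the NetFlow-style CSV rows are constructed samples, the common event schema (`ts`, `source`, `host`, `src_ip`, `dst_ip`, `dst_port`, `action`) is an assumption, and the search shown is the one the text names: pulling every event, from any source, that shares a source IP address already seen in another alert.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample records, one per data-source category named in the text
# (enterprise security control, endpoint software, network flow). None of these
# are real logs; hosts and addresses are documentation/example values.
FIREWALL_LOG = ("Mar 03 10:15:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 "
                "DST=192.0.2.10 PROTO=TCP DPT=445")
ENDPOINT_JSON = (r'{"ts": "2024-03-03T10:16:40Z", "host": "wks-17", "event": "process_start", '
                 r'"image": "C:\\Windows\\System32\\cmd.exe", "remote_ip": "198.51.100.23"}')
NETFLOW_CSV = ("2024-03-03T10:17:05Z,198.51.100.23,192.0.2.12,3389,tcp,88120\n"
               "2024-03-03T10:17:09Z,10.0.0.5,192.0.2.12,443,tcp,512\n")

# Field extraction for a netfilter-style firewall line (assumed format).
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ "
    r"(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r"(?: PROTO=(?P<proto>\S+))?(?: DPT=(?P<dport>\d+))?"
)


def _iso(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_firewall(line, year=2024):
    """Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: keep the raw copy elsewhere, skip here
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "firewall", "host": m["host"],
            "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dport"]) if m["dport"] else None,
            "action": m["action"].lower()}


def normalize_endpoint(raw_json):
    """Endpoint agent record: the remote peer becomes src_ip, the event name the action."""
    r = json.loads(raw_json)
    return {"ts": _iso(r["ts"]), "source": "endpoint", "host": r["host"],
            "src_ip": r.get("remote_ip"), "dst_ip": None, "dst_port": None,
            "action": r["event"]}


def normalize_netflow(text):
    """Flow rows (ts, src, dst, dport, proto, bytes) become one event each."""
    events = []
    for ts, src, dst, dport, proto, nbytes in csv.reader(io.StringIO(text)):
        events.append({"ts": _iso(ts), "source": "netflow", "host": None,
                       "src_ip": src, "dst_ip": dst, "dst_port": int(dport),
                       "action": f"flow/{proto}", "bytes": int(nbytes)})
    return events


def collect(firewall_lines, endpoint_records, netflow_text):
    """Fold the three feeds into one chronologically ordered list in the common schema."""
    events = [e for e in map(normalize_firewall, firewall_lines) if e]
    events += [normalize_endpoint(r) for r in endpoint_records]
    events += normalize_netflow(netflow_text)
    return sorted(events, key=lambda e: e["ts"])


def search_by_source_ip(events, ip):
    """Search analytic: every normalized event, from any source, with this source IP."""
    return [e for e in events if e["src_ip"] == ip]


def rank_source_ips(events):
    """Prioritize source IPs by how many distinct data sources reported them."""
    seen = {}
    for e in events:
        if e["src_ip"]:
            seen.setdefault(e["src_ip"], set()).add(e["source"])
    return sorted(((ip, len(s)) for ip, s in seen.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    evs = collect([FIREWALL_LOG], [ENDPOINT_JSON], NETFLOW_CSV)
    for ip, n in rank_source_ips(evs):
        print(ip, "seen by", n, "source(s)")
    for e in search_by_source_ip(evs, "198.51.100.23"):
        print(e["ts"].isoformat(), e["source"], e["action"], e["dst_ip"], e["dst_port"])
```

The value of the universal format is visible in `search_by_source_ip`: once the firewall drop, the endpoint process start and the flow record all carry the same `src_ip` key, a single filter pivots across all three sources, which is exactly the kind of as-needed search the text describes.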


3. Qualification:

Assigning less-knowledgeable people to the qualification role is a recipe for disaster because it will frequently lead
to wrong actions or no action at all.

The output of qualification is verified security intelligence
indicating that the organization’s response capabilities need
to address the detected activity. In other words, qualification
may result in declaring that an incident has occurred or is
about to occur.


Response:

Response actions start with an investigation of the security
intelligence associated with an incident, and conclude with
mitigation of the threat or threats captured by that security
intelligence. All of these response actions are planned and
tracked through incident management processes.


Investigation:

During an investigation, security administrators review the
incident’s related security intelligence, such as analyzing the
alarms triggered by the potential threat, to determine how
the threat should be handled. This review often seeks broader
patterns that could indicate a wider compromise in progress.
For example, an alert for an attacker moving from one system
to another might indicate only one in a series of lateral movements through the enterprise.


Mitigation:



Recovery:

It’s common for mitigation and
recovery actions to go on simultaneously; for example, system
administrators patch vulnerable laptops while other administrators collect and rebuild laptops that were already
compromised.

Time keeps on slippin’:

Typically, the recovery component
isn’t measured as a whole because
it’s so different from case to case.
However, certain parts of recovery
can be measured, such as how long
it takes to notify customers that
their data has been breached after
the attack is discovered.

Organizations should focus
on measuring the responsiveness of
their threat management detection
and response components. These
measurements are known as mean
time to detect (MTTD) and mean
time to respond (MTTR). MTTD
indicates the time elapsed from
the start of an attack or chain of
attacks until it was noticed by the
organization.
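As an added example (not from the guide), the following Python computes MTTD and MTTR over a set of constructed incident records. MTTD follows the text's definition (attack start until the organization noticed). The guide does not state the endpoints for MTTR, so this example assumes detection until response actions concluded, and it deliberately skips incidents whose response is still open rather than counting them as a short response time.

```python
from datetime import datetime

# Constructed incident records (not data from the guide). Times are ISO-8601 UTC;
# "responded" is None for an incident whose response has not yet concluded.
INCIDENTS = [
    {"id": "INC-1", "attack_start": "2024-01-10T08:00:00Z",
     "detected": "2024-01-12T08:00:00Z", "responded": "2024-01-12T20:00:00Z"},
    {"id": "INC-2", "attack_start": "2024-02-01T00:00:00Z",
     "detected": "2024-02-01T06:00:00Z", "responded": "2024-02-01T09:00:00Z"},
    {"id": "INC-3", "attack_start": "2024-02-20T12:00:00Z",
     "detected": "2024-02-20T18:00:00Z", "responded": None},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def _hours(later, earlier):
    return (_parse(later) - _parse(earlier)).total_seconds() / 3600


def mean_time_to_detect_hours(incidents):
    """MTTD as the text defines it: attack start until the organization noticed."""
    samples = [_hours(i["detected"], i["attack_start"]) for i in incidents
               if i.get("detected") and i.get("attack_start")]
    return sum(samples) / len(samples) if samples else None


def mean_time_to_respond_hours(incidents):
    """MTTR, measured here (an assumption; the text does not fix the endpoints)
    from detection until response actions concluded. Open incidents contribute
    nothing rather than a misleadingly short value."""
    samples = [_hours(i["responded"], i["detected"]) for i in incidents
               if i.get("responded") and i.get("detected")]
    return sum(samples) / len(samples) if samples else None


def slowest_detection(incidents):
    """The incident that took longest to notice, useful for a post-mortem."""
    timed = [(i["id"], _hours(i["detected"], i["attack_start"])) for i in incidents
             if i.get("detected") and i.get("attack_start")]
    return max(timed, key=lambda t: t[1]) if timed else None


def responsiveness_report(incidents):
    """Both metrics plus the number of incidents still awaiting response."""
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if not i.get("responded")),
        "mttd_hours": mean_time_to_detect_hours(incidents),
        "mttr_hours": mean_time_to_respond_hours(incidents),
        "slowest_detection": slowest_detection(incidents),
    }


if __name__ == "__main__":
    for k, v in responsiveness_report(INCIDENTS).items():
        print(f"{k}: {v}")
```

Reporting the open-incident count alongside MTTR matters: a falling MTTR that coincides with a rising backlog of unresolved incidents is not an improvement in responsiveness.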


Security Intelligence and Analytics Platform:

Organizations should strive to reduce their MTTD and MTTR
by implementing a single, unified security intelligence and
analytics platform. This can best be accomplished by adopting
a SIEM solution that offers fully integrated, highly mature
incident and threat management capabilities.


The Role of Threat Intelligence:

Organizations increasingly use third-party threat intelligence
feeds to improve their threat management capabilities, as well
as other aspects of their security. For example, one of the most
common uses of threat intelligence feeds is to improve the
detection and prioritization accuracy of SIEM technologies.
TECH TALK: Whether threat intelligence comes into the organization
through a SIEM or another route, it's important that it be
linked through automated means to the organization's
security intelligence and analytics platform. Linkage allows
the threat intelligence to be fully integrated with other threat-related
information to give organizations better insights into
the nature of suspicious activities involving their systems and
networks.
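The automated linkage the TECH TALK box calls for amounts to a small enrichment step: parse the feed, index its indicators, and tag and re-prioritize each analytics-platform event that matches one. The Python below is an added example, not code from the guide or from any SIEM product. The CSV feed layout (type, value, confidence, last_seen), the event field names and the 90-day staleness cut-off are all assumptions, and the feed rows and events are constructed samples; the hash value is a placeholder, not a real file hash.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed threat-intelligence feed (assumed CSV layout, not a real feed).
# confidence is 0-100; last_seen is when the indicator was last observed active.
FEED_CSV = """type,value,confidence,last_seen
ipv4,203.0.113.77,90,2024-03-01T00:00:00Z
domain,update-check.example,60,2024-02-15T00:00:00Z
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,95,2023-06-01T00:00:00Z
"""

# Constructed events already in the analytics platform's normalized form.
EVENTS = [
    {"id": 1, "src_ip": "203.0.113.77", "dst_ip": "192.0.2.10", "priority": 1},
    {"id": 2, "src_ip": "192.0.2.44", "domain": "Update-Check.example", "priority": 2},
    {"id": 3, "host": "wks-17", "file_sha256": "0123456789abcdef" * 4, "priority": 1},
    {"id": 4, "src_ip": "10.0.0.8", "dst_ip": "10.0.0.9", "priority": 1},
]

NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)  # fixed "current time" for the sample

# Which indicator type is compared against which event field (assumed schema).
FIELDS = (("ipv4", "src_ip"), ("ipv4", "dst_ip"),
          ("domain", "domain"), ("sha256", "file_sha256"))


def load_feed(text, now=NOW, max_age_days=90):
    """Index the feed by (type, value); drop indicators not seen within max_age_days,
    since stale indicators mostly generate false positives."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_seen = datetime.fromisoformat(row["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > timedelta(days=max_age_days):
            continue
        index[(row["type"], row["value"].lower())] = int(row["confidence"])
    return index


def enrich(event, index):
    """Attach matching indicators and raise priority in proportion to confidence."""
    matches = []
    for itype, field in FIELDS:
        value = event.get(field)
        if value is None:
            continue
        conf = index.get((itype, value.lower()))  # case-insensitive on domains/hashes
        if conf is not None:
            matches.append({"type": itype, "value": value, "confidence": conf})
    bump = max(m["confidence"] for m in matches) // 25 if matches else 0
    return dict(event, ti_matches=matches, priority=event.get("priority", 1) + bump)


def enrich_all(events, feed_text, now=NOW):
    """Automated linkage: load the feed, enrich every event, return highest priority first."""
    index = load_feed(feed_text, now)
    return sorted((enrich(e, index) for e in events), key=lambda e: -e["priority"])


if __name__ == "__main__":
    for e in enrich_all(EVENTS, FEED_CSV):
        print(e["id"], "priority", e["priority"], [m["type"] for m in e["ti_matches"]])
```

With the sample data, the 2023 hash indicator is older than the cut-off and is discarded, so event 3 keeps its original priority; the IP and domain matches raise events 1 and 2 to the top of the queue, which is the detection-and-prioritization improvement the text attributes to feeding threat intelligence into the SIEM.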

Collected from Definitive Guide™ to Security Intelligence and Analytics: https://logrhythm.com/pdfs/3rd-party-whitepaper/lr-definitive-guide-to-security-intelligence-and-analytics.pdf

Shajib Mahmud
