Meaningful Context for Your Endpoint Threat Investigations

By on Jun 29, 2020

Threat intelligence (TI) — the art of distilling down everything that is happening globally in the adversarial threatscape and TI Programs – reducing  to what is necessary context for your company and your security team to know and take mitigation action against — is hard. Yet, many companies continue to try and create a threat intelligence capability from the ground up and find that their TI programs are not what they really want it to be. No wonder, then, that while 64% of companies say they have threat-intelligence programs, only 36% believe they would catch a sophisticated attacker, according to an Ernst & Young report on cyber threat intelligence What is causing the disconnect in effectiveness of those TI programs? 

A significant portion of the problem with TI is that the human analysts must absorb the global TIprioritize it for their organization, and then locally-operationalize any intelligence relevant to their company – and that’s not easy! Having access to TI is only the first step on the road to adding context to events that your team is seeing inside the network. Turning external threat feeds or data from a Threat Intelligence Program (TIP) into useful context for security teams – and then connecting that context to individual actions and projects – takes time and resources to produce results. The process is often slow and resource-intensivefurther delaying detection. Less than 20% of breaches are stopped in a timely fashion (e.g. in a matter of hours), according to VerizonWorse than that, knowing about a threat before you encounter it (e.g. a Campaign) and then being breached while you’re still working on proactively tuning your countermeasures against that threat would be disastrousA lack of timely, actionable context from TI is therefore a main contributor to NOT being proactively prepared for an attackIs there any way to produce actionable context, appropriate for your organization, in a timely and resource-efficient manner? Is there any way to expand that context to threats NOT in your environment but are headed your way?  

Threat Intelligence Context: Leverage EDR or not? 

As companies continue to deploy endpoint detection and response (EDR) on users’ machines, security teams are recognizing that the technology can detect anomalous behavior on the endpoint. But determining the degree to which those activities constitute a real threat that matters to you requires more context. Without the context to interpret whether an activity on the system is malicious or benign, companies are limited in their ability to do Threat Hunting[Sidebar] Define Threat Hunting: Threat hunting is the practice of proactively searching for cyber threats that are hidden, undetected, in an organization’s environment. 

Without context sensitive threat intelligence integrated with EDR, SOC teams are reduced to endlessly searching for endpoint events for known IOCs associated with adversaries and then manually doing cross-correlation to external TI. They have no way to automatically cross-correlate these events with known adversarial activities or known adversarial TTPs (e.g. like knowing the C&C IP address), and they end up having a very low signal-to-noise (SN) ratio where they waste lots of time investigating things that turn out to be a nothing- because they miss all the TI correlationsHaving a way to incorporate TI in a contextual manner would really improve the signal-to-noise ratio and make the SOC team much more effective 

That’s where effective TI integration comes into play and separates effective TI programs from ineffective TI programs. With properly integrated TI, you should have easy access into things like crowdsourced attack data that identifies Tactics, Techniques and Procedures (TTPs.) Once new TTPs have been identified by the Cyber Intelligence Community, this gives threat hunters an easy, high-fidelity way to look for specific attack behaviors in the organization’s environment, knowing what attacks those TTPs are related toWith this kind of TI integration, the Security Operations Center (SOC) can more quickly identify threats and be able to dramatically improve the signal-to-noise ratio for accurately prioritized investigations. However, I would argue that this is just table stakes. What and how can we take TI integration to the next level?  

A truly superior TI Integration would additionally provide prioritization of known threats based on things like whether the threat is targeting your industry sector and geography and most-importantly, predict  the risk of your environment getting impacted by the threat. This actionable TI would offer countermeasures and prescribe what you need to do if the countermeasures are predicted to be ineffective. With this next level of TI integration, the Security Operations Center (SOC) can actually move to being more proactive, by automating the analysis of threats that haven’t even been encountered by the organization. The organization is now prepared for attacks that EDR hasn’t even seen yet!  

Reality check here, how many organizations have this level of context and integration on threats? Not many.  

The ones I am aware of today, are the current McAfee customers who participated in our Joint Development Program for MVISION Insights this past quarter.  

McAfee has created its MVISION Insights service to provide a superiorintegrated TI so that security teams can prioritize and predict threats by cross-correlating known campaigns using industry and geographical threat activity with one’s own  security posture derived from their security telemetry, and prescribe the mosteffective way of dealing with the threat. This kind of solution empowers the SOC to move beyond manual TI cross-correlation and move to much more easily prioritizing threats that matter and moving from being reactive to being a lot more proactive.  

MVISION Insights empowers McAfee MVISION EDR for the SOC analyst on many fronts by offering more actionable context to the SOC to be more proactive 

This kind of TI integration can reduce the unnecessary investigations that a SOC does and can also improve the speed and accuracy of the investigations that have resources assignedBy having the context of a threat (e.g. by having organized, curated TTPs for Campaigns, knowing the attack operation and objective, list of IOCs, etc.) the SOC analyst can leverage this context on a current investigation and really reduce the time and effort to complete the investigation. Additional context like this can both eliminate unnecessary investigations and accelerate the investigation to decisive resolution. 

TI Context is King But… 

We have seen that as EDR capabilities become adopted more widely, it is becoming increasingly clear that knowing what is happening on the endpoint and ‘looking for clues’ is not enough. Without meaningful and automated context from a properly integrated TI capability, companies are slower to identify malicious events, may not prioritize attack investigations for threats headed their way, and could take the wrong steps to remediate threatsThe problem is that time is critical: An attacker can use a couple of days to do really bad things in your network. Having effective automated signal-to-noise improvement through a properly integrated TI program can help you quickly detect and hunt down attackers and be proactive against threats headed your way but are not in your environment. 

Context is not just a brief writeup from a TIP or External Threat Intelligence FeedTypically, a human must read and interpret and analyze that feed, often leading to a significant delay in incorporating the information into the SOC response. In most cases, TI products do not offer enough remediation guidance, they just provide the threat profile.   

Properly integrated TI project can solve these problems and a superior TI integration can move the SOC to being proactiveMcAfee’s MVISION Insights delivers actionable intelligence and context in an automated way that can augment and speed investigations and make the SOC proactive with respect to threats that haven’t even been detected in the organization. By freeing up analysts from manual analysis of intelligence feeds, companies can catch more attacks more quickly and be proactive against threats targeting them. 

Moreover, the insight does not come from a few instances or open-source feeds, but from the entire McAfee customer base across the globe from over 1B sensors 

Many companies are delivering machine learning and artificial intelligence applications to security orchestration, automation and response. Very few possess the data and context from a customer base as large as ours.

Having right TI context from a well-respected source with statistical reach and a threat analysis that is actionable gives organizations confidence to address a sophisticated attacker before their attack, elevates this TI context to new heights while shifting cyber security to be more proactive.    

For more on McAfee Insights, check out our webinar.  

On-Demand Webinar

Get Ahead of the Adversary with Proactive Endpoint Security

On-demand

Watch Now


 

About the Author

Prabhat Singh

Prabhat is the Vice President of Engineering and leads the Data Insights and Engineering group at McAfee. He is responsible for McAfee’s global cloud based protection and security analytics infrastructure engineering and the SIEM product. A cybersecurity industry veteran, Prabhat has led McAfee through various technology pivots, ranging from design and engineering of the Global ...

Read more posts from Prabhat Singh

Categories: Endpoint Security

Subscribe to McAfee Securing Tomorrow Blogs