This blog was written by Bart Lenaerts-Bergman.
Driven by the misfortune of many, cyber threat intelligence exchange and consumption is becoming more widespread, accessible and standardized. Together with legacy security technologies such as firewalls, IPS and vulnerability assessment tools, SIEMs initially used threat intelligence for the most common use case, detection, and, uniquely for SIEM, as context during attacks. Threat intelligence can offer security teams more than that, however, for instance to prioritize or prepare the response to recently reported exposures and exploits. SIEM is also one of the few technologies that can unlock the full power of threat intelligence through some new use cases.
A new, emerging use case for SIEM and threat intelligence is managing and presenting cyber threat intelligence data itself. Because SIEM has been designed from the ground up to interpret and manage large data sets, harvesting, organizing and cycling threat data is a natural fit for it. The recently released McAfee Enterprise Security Manager (ESM) version 9.5 takes cyber threat management to a new level by collecting suspicious or confirmed threat information and translating it into actionable intelligence for security operations teams. McAfee ESM 9.5 can import a wealth of security threat data, including STIX/TAXII feeds, third-party URLs and Indicators of Compromise (IOCs) reported by McAfee Advanced Threat Defense, giving security operations teams directly readable and usable intelligence for security analytics.
A second important use case for SIEM and threat intelligence is historical analysis of recently reported threats. Where many SIEMs correlate threat intelligence only against new event data arriving after a threat has been reported, McAfee ESM 9.5 can automate historical analysis through the new Backtrace feature and discover whether an organization has already been affected by a recently reported cyber threat.
The benefits of these use cases are manifold. First, automated digestion of cyber threat intelligence reduces manual operational effort. The real advantage for security teams is deeper detection, real-time monitoring and visibility into how a newly reported threat has progressed through the IT environment. McAfee ESM 9.5 even helps security teams vet the accuracy of a configured threat feed by reporting, in a single view, the indicator name, the date it was received and its hit rate. It is also important to highlight that McAfee ESM offers drill-downs from the cyber threat dashboard into the IOC details, individual source events or flow records.
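As an added illustration of the two use cases above (example code written for this page, not McAfee ESM's implementation), the following Python sketch shows the logic behind a backtrace: a newly received indicator feed is matched against events that were already stored, and each indicator is summarised with its receipt date, hit count, first and last sighting and the internal hosts involved, which is the single view the post describes for vetting a feed. The indicator feed, the event records and the field names are all constructed for the example.

```python
"""Backtrace-style matching of a newly received IOC feed against stored events.

Added example, not McAfee ESM code. The feed, event records and field names
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed indicator feed: value, indicator type and the date the feed
# delivered it. The receipt date is what a "has this already hit us?" check
# compares against.
IOC_FEED = [
    {"indicator": "203.0.113.45", "type": "ipv4", "received": "2015-04-10"},
    {"indicator": "badcdn.example", "type": "domain", "received": "2015-04-10"},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "received": "2015-04-11"},
    {"indicator": "198.51.100.7", "type": "ipv4", "received": "2015-04-11"},
]

# Constructed historical events, all stored before the feed arrived.
HISTORICAL_EVENTS = [
    {"ts": "2015-03-28T09:12:04", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.45", "domain": "", "file_md5": ""},
    {"ts": "2015-04-02T17:45:31", "src_ip": "10.0.0.31", "dst_ip": "192.0.2.8", "domain": "badcdn.example", "file_md5": ""},
    {"ts": "2015-04-03T08:01:59", "src_ip": "10.0.0.31", "dst_ip": "203.0.113.45", "domain": "", "file_md5": ""},
    {"ts": "2015-04-09T23:10:00", "src_ip": "10.0.0.44", "dst_ip": "192.0.2.9", "domain": "", "file_md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Event fields each indicator type is compared against.
FIELDS_FOR_TYPE = {
    "ipv4": ("src_ip", "dst_ip"),
    "domain": ("domain",),
    "md5": ("file_md5",),
}


def build_index(events):
    """Index events by (field, value) once, so matching a feed of N indicators
    against M events costs O(N + M) instead of a full rescan per indicator."""
    index = defaultdict(list)
    for ev in events:
        for field in ("src_ip", "dst_ip", "domain", "file_md5"):
            if ev[field]:
                index[(field, ev[field])].append(ev)
    return index


def backtrace(feed, events):
    """Return one summary row per indicator: hits, first/last sighting,
    internal hosts involved, and whether any hit predates the feed date."""
    index = build_index(events)
    rows = []
    for ioc in feed:
        hits = []
        for field in FIELDS_FOR_TYPE[ioc["type"]]:
            hits.extend(index.get((field, ioc["indicator"]), []))
        hits.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        received = date.fromisoformat(ioc["received"])
        first = datetime.fromisoformat(hits[0]["ts"]) if hits else None
        rows.append({
            "indicator": ioc["indicator"],
            "type": ioc["type"],
            "received": ioc["received"],
            "hits": len(hits),
            "first_seen": hits[0]["ts"] if hits else None,
            "last_seen": hits[-1]["ts"] if hits else None,
            # src_ip is treated as the internal endpoint in these constructed events.
            "hosts": sorted({e["src_ip"] for e in hits}),
            # True when the environment was already touched before the
            # indicator was published: the case a backtrace exists to find.
            "pre_publication": first is not None and first.date() < received,
        })
    return rows


def zero_hit_indicators(rows):
    """Indicators that never matched: candidates to review when vetting a feed."""
    return [r["indicator"] for r in rows if r["hits"] == 0]


if __name__ == "__main__":
    report = backtrace(IOC_FEED, HISTORICAL_EVENTS)
    print(f"{'indicator':34} {'received':10} {'hits':>4}  {'first_seen':20} hosts")
    for r in report:
        print(f"{r['indicator']:34} {r['received']:10} {r['hits']:>4}  "
              f"{r['first_seen'] or '-':20} {','.join(r['hosts']) or '-'}")
    print("no hits:", zero_hit_indicators(report))
```

The `pre_publication` flag is the part a plain forward-looking correlation rule cannot produce: it tells an analyst that the first sighting of an indicator in their own data predates the day the feed reported it, so the question is no longer "will this hit us?" but "what happened on those hosts back then?". The zero-hit list is the other side of the same view: indicators that never match anything are the ones worth questioning when judging a feed's relevance to the environment.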
With these use cases, SIEM remains not only a very popular tool for aggregating, analyzing and presenting threat intelligence; it is also one of the few tools that can be used for detection and response, which aligns well with the original purpose of integrating threat intelligence: better visibility, rapid detection, and response based on known facts.