Are you leveraging threat intelligence for incident response?

As we’ve mentioned previously on this blog, the information security industry has created a wealth of excellent detection solutions. With those tools on the market, organizations are now equipped to focus on threat intelligence: knowledge of existing or potential attacks against an environment.

Although threat intelligence is certainly crucial for an organization, one of the pressing issues in security operations management today is that too often it is not integrated with incident response. In other words, alerts on possible threats identified using threat intelligence fly into the SOC, but there is no quick way to turn that same threat intelligence back on the alert, drill further into it, and establish its context.

To get the most value out of the information they are already gathering with detection tools, security teams need a solution that takes an indicator surfaced by a detection tool, such as a host name or IP address, and queries the organization’s repositories of threat intel data for answers to questions like:

  • What attack or campaign is this indicator associated with?
  • Who might be perpetrating the attack?
  • Are they conducting any other malicious operations?
  • What should I do next, based on the steps a team member took to mitigate a similar attack in the past (steps that were captured by a tool or platform at the time)?

Getting the answers to those questions—particularly the final one—allows information security workers to respond comprehensively to threats based on a broader situational awareness.
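As an added illustration of that lookup (example code written for this post, not Swimlane’s code or any product feature), the block below takes the free text of an alert, extracts the IP addresses and host names from it, and answers the four questions above from a local threat-intel repository. The repository layout, the field names, the campaign/actor/incident IDs and every record in it are constructed for the demo; the addresses are RFC 5737 documentation ranges standing in for external hosts, which is why the filter for internal addresses is an explicit RFC 1918 list rather than Python’s `is_private` (which would also reject the documentation ranges).

```python
import ipaddress
import re

# Constructed threat-intel repository (assumed layout): indicator -> campaign -> actor,
# plus past incidents whose recorded response steps we want to surface again.
TI_INDICATORS = {
    "203.0.113.45":           {"type": "ipv4",   "campaign": "CAMP-2024-07"},
    "update-cdn.example.net": {"type": "domain", "campaign": "CAMP-2024-07"},
    "198.51.100.9":           {"type": "ipv4",   "campaign": "CAMP-2023-12"},
    "192.0.2.77":             {"type": "ipv4",   "campaign": "CAMP-2024-02"},
}
TI_CAMPAIGNS = {
    "CAMP-2024-07": {"name": "Credential phishing wave",       "actor": "ACTOR-17"},
    "CAMP-2023-12": {"name": "Supply-chain credential theft",  "actor": "ACTOR-17"},
    "CAMP-2024-02": {"name": "Opportunistic web-shell drops",  "actor": "ACTOR-03"},
}
TI_ACTORS = {
    "ACTOR-17": {"name": "Assumed Group 17"},
    "ACTOR-03": {"name": "Assumed Group 3"},
}
PAST_INCIDENTS = [  # constructed; "playbook" is what the platform recorded last time
    {"id": "INC-0412", "campaign": "CAMP-2023-12", "closed": "2024-01-15",
     "playbook": ["Block C2 address at egress firewall",
                  "Reset credentials for affected accounts",
                  "Hunt for anomalous logons in the prior 30 days"]},
    {"id": "INC-0533", "campaign": "CAMP-2024-07", "closed": "2024-04-02",
     "playbook": ["Sinkhole the phishing domain on internal DNS",
                  "Pull the lure e-mail from all mailboxes",
                  "Force MFA re-enrolment for users who clicked"]},
]

# Internal ranges we never send to external intel (assumed RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# IPv4 dotted quad, or a dotted host name (at least one dot).
INDICATOR_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

# Constructed alert text, the kind of free-form line a detection tool emits.
SAMPLE_ALERT = ("EDR: outbound beacon from ws-1043 to 203.0.113.45:443 after DNS "
                "lookup for Update-CDN.example.net; source address 10.0.4.21, "
                "also contacted 192.0.2.200 (unknown).")


def extract_indicators(alert_text):
    """Pull IPs and host names out of alert text, normalised and validated.

    Internal addresses are dropped (nothing external will know them), as are
    dotted tokens with no letters that fail IP parsing (e.g. version numbers).
    """
    found = []
    for token in INDICATOR_RE.findall(alert_text):
        token = token.lower()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            if any(c.isalpha() for c in token):   # host name, not "1.2.3"
                found.append(token)
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(str(addr))
    return list(dict.fromkeys(found))              # de-duplicate, keep order


def enrich(indicator):
    """Answer the SOC's context questions for one indicator; None if unknown."""
    rec = TI_INDICATORS.get(indicator)
    if rec is None:
        return None
    campaign_id = rec["campaign"]
    campaign = TI_CAMPAIGNS[campaign_id]
    actor_id = campaign["actor"]
    # "Are they conducting any other malicious operations?"
    other_ops = [c["name"] for cid, c in TI_CAMPAIGNS.items()
                 if c["actor"] == actor_id and cid != campaign_id]
    # Every other indicator tied to this actor: the hunt list for the analyst.
    related = [ind for ind, r in TI_INDICATORS.items()
               if TI_CAMPAIGNS[r["campaign"]]["actor"] == actor_id and ind != indicator]
    # "What should I do next?": prefer a closed incident from the same campaign,
    # otherwise the most recently closed one attributed to the same actor.
    prior = [i for i in PAST_INCIDENTS
             if TI_CAMPAIGNS[i["campaign"]]["actor"] == actor_id]
    prior.sort(key=lambda i: (i["campaign"] == campaign_id, i["closed"]), reverse=True)
    return {
        "indicator": indicator,
        "attack": campaign["name"],
        "actor": TI_ACTORS[actor_id]["name"],
        "other_operations": other_ops,
        "related_indicators": related,
        "prior_incident": prior[0]["id"] if prior else None,
        "next_steps": prior[0]["playbook"] if prior else [],
    }


def triage(alert_text):
    """Run every indicator in an alert through the repository.

    Returns (enrichments, unknown) so the analyst sees both the context that
    was found and the indicators the intel store has nothing on.
    """
    enrichments, unknown = [], []
    for ind in extract_indicators(alert_text):
        ctx = enrich(ind)
        (enrichments if ctx else unknown).append(ctx or ind)
    return enrichments, unknown


if __name__ == "__main__":
    found, unknown = triage(SAMPLE_ALERT)
    for ctx in found:
        print(ctx)
    print("no intel for:", unknown)
```

The two things worth copying from this, whatever store backs it, are the explicit "unknown" list (an indicator the repository has never seen is itself a finding, not something to silently drop) and the ordering of prior incidents: a same-campaign response is more useful than a merely more recent one from the same actor.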

A simple way to think about leveraging threat intelligence for incident response management is through the lens of big data. Organizations in every sector are collecting mountains of information and almost all are looking for the most efficient way to set aside noise and focus on the data that can actually help them improve processes. Security operations management is no different; the faster you can glean what information is most relevant, the earlier in the kill chain you can respond to a threat.

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Cody Cornell. Read the original post at:


Cody Cornell

Cody is responsible for the strategic direction of Swimlane and the development of our security orchestration, automation, and response (SOAR) platform. At Swimlane we advocate for the open exchange of security information and deep technology integration that maximizes the value customers receive from their investments in security operations technology and people. Collaborating with industry-leading technology vendors, we work to identify opportunities to streamline and automate security activities, saving customers operational costs and reducing risk.
