Abdullah Al-Jallal (Territory Manager, RSA Security Limited) came to #BHMEA22 to share a tale of two companies: Company A and Company B.
Company A was a large organisation with sophisticated security operations and support. They were fully equipped and monitoring every single packet on their network. They had 360-degree visibility.
Company B had almost the same tech stack, but with one difference: it was unified. They also had strong orchestration and automation capabilities, and an incident response retainer.
Both companies got hit by the same phishing attack. So what happened?
Company A, despite its mature technology stack, was hit hard: the attacker was able to get into the network, access intellectual property and exfiltrate data, and the breach had a major financial impact.
Company B was able to detect the attack much more quickly. Using its security tooling, it detected lateral movement and had the intelligence to take the right counter-measures, engage the incident response team, and halt the attack before it had a serious impact.
Company A had:
Company B had:
So what was the difference?
“Company B was unified — whereas for Company A, the information was siloed.”
Company B was able to correlate data faster in a central stream, and automation capabilities meant that the process was fast and efficient. Company A had no automation; they had repeatable procedures, but those procedures had to be carried out piece by piece.
“This is the reality for many organisations today,” Al-Jallal said. “They have a bunch of tools – tools mania,” and they assume that having the right tools will give them effective protection. But their security operations teams are searching for the right information in an “ocean of alerts.”
Every week, security teams face an average of 174,000 alerts, and only have time to investigate around 12,000 of them (that’s less than 15%). This means that many alerts are left completely uninvestigated, so breaches can go undiscovered for months.
“Irrespective of our professions, we live in a noisy world. And we need intelligence that allows us to focus on what’s relevant.”
Alert fatigue isn’t just an issue for cybersecurity teams. All of us are bombarded by alerts from our devices all the time – and the more we see, the more likely we are to switch off.
A global survey by Enterprise Strategy Group (ESG) found that 45% of the alerts received by cybersecurity teams are false positives.
“And the reason behind those false positives is that many of the alerts in our systems lack enough context to judge relevance and irrelevance.”
Alert fatigue wouldn’t be such a problem if more of the alerts that actually made it in front of human eyes carried the context needed to decide which ones must be dealt with and which can be ignored.
In threat intelligence, context is key – because data without context is not intelligence.
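The two ideas the talk keeps returning to, correlating siloed alerts in one central stream and using context to separate relevant alerts from noise, are easy to state and worth seeing in code. The following is an added example written for this recap; it is not code from the talk, from RSA, or from either company described. It constructs a handful of alerts as three different tools might emit them (email gateway, EDR, network telemetry, IDS), enriches each with hypothetical asset-inventory context (owner and criticality), suppresses alerts whose source is a known authorised scanner, and then groups the rest into incidents by shared user or host within a time window. The phishing-click, endpoint-execution and SMB-to-file-server chain ends up as one high-priority incident, while the scanner noise that would otherwise be two separate alerts is dropped before anyone has to look at it. All hostnames, usernames, IPs and timestamps are constructed.

```python
"""Alert enrichment and correlation sketch (added example, not the talk's own code).

Shows why a unified stream with context beats siloed tools: the same six alerts
collapse into two incidents, one of which is clearly the real attack chain.
"""
from datetime import datetime, timedelta

# Constructed asset context (hypothetical hosts): name -> owner and criticality 1..5.
INVENTORY = {
    "ws-0142": {"owner": "j.doe", "criticality": 2},
    "fs-ip-01": {"owner": None, "criticality": 5},   # file server holding intellectual property
    "ws-0199": {"owner": "a.smith", "criticality": 1},
}
# Context that turns two IDS alerts into noise: the internal vulnerability scanner's IP.
KNOWN_SCANNERS = {"10.0.9.9"}

# Constructed alerts as each siloed tool would emit them (ISO 8601 timestamps).
RAW_ALERTS = [
    {"src": "email", "ts": "2022-11-15T09:02:00", "user": "j.doe", "host": None, "ip": None, "msg": "phishing link clicked"},
    {"src": "edr", "ts": "2022-11-15T09:05:30", "user": "j.doe", "host": "ws-0142", "ip": None, "msg": "office spawned powershell"},
    {"src": "netflow", "ts": "2022-11-15T09:20:00", "user": None, "host": "ws-0142", "ip": "10.0.4.12", "msg": "SMB session", "dst_host": "fs-ip-01"},
    {"src": "ids", "ts": "2022-11-15T09:21:00", "user": None, "host": None, "ip": "10.0.9.9", "msg": "port sweep", "dst_host": "ws-0199"},
    {"src": "ids", "ts": "2022-11-15T09:22:00", "user": None, "host": None, "ip": "10.0.9.9", "msg": "port sweep", "dst_host": "fs-ip-01"},
    {"src": "edr", "ts": "2022-11-15T15:40:00", "user": "a.smith", "host": "ws-0199", "ip": None, "msg": "unsigned binary"},
]


def enrich(alert):
    """Attach inventory context to one alert and flag authorised-scanner traffic as suppressed."""
    a = dict(alert)
    a["ts"] = datetime.fromisoformat(a["ts"])
    a["suppressed"] = a.get("ip") in KNOWN_SCANNERS
    hosts = [h for h in (a.get("host"), a.get("dst_host")) if h]
    # Highest criticality of any asset the alert touches drives its weight later.
    a["criticality"] = max((INVENTORY.get(h, {}).get("criticality", 0) for h in hosts), default=0)
    # Tools like netflow record no user; borrow the asset owner so the alert can join the user's chain.
    if not a.get("user"):
        for h in hosts:
            owner = INVENTORY.get(h, {}).get("owner")
            if owner:
                a["user"] = owner
                break
    return a


def correlate(alerts, window=timedelta(hours=1)):
    """Group non-suppressed alerts that share a user or host within `window` into incidents."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["suppressed"]:
            continue
        entities = {e for e in (a.get("user"), a.get("host"), a.get("dst_host")) if e}
        for inc in incidents:
            if inc["entities"] & entities and a["ts"] - inc["last"] <= window:
                inc["alerts"].append(a)
                inc["entities"] |= entities   # the chain grows as it pivots to new hosts
                inc["last"] = a["ts"]
                break
        else:
            incidents.append({"alerts": [a], "entities": entities, "last": a["ts"]})
    return incidents


def score(inc):
    """Priority: number of independent tools that agree, weighted by the most critical asset touched."""
    sources = {a["src"] for a in inc["alerts"]}
    crit = max(a["criticality"] for a in inc["alerts"])
    return len(sources) * (1 + crit)


def triage(raw_alerts):
    """Return (incidents sorted by descending score, number of alerts suppressed by context)."""
    enriched = [enrich(a) for a in raw_alerts]
    incidents = correlate(enriched)
    for inc in incidents:
        inc["score"] = score(inc)
        inc["sources"] = sorted({a["src"] for a in inc["alerts"]})
    ranked = sorted(incidents, key=lambda i: i["score"], reverse=True)
    return ranked, sum(a["suppressed"] for a in enriched)


if __name__ == "__main__":
    ranked, suppressed = triage(RAW_ALERTS)
    print(f"{suppressed} alert(s) suppressed as authorised scanner traffic")
    for inc in ranked:
        print(f"score={inc['score']:>3} sources={inc['sources']} entities={sorted(inc['entities'])}")
        for a in inc["alerts"]:
            print(f"   {a['ts'].time()} [{a['src']}] {a['msg']}")
```

Run as-is and the six raw alerts become one incident with three agreeing sources that touches the file server (score 18) and one single-source, low-criticality incident (score 2), with the two scanner alerts never reaching an analyst. The design choices are the point of the talk: the owner-from-inventory lookup is the "context" that lets a user-less network alert join the phishing chain, and the scanner allowlist is the context that turns two would-be false positives into nothing at all.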