The summit revolved heavily around “strength in sharing.” This topic led to several heated debates focused on the deluge of both public and private threat intelligence feeds and which, if any, should be shared as the act of sharing could open the door for further exposure.
This focus on threat intelligence bled into the vendor exposition hall, where 20% of the booths were leading with messages around threat intelligence, making it the hottest buzzword at the summit.
However, in almost all of my one-on-one conversations and demonstrations with CISOs, SOC Leaders, and analysts, it was common to hear “Whew, I thought you were trying to sell us more threat intelligence” and “the last thing we need is more security data.” I noticed a large sense of relief when discussing our approach and methodology around integrating threat intelligence into real-time security operations.
It seems the threat intelligence vendors are missing the mark.
Today, most threat intelligence security personnel are dedicating too much time to aggregating, de-duplicating, prioritizing, and then disseminating an inundation of threat intelligence data from innumerable sources—both paid and open source.
The disseminating phase is part of the ultimate challenge. Threat intelligence experts are left to the whims of other teams. In some cases, they email a list and then wait for it to be uploaded into the SIEM, wait for rules to be written, and wait weeks for any output to result. By the time this is completed, and considering the shelf life of threat intelligence, one is left asking what’s the point?
This highly sophisticated security personnel shouldn’t be spending their time sorting through spreadsheets and waiting, essentially pushing papers around. The goal is to bypass the aggregation process and automatically apply the intelligence to the environment in real-time. Doing so would allow personnel to orchestrate the output and value of their investment while using their expertise to proactively hunt and process intelligence.
This is what so many FS-ISAC Summit attendees have begun to realize. Over and over I heard, “I already have too much threat intelligence data, my struggle is the pressure to use it.” They were excited to see Siemplify in action. I showed them how raw data feeds are piped into the security fabric, modeled into the graph architecture, and automatically correlated with alerts and events in real-time. They saw how the patterns screen allows threat intelligence experts to work alongside response teams and proactively and specifically hunt for traces and instances of threat intelligence and then easily convert those into cases with automated remediation workflows.
Being able to help security teams find the solution to their frustrations is why I enjoy attending events like FS-ISAC. It was terrific to see those I spoke with become excited at the prospect of Siemplify putting their threat intelligence to work, eliminating the manual processes and helping threat intelligence professionals get off the sidelines and into the battle.