A Modern SOC Should Include a Threat Intelligence - Photo by Ryland Dean on UnsplashCyber threat intelligence is now being used by organisations of all sizes across industries and geographies. In fact, 85% of respondents to the 2021 SANS Cyber Threat Intelligence (CTI) Survey report they are producing or consuming intelligence, with the remaining 15% planning to. Notably, the number of respondents without plans to consume or produce intelligence was 0%, down from 5.5% in 2020. But there is still much work to be done.

A case in point, months after the SolarWinds Orion security breach, 63% of organisations surveyed remain highly concerned. As many as 60% of those directly impacted are still trying to determine if they were breached. A further 16% of organisations are still wondering if they were even impacted. Few organisations have matured their security operations (SecOps) to the point where they have integrated a complete CTI practice.

At ThreatQuotient, our mission is to advise and support our customers as they plan to enhance their SecOps by integrating a CTI practice at the core. We have worked on these projects for several years. We’ve seen that many of our customers rely on Managed Security Service Providers (MSSPs) or Managed Detection and Response (MDR) for the detection component of their SecOps, setting up processes and serving as tier-1 and tier-2 SOC analysts.

The pandemic has changed the use of threat intelligence

SOC contracts are generally signed for a minimum three-year period. During that period, the SOC service definitions and associated SLAs remain fairly static. These contracts may specify the need for continuous enhancement. However, it can be extremely difficult to make significant changes and update SLAs once the contract is in place.

This limitation has become even more problematic given the year of dramatic disruption every customer has experienced. Almost 20% of respondents told SANS that the pandemic has changed how they use threat intelligence. This is due to a rise in phishing and ransomware attacks and work-from-home threats. Moreover, the recent rise of worldwide supply chain attacks has been a real game-changer for defenders.

Strategic shifts to mature your SecOps and evolve your use of threat intelligence by implementing a CTI practice are difficult to achieve if you’re outside a contract renewal window. It’s critical, therefore, for customers to think ahead about their SecOps maturity needs. They must work with their MSSP/MDR at contract renewal, or during the RFP process, to synchronise SecOps process evolutions. It’s the only way to ensure you’ll be able to onboard a CTI platform when you’re ready and gain the benefit of threat intelligence sharing, orchestration and collaboration.

Based on our experience helping customers navigate this situation, here are some of the keys to global project success when leveraging a SOC MSSP/MDR contract process.

Don’t let the window close: The time is now to move from being reactive to anticipatory

Disruptions are a fact of life, and threat actors will continue to take advantage of them. A CTI platform allows you to take a proactive and even anticipatory approach to security operations. It enables you to profile not only the attack but attackers who rapidly change their tools, techniques and procedures (TTPs) to evade defensive technologies.

Intelligence-based workflows allow security operators to use these insights into adversaries. They can track how they are evolving to enrich internal surveillance. It allows them to focus on high priority and relevant threats and minimise alerts that are just noise or are false positives. Security teams can also strengthen defenses. Relevant threat intelligence data can be automatically sent directly to the sensor grid, SIEM, logs, and ticketing systems. This proactively protects the organisation from future threats.

In such a set-up, the customer SecOps teams can create detection policies in real-time and actively collaborate with the MSSP/MDR to perform crisis management when a new, massive threat appears.

CTI serves and is fed by all four functions of your SecOps

Security operations typically consist of four main functions: the defence team, risk management, the SOC for detection, and the incident response team. With a CTI platform, you can leverage threat intelligence across these functions to better understand your adversaries and their tactics, techniques and procedures (TTPs). It allows you to strengthen defenses, mitigate risk, and accelerate detection and response in a homogeneous and efficient way.

Tools and teams in each of these four areas gather additional threat data, learnings and observations. These are fed into your CTI platform to create an organisational memory. Intelligence is automatically reevaluated and reprioritised based on this new information. The result is that the CTI practice continues to improve by leveraging trusted and timely information that helps accelerate the right actions and allows real threat data-driven orchestration across all SecOps tools.

A CTI practice requires some modifications to all four functions, including the SOC MSSP/MDR contract

When you introduce a CTI practice into the core of your security operations, every function must adapt to work with a CTI platform. It ensures you benefit from collaboration and communication (SIEM, SOAR, EDR, etc.). Some service providers can accelerate the process because they offer a CTI capability as part of their practice.

For others, more work needs to be done to their processes and SLAs to ensure the successful onboarding of a CTI platform. In either case, modifications are simpler and faster when initiated at contract time. Otherwise, you risk missing out on the full value a CTI practise can bring to your business.

The CTI practice can be activated when you are ready

An MSSP/MDR that already has a CTI practice offering, can provide a CTI platform for your environment. Over time, they can transfer the skills to run the CTI practice to your team. Should you decide to have the service provider continue to run the CTI practice for you, the threat memory is yours. It remains on your site for reuse to continue to improve prevention, blocking and global analytics.

This is the implementation model we have seen the most in the past 12 months. However, it’s early days, and service providers are working together with their customer SecOps teams to optimise the path forward. If the MSSP/MDR doesn’t have a CTI practice offering (unlikely nowadays), look for a CTI platform that leverages a flexible data model. One that also supports open intelligence sharing standards to ensure efficient and effective connectivity and communication. The goal is to be “CTI practice-ready”, even if you aren’t ready to activate the program right away.

Cyberattacks have escalated over the last few months. It has shown us there’s no time to waste in maturing your SecOps program. A reactive security posture, of detect and respond only, is not a viable option anymore.

You need to make sure you’re leveraging threat intelligence throughout your security operations. It helps you understand your adversaries, strengthen defenses, and accelerate detection and response. It turns your SecOps into an anticipatory program. When you work with your SOC MSSP/MDR at contract time, you remain in control of the timeline. You aren’t forced to wait another three years for the next contract negotiation cycle to gain the full value of a CTI practice and platform.


ThreatQThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.

LEAVE A REPLY

Please enter your comment!
Please enter your name here