Military general and philosopher Sun Tzu once led the largest armies in the world and authored The Art of War. It is still considered a masterpiece of tactical warfare and very relevant as we wage our battles against evolving cyberattacks. While threat intelligence is a relatively new discipline in our cyber defence processes, it’s been around for over 2,500 years.
Threat intelligence was central to Sun Tzu’s winning strategies. It is also foundational to our success today as our security approaches continue to evolve, most recently with Extended Detection and Response (XDR) solutions.
Most cybersecurity professionals are familiar with this widely referenced quote by Sun Tzu: “If you know others and know yourself, you will not be beaten in one hundred battles. If you do not know others but know yourself, you will win one and lose one. If you do not know others and do not know yourself, you will be beaten in every single battle.”
Begin with information gathering
According to Sun Tzu, the first step in awareness is information gathering. It includes information about yourself – your assets, priorities, strengths and vulnerabilities. You must also know your enemy – who and where they are, their size, the types of weapons they use, their motivation, and their tactics and techniques. This information drives basic decisions – is this a threat or not, should we fight or flee, and what actions should we take?
Then comes the most important step – calculations. As Sun Tzu said, “The general who wins a battle makes many calculations before and during the battle. The general who loses makes hardly any calculations. This is why many calculations lead to victory and few calculations lead to defeat.”
We should not act on the basis of raw data. Instead, we need information gained by examining the data for relevance, priority and other situational information. On the battlefield, this includes terrain and weather conditions. The goal is to apply context to data to have the right information at the right place and time.
Parallels with The Art of War and the XDR process
Relating this process to XDR, we see close parallels. Gathering information from different disparate internal and external sources and domains is the “extended” part. The distribution or dissemination of information across your security infrastructure is the “detection and response” part. Finally, calculations involve converting raw data into relevant intelligence. This is the basis for responding efficiently and effectively to a given situation.
To accomplish this, what’s needed is a data-driven security operations platform. One that allows you to extend capacity to consume and manage data, internal or external, structured or unstructured. A lot of valuable data you get from third parties is trapped within their technologies.
The platform must be based on an open architecture, where integrations are broad and deep to help you unlock that valuable resource. Having aggregated and normalised all that data, the platform must be able to correlate the data and apply context to prioritise and filter out noise.
Ultimately, you want to operationalise the data and take the right action. So, the platform must translate that curated, prioritised data for export, allowing for data flow across the infrastructure to quickly activate defence technologies and teams. Closing the loop, the platform also captures and stores data from the response for learning and improvement. And remember, all of this happens at speed and scale. It means automation is key, allowing you to act efficiently for a comprehensive response.
Threat intelligence best practices to enable XDR
For organisations considering XDR or that have already embraced XDR, the following best practices will help you leverage threat intelligence to derive more value.
Use data from all sources: Integration is a core competency to enable XDR. Organisations are not starting with a clean slate but have dozens of technologies, feeds and third-party data sources across departments and teams. Allow for strong integration and interoperability with all systems and data sources, internal and external. It enables you to leverage threat data. Display a wealth of contextualised data via a common work surface. It enables teams to apply it to understand the threats they face to reach the goal of extended detection and response across the infrastructure and all attack vectors.
Use data to focus efforts: Prioritisation should be automated but under the control of the security team. Filter out noise (false positives and information that is irrelevant) using parameters you set. It ensures prioritisation is based on risk to your organisation. Analysts can focus on threats that matter most instead of spending time chasing ghosts. Feedback and results should be continuously captured, stored, and used to improve security operations.
Use data to drive response: The most effective way to empower teams is to apply automation to repetitive, low-risk, time-consuming tasks. Also, recognise that the need for human analysis remains. Irregular, high-impact, time-sensitive investigations are best led by a human analyst with automation simply augmenting the work. A balance between human and machine ensures that teams always have the best tool for the job. A data-driven approach to both improves the speed and thoroughness of the work.
XDR needs threat intelligence
XDR is gaining a lot of traction. But for it to deliver as promised, we need to heed Sun Tzu and start with a data-driven approach. Threat intelligence was critical to success on the battlefield then, and it is critical to success on the cyber battlefield today.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.