
Integrating a threat information management platform with a security information and event management system

Title: Integrating a threat information management platform with a security information and event management system
Author(s): Reiman, Tomi
Contributor: University of Helsinki, Faculty of Science, Department of Computer Science
Discipline: Computer science
Language: English
Acceptance year: 2016
Abstract:
Cyberthreat intelligence is currently a hot topic in the information security community. Today's business models are forcing organizations to move into cyberspace, and because of this they face new threats. Organizations need to address these new threats in order to protect their systems from adversaries. One method for doing so is to develop a threat intelligence program, in which the organization actively gathers intelligence about current and emerging cyberthreats. Indicators of compromise can be used in an organization's security infrastructure to look for and to prevent threats in near real time. Indicators can be obtained from public intelligence feeds, and they can be shared in threat information sharing communities formed by organizations facing similar threats. Regardless of the source of threat intelligence, the intelligence should be evaluated by skilled security analysts to verify that the indicators of compromise suit the target environment. By sharing threat information, organizations can benefit from security incidents seen by other organizations, and the participants can leverage the actionable intelligence to adjust their defenses before similar threats materialize within their own network. Organizations can utilize purpose-built software to manage their threat intelligence. This supports the organization in developing its threat intelligence program. Threat information management platforms aid organizations in managing the quality and richness of threat intelligence, and these platforms often come with information sharing capabilities built into the software, enabling organizations to share threat intelligence with each other. Organizations are able to distribute actionable intelligence into their security infrastructure more easily if they use a threat information management platform as the centralized point for managing the organization's threat intelligence.
An example of an integration point is the organization's security information and event management (SIEM) system, which is often utilized by a security operations center (SOC) to perform analytics on the organization's log data. When the logs collected by a SIEM system are enriched with actionable intelligence, security analysts are likely to see more informed alerts and fewer false positives. This thesis defines an integration between a threat information management platform and a SIEM. We measure and evaluate how much the integration reduces the SOC's burden of manually importing threat intelligence into their monitoring infrastructure. Two questionnaires with SOC analysts were carried out for this purpose. We also evaluate how much the integration speeds up the deployment of actionable intelligence for detecting emerging threats. The evaluation is based on security incident ticket data obtained from a production SOC environment.
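To make the enrichment step concrete, the following added example (not code from the thesis) shows how indicators exported from a threat information management platform could be matched against SIEM log events, with only analyst-verified indicators above a confidence threshold deployed. The indicator set, log lines, field names and confidence scale are constructed for illustration.

```python
# Added example (not the thesis's code): enrich SIEM events with TIP indicators.
# Indicator set, log lines and field names below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str              # observable, e.g. an IP address or a domain
    ioc_type: str           # "ip" or "domain"
    source: str             # feed or sharing community the indicator came from
    confidence: int         # 0-100 as scored in the TIP (constructed scale)
    analyst_verified: bool  # has a SOC analyst judged it to suit this environment?

# Constructed TIP export; only verified, high-confidence indicators get deployed.
TIP_EXPORT = [
    Indicator("203.0.113.7", "ip", "sharing-community-A", 90, True),
    Indicator("198.51.100.23", "ip", "public-feed-B", 40, False),
    Indicator("malicious.example", "domain", "sharing-community-A", 85, True),
]

def deployable(indicators, min_confidence=70):
    """Keep only analyst-verified indicators at or above the confidence threshold."""
    return {i.value: i for i in indicators
            if i.analyst_verified and i.confidence >= min_confidence}

def parse_event(line):
    """Parse 'key=value' pairs from a constructed firewall/proxy log line."""
    return dict(kv.split("=", 1) for kv in line.split())

def enrich(line, lookup):
    """Add ti_* fields when an observable in the event matches a deployed indicator."""
    event = parse_event(line)
    for field in ("src", "dst", "host"):
        hit = lookup.get(event.get(field))
        if hit:
            event.update(ti_match=field, ti_type=hit.ioc_type,
                         ti_source=hit.source, ti_confidence=hit.confidence)
            break
    return event

# Constructed log lines: lines 2 and 3 should alert; line 4 matches only an
# unverified, low-confidence indicator that was never deployed, so it stays quiet.
LOG_LINES = [
    "ts=2016-08-24T10:00:01 src=10.0.0.5 dst=192.0.2.10 action=allow",
    "ts=2016-08-24T10:00:02 src=10.0.0.9 dst=203.0.113.7 action=allow",
    "ts=2016-08-24T10:00:03 src=10.0.0.9 host=malicious.example action=allow",
    "ts=2016-08-24T10:00:04 src=10.0.0.7 dst=198.51.100.23 action=allow",
]
def alerts(lines, indicators):
    """Events that matched a deployed indicator, i.e. what the SIEM would raise."""
    lookup = deployable(indicators)
    return [e for e in (enrich(l, lookup) for l in lines) if "ti_match" in e]
```

The enriched events carry the indicator's source and confidence, which is the context an analyst needs to triage the alert without consulting the platform by hand.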


Files in this item

masters_thesis-24-08-2016_treiman_013746801.pdf (1.066 MB, PDF)
