Threat Intelligence Can Be Noisy: SearchLight Helps

BrandPost By Digital Shadows
Jun 17, 2021

Credit: iStock 1169999045

Setting up a first-time threat intelligence capability is no small feat. After proving the value of a tool to business stakeholders, researching and evaluating vendors, and finally adopting a tool, teams would ideally arrive at an output of useful data to dive into, great reporting features, and clear paths to action such as blocking newly uncovered indicators.

However, this is often not the case. Threat intelligence platforms can be noisy, generating an excess of low-value alerts, and practically unusable because of complex interfaces and uncertainty about where data should be gathered from. All too often teams are overwhelmed by a fire hydrant of alerts and indicators.

Compared with traditional threat intelligence tooling, digital risk protection is known for greater relevance and actionability.

The approach Digital Shadows has taken to kill the noise and help organisations start building up a more actionable, and less overwhelming, threat intelligence capability is outlined below.

WHY A FOCUS ON ACTIONABLE THREAT INTELLIGENCE?

Digital footprints keep on growing and, while most of that growing footprint is benign, some of it has associated risk – digital risks, if you will. Unfortunately, every year the average organisation is mentioned 15 million times across the surface web, technical sources, on the dark web, and within exposed documents.

Even the most mature security teams in the largest organisations are hard-pressed to correlate and analyse this enormous amount of data in a reasonable timeframe.

The average company is mentioned 15 million times a year (Digital Shadows, 2020)

Our approach is to filter out the noise, automate your response, and redirect analyst time to the most challenging and nuanced issues: for example, deciding when it is worth taking brand enforcement action, evaluating the credibility of dark web information, and other cyber threat analysis.

Let's break that down into three areas:

  • Use software to do the heavy lifting
  • Manually analyse the hard bits
  • Automate the repetitive responses 

SOLUTION 1. LET SOFTWARE DO THE HEAVY LIFTING

Of the 15 million mentions, this approach can weed out the vast majority. For example, an exposed credential, a detected vulnerability, or an open port is straightforward to detect.

Algorithms can then be applied to specific areas, such as an exposed document. Software can automate the research and validation of risk, for example by analysing the document's content against risk factors including DLP identifiers, sensitive markings, document date, and company mentions, without requiring an analyst's time and attention.
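To make that concrete, here is an added illustration (not SearchLight's code) of scoring an exposed document against the four risk factors named above; the patterns, weights, company names and threshold are constructed assumptions:

```python
import re
from datetime import date

# Constructed assumptions: a fictional company name list and simple DLP patterns.
COMPANY_NAMES = ["Example Corp", "ExampleCorp"]
SENSITIVE_MARKINGS = re.compile(
    r"\b(confidential|internal only|restricted|do not distribute)\b", re.I)
DLP_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\b(?:AKIA|sk_live_)[A-Za-z0-9]{12,}\b"),
}


def score_document(text, doc_date, today=None):
    """Return (score, reasons) for one exposed document.

    Factors: company mentions, sensitive markings, DLP identifiers and
    document age. A higher score means the document is more likely to
    deserve an analyst's attention rather than being auto-closed."""
    today = today or date.today()
    score, reasons = 0, []
    mentions = sum(text.count(name) for name in COMPANY_NAMES)
    if mentions:
        score += 2
        reasons.append(f"company mentioned {mentions}x")
    if SENSITIVE_MARKINGS.search(text):
        score += 3
        reasons.append("sensitive marking present")
    for name, pattern in DLP_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            score += min(hits, 5)  # cap so one noisy field cannot dominate
            reasons.append(f"{name}: {hits} match(es)")
    if (today - doc_date).days <= 365:
        score += 2
        reasons.append("document under one year old")
    return score, reasons


def triage(text, doc_date, today=None, threshold=5):
    """Map the score to the action a platform would take automatically."""
    score, reasons = score_document(text, doc_date, today)
    action = "raise" if score >= threshold else "auto-close"
    return action, score, reasons
```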

SOLUTION 2. FOCUS HUMANS ON THE TRICKIER PROBLEMS

Data feeds often unleash an unfathomable number of alerts on security analysts, causing the bulk of their workdays to shift to triaging false positives. Threats such as impersonating domains, phishing webpages, dark web mentions, and counterfeit goods may be detected by software, but in reality many of them refer to a similarly named company or carry no real business impact.

A digital risk protection solution is there to raise only the important alerts, complete with risk scoring and prioritisation, to reduce manual triage time. This, in turn, allows more time to be spent on remediating real security threats.

Digital Shadows SearchLight protects against external threats by continually identifying where your assets are exposed, providing sufficient context to understand the risk, and offering options for remediation. Of the 13,000 potential alerts detected by SearchLight, our analysts assess each for risk and business impact, removing approximately 91% of them before they are raised to teams.

SOLUTION 3. LEVERAGE AUTOMATION TO EASE THE BURDEN

Experiencing the same type of alert again and again can feel like insanity, but thankfully a fair amount of alert noise can be killed with automation.

Take exposed credential alerts, for example. Some clients choose to auto-validate exposed credentials within SearchLight against a standardised company format or an identity and access provider such as Azure Active Directory or Okta, saving hundreds of hours per month on investigating credentials (read more about our credential validation in our Exposed Credential Monitoring Solutions Guide).
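The format check described above, as an added example that is not Digital Shadows' code: the company domain, the standardised first.last address format and the directory lookup (a set standing in for an Azure AD or Okta query) are all constructed assumptions.

```python
import re

# Constructed assumptions for a fictional company.
COMPANY_DOMAINS = {"corp.example"}
STANDARD_LOCAL_PART = re.compile(r"^[a-z]+\.[a-z]+\d{0,2}$")  # first.last, optional digits
# Stand-in for an identity provider lookup (Azure AD / Okta); only usernames are needed.
ACTIVE_ACCOUNTS = {"jane.doe@corp.example", "sam.lee2@corp.example"}


def validate_exposed_credential(username):
    """Decide automatically whether an exposed-credential alert needs a human.

    Returns (action, reason). Only alerts that name an active account in the
    corporate format are raised; everything else is closed without analyst time."""
    email = username.strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or domain not in COMPANY_DOMAINS:
        return "auto-close", "not a company address"
    if not STANDARD_LOCAL_PART.match(local):
        return "auto-close", "does not match the standardised company format"
    if email not in ACTIVE_ACCOUNTS:
        return "auto-close", "no active account in the directory"
    return "raise", "active account exposed: trigger password reset"


def triage_batch(usernames):
    """Summarise a batch of alerts as {action: count} so the saving is visible."""
    counts = {"raise": 0, "auto-close": 0}
    for name in usernames:
        action, _ = validate_exposed_credential(name)
        counts[action] += 1
    return counts
```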

In another scenario, clients automated responses within Splunk Phantom for "Unauthorised Commit to Public Code Repository", successfully reducing remediation time from 3 weeks to just four hours.

WHAT DOES SUCCESS LOOK LIKE?

Of the 15 million mentions, the average organisation receives only the following alerts from SearchLight in a year, which can be categorised neatly into:

  • 10 Phishing Webpages
  • 29 Exposed Access Key Alerts
  • 29 Impersonating Mobile Apps
  • 55 Exploitable Vulnerabilities
  • 57 Impersonating Social Media Profiles
  • 84 Exposed Document Alerts
  • 178 Certificate Issues
  • 835 Impersonating Domains

Full alert details include risk scoring and prioritisation of these risks, with rich context and automated actions that enable teams to respond effectively. With a high degree of alert accuracy and the greatest breadth of coverage, analyst time can be spent on critical and complex actions such as managed takedowns, language translation, and cyber threat analysis.

To explore our platform for yourself, register to test drive SearchLight and gain access to our cyber threat intelligence library of hundreds of threat actor profiles and MITRE techniques and mitigations. You can additionally get a customised consultation on your digital risk by requesting a demo at www.digitalshadows.com.