Setting up a first-time threat intelligence capability is no small feat. After proving the value of a tool to business stakeholders, researching and evaluating vendors, and finally adopting a tool, teams would ideally arrive at an output of useful data to dive into, great reporting features, and clear paths to action such as blocking newly uncovered indicators.
However, this is often not the case. Threat intelligence platforms can be noisy, with an excess of low-value alerts, and practically unusable, with complex interfaces and no clear indication of where to gather data. All too often teams are overwhelmed by a fire hydrant of alerts and indicators.
Digital risk protection, compared with traditional threat intelligence tooling, is known for its increased relevance and actionability.
The approach Digital Shadows has taken to kill the noise and help organisations start building a more actionable, and less overwhelming, threat intelligence capability is outlined below.

WHY A FOCUS ON ACTIONABLE THREAT INTELLIGENCE?
Digital footprints keep on growing and, while most of that growing footprint is benign, some of it has associated risk – digital risks, if you will. Unfortunately, every year the average organisation is mentioned 15 million times across the surface web, technical sources, the dark web, and exposed documents.
Even the most mature security teams in the largest organisations are hard-pressed to correlate and analyse this enormous amount of data in a reasonable timeframe.
The average company is mentioned 15 million times a year (Digital Shadows, 2020)
Our approach is to filter out the noise, automate your response, and redirect analyst time to the most challenging and nuanced issues: deciding when it’s worth taking brand enforcement action, or evaluating the credibility of dark web information and other cyber threat analysis, for example.
Let’s break that down into three parts:

Use software to do the heavy lifting
Manually analyse the hard bits
Automate the repetitive responses

SOLUTION 1. LET SOFTWARE DO THE HEAVY LIFTING
Of the 15 million mentions, this approach can weed out the vast majority. For example, an exposed credential, a detected vulnerability, or an open port is straightforward to detect.
Algorithms can then be applied to specific areas, such as an exposed document. Software can automate the research and validation of risk, for example by analysing the document’s content for risk factors including DLP identifiers, sensitive markings, document date, and company mentions, without requiring an analyst’s time and attention.
SOLUTION 2. FOCUS HUMANS ON THE TRICKIER PROBLEMS
Data feeds often unleash an unfathomable number of alerts on security analysts, causing the bulk of their workdays to shift to triaging false positives. Threats such as impersonating domains, phishing webpages, dark web mentions, and counterfeit goods may be detected by software but, on closer inspection, refer to a similarly named company or carry no risk of real business impact.
A Digital Risk Protection solution is there to raise only the important alerts, complete with risk scoring and prioritisation, to reduce manual triage time. This, in turn, allows more time to be spent on remediating real security threats.
Digital Shadows SearchLight protects against external threats, continually identifying where your assets are exposed, providing sufficient context to understand the risk, and offering options for remediation. Of the 13,000 potential alerts detected by SearchLight, our analysts assess for risk and business impact, removing approximately 91% of them before they are raised to teams.
SOLUTION 3. LEVERAGE AUTOMATION TO EASE THE BURDEN
Experiencing the same type of alert again and again can feel like insanity, but thankfully a fair amount of alert noise can be killed with automation.
Take exposed credential alerts, for example. Some clients choose to auto-validate their exposed credentials within SearchLight against a standardised company format or an identity and access provider such as Azure Active Directory or Okta, saving hundreds of hours per month on investigating credentials (read more about our credential validation in our Exposed Credential Monitoring Solutions Guide).
In another scenario, clients automated responses within Splunk Phantom for “Unauthorised Commit to Public Code Repository”, successfully reducing remediation time from 3 weeks to just four hours.
WHAT DOES SUCCESS LOOK LIKE?
Of the 15 million mentions, the average organisation receives only the following alerts from SearchLight in a year, which can be categorised neatly as:

10 Phishing Webpages
29 Exposed Access Key Alerts
29 Impersonating Mobile Apps
55 Exploitable Vulnerabilities
57 Impersonating Social Media Profiles
84 Exposed Document Alerts
178 Certificate Issues
835 Impersonating Domains

Full alert details include risk scoring and prioritisation of these risks, with rich context and automated actions to enable teams to respond effectively. With highly accurate alerts and the greatest breadth of coverage, analyst time can be spent on critical and complex actions such as managed takedowns, language translation, and cyber threat analysis.
To explore our platform for yourself, register to test drive SearchLight and gain access to our cyber threat intelligence library of hundreds of threat actor profiles and MITRE techniques and mitigations. You can additionally get a customised consultation on your digital risk by requesting a demo at www.digitalshadows.com.
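The three solutions above (software-driven document risk scoring, raising only alerts that pass a threshold, and auto-validating exposed credentials against a standardised company format) are illustrated together in the following added triage example; it is not Digital Shadows' or SearchLight's own code, and the company name, the first.last email format, the risk-factor weights, the threshold and the sample alerts are all constructed assumptions.

```python
import re
from datetime import date

# Constructed example: company name, email format, weights and threshold are
# assumptions for illustration, not a vendor's real validation logic.
COMPANY = "examplecorp"
CORP_EMAIL = re.compile(r"^[a-z]+\.[a-z]+@examplecorp\.com$")  # first.last@...
DLP_PATTERNS = [re.compile(r"\b(?:\d[ -]?){13,16}\b")]  # payment card numbers
SENSITIVE_MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")
RAISE_THRESHOLD = 50  # alerts scoring below this are auto-closed, not raised
AS_OF = date(2020, 6, 1)  # assumed assessment date, keeps the example deterministic

def validate_credential(email: str) -> bool:
    """Auto-validate an exposed credential against the corporate username format."""
    return CORP_EMAIL.match(email.strip().lower()) is not None

def score_document(text: str, doc_date: date, today: date) -> int:
    """Score an exposed document by DLP hits, markings, age and company mentions."""
    score = 0
    if any(p.search(text) for p in DLP_PATTERNS):
        score += 40  # DLP identifier present
    if any(m in text.upper() for m in SENSITIVE_MARKINGS):
        score += 30  # sensitivity marking present
    if (today - doc_date).days <= 365:
        score += 20  # recent documents are more likely to still be relevant
    score += 2 * min(text.lower().count(COMPANY), 5)  # capped company mentions
    return score

def triage(alerts: list, today: date) -> list:
    """Return only the alerts worth an analyst's time, each with a risk score."""
    raised = []
    for alert in alerts:
        if alert["type"] == "exposed_credential":
            if validate_credential(alert["email"]):
                raised.append({**alert, "score": 60})
        elif alert["type"] == "exposed_document":
            score = score_document(alert["text"], alert["date"], today)
            if score >= RAISE_THRESHOLD:
                raised.append({**alert, "score": score})
    return raised

# Constructed sample feed: two exposed credentials, two exposed documents.
SAMPLE_ALERTS = [
    {"type": "exposed_credential", "email": "Jane.Doe@examplecorp.com"},
    {"type": "exposed_credential", "email": "jdoe1987@gmail.com"},
    {"type": "exposed_document", "date": date(2020, 5, 1),
     "text": "CONFIDENTIAL ExampleCorp payroll, card 4111 1111 1111 1111"},
    {"type": "exposed_document", "date": date(2016, 1, 1),
     "text": "ExampleCorp canteen menu for the week"},
]
```

Running `triage(SAMPLE_ALERTS, AS_OF)` raises only the corporate-format credential and the marked payroll document; the personal webmail address and the stale canteen menu are closed automatically.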