As the business grows and getting bigger day by day in volume globally, the complexity of attacks also starts growing with it. Protecting the business is a difficult task. It can be affected by data breaches, destructive malware and ransomeware.
High-quality threat intelligence can offer immediate network protection, provide visibility to known threats and significantly reduce the time required for situational investigation or incident response.
Time to decision is everything. Security analysts, whether performing incident response or general threat research, need automated tools with intelligent rules to help find, organize and filter the most relevant information for their primary task. Within the security operations center (SOC), analysts and incident response engineers use threat intelligence to quickly isolate the signal from the noise, identify real problems and their fixes, and prioritize remediation efforts.
But the main problem analysts face is how do they know that the threat intelligence is relevent to the particular situation? This leads us to relevance scoring.
How Relevance Scoring Supports
Relevance scoring is a technique that correlates the properties of security analysts’ threat intelligence and those of their organization such as industry. By identifying indicators associated with one or more of the organization’s properties, analysts can place more weight on those specific to the organization compared to other indicators, especially when correlating against traffic they are investigating. Wouldn’t it be better if analysts’ automated tool sets understood and could use relevance scoring to provide more relevant insights automatically?
These techniques yield a relevance scoring system that is specific to the user’s organization or industry. Embedding relevance scoring in security tools provides professionals with the right data at the right time . Organizations that share their sightings with other threat sharing organizations and threat intelligence vendors who accept direct or anonymized user sightings containing local properties can enrich their threat intelligence and benefitting other communities.
Quality threat intelligence combined with local relevance scoring can helps in faster incident investigation, determination, prioritization and remediation.
Challenges Of Relevance Scoring
Deciphering which threats are most relevant to an organization is one of the biggest challenges that analysts face daily. Multiple threats rated as ‘HIGH’ covers security operations center (SOC) analysts by filling their investigative queue. Alternatively, analysts too often find that threats that were classified as ‘LOW’ or unrated are more deserving of their time and effort.
As above shown picture, IBM has developed their own X-force Threat Intelligence system which makes the analysts’ work easy by identifying the threats which are most relevant.