When it comes to evaluating threat intelligence and digital risk solutions, collection has been at the fore of the narrative – and rightly so. Extensive coverage, with effective risk detection mechanisms in place, acts as the eyes and ears of an organization – detecting potential organizational risks.
While collection is clearly important, a large part of this narrative, remediation, goes under-recognized and under-leveraged.
3 Challenges to Implementing Threat Intelligence
Gartner recommends that, for threat intelligence to be leveraged successfully, it should be acquired, aggregated, and actioned.
Figure 1: Gartner, Market Guide for security threat intelligence products
In practice, however, this process may be harder to implement consistently, and this could be down to several factors:
- Too much data: Perhaps the collection mechanism in place is inundating the end user with too much information, which results in the user spending too much time triaging it and not enough time actioning it.
- Lack of confidence: Alternatively, this could be down to the fact that the user “lacks confidence in using that information to make decisions,” indicating that the information lacks context or simply doesn’t provide enough assistance.
- Threat data is unactionable: As a result of the points above, the threat intelligence cannot be actioned, because the data lacks relevance, context, or even guidance on what to do next.
Consequently, these factors create an imbalance, whereby more time is spent acquiring and aggregating information, and too little is spent actioning it.
Consequences of sitting in triage
Alert inaction creates a number of challenges, and impacts, for an organization. Here’s how:
Figure 2: Consequences of unmanaged digital risk
The solution: Built-in Remediation options
Here at Digital Shadows, remediation is not an afterthought – it is embedded into our customers’ workflows to reduce the friction often associated with managing digital risks. Here’s how:
When a security practitioner deals with an alert, there can often be confusion around what to do with that incident next, resulting in inaction and/or time wasted triaging it.
Well no more scratching your head, wondering what to do next!
Digital Shadows has designed a set of built-in custom playbooks, which assist with mitigation.
Figure 3: Digital Shadows’ Built-in Playbooks
Step-by-step guidance: Once an alert has been raised by SearchLight, the user can open up a pre-configured playbook, which is mapped to the NIST Computer Security Incident Handling Guide. First, the playbook will ask the user to triage the alert, to confirm and evaluate the risk.
Next, the playbook provides immediate actions to contain, reduce, or manage the risk, followed by post-incident activity, with the goal of providing longer-term actions to manage the risk and prevent recurrences.
Streamline responses: The built-in functionality ensures information security teams do not waste time sitting in triage, wondering what to do with the alert. Rather, they can reduce the time required to respond to an alert.
Consistency: The purpose of these playbooks is to ensure individuals follow consistent advice.
Among the actions available within alert playbooks, users can launch takedowns with the click of a button.
Digital Shadows has built-in end-to-end management of takedowns that quickly removes infringing content, domains, documents, or mobile applications. Rather than wasting time chasing a takedown request, Digital Shadows performs the takedown on your behalf, with options to track the status directly from the SearchLight portal.
Figure 4: Digital Shadows’ end-to-end takedown management
You can read more about Managed Takedowns in our datasheet here:
3. Leverage Integrations
Remediation efforts should not be siloed in one tool – rather, different tools should work in tandem to solve security problems effectively. With this in mind, Digital Shadows offers a host of technology integrations, across SIEM, SOAR, and ticketing, to assist with this.
Figure 5: Digital Shadows’ roster of technology integrations
4. Workflow options
Choose from flagging, whitelisting, closing, or commenting on an alert. This array of options enables users to manage, track, and operationalize alerts.
Figure 6: Digital Shadows’ workflow options
Front and centre: Don’t let remediation become an afterthought
Whether your threat intelligence function collects data manually or relies on an external provider, remediation should be embedded into the workflow either way.
If remediation seems daunting, Digital Risk Solutions are an attractive option because they can manage and mitigate risk on your behalf.
If you’re interested in more, join or watch our webinar to see these response options in action!