Improving Threat Detection Through Integration

So many cybersecurity tools, so little time. The amount and variety of the data generated by these tools can be overwhelming. So how do corporate security teams sort through it all to detect and prioritize the threats that matter most?

The obvious answer is to integrate all that data, so all the trees can be viewed as a single forest.

The goal should be to achieve a single, big-picture view that can be analyzed in real time, allowing security personnel to arrive at actionable insights without getting lost in the weeds.

Distributed Threat Intelligence Disrupts the Big Picture

No single cybersecurity tool can do everything, and comprehensive threat intelligence requires a diverse set of security tools to keep up with the ever-changing threat landscape. Yet a 2020 study by the Ponemon Institute found that making use of more tools placed an organization at a disadvantage, and that companies that used fewer threat detection tools were better able to detect and respond to an attack.[1] Less, however, did not always equate to more. The report also found that pooling data from discrete tools can help reduce reporting complexity, and 63% of the high-performing organizations surveyed said that sharing data among tools helped improve their ability to respond to threats.

In other words, widespread, piecemeal data presents problems when it isn’t integrated properly, and even the best threat intelligence tools can be a liability if they’re treated as alert-generating islands unto themselves.

Too Many Alerts Can Prove to be Costly

An increasing volume of alerts is a burdensome reality for many security teams. It’s not uncommon for some organizations to receive more than 100 alerts in a given day — or even ten times that many if they work at a large enterprise.[2] And like the boy who cried wolf, with so many attack notifications they become easy to ignore.

This state of affairs can be very costly. Another study by Ponemon, this one from 2015, found that companies lose an average of $1.27 million a year responding to inaccurate or erroneous alerts.[3] This is in part due to all the time wasted by the cybersecurity professionals who are tasked with parsing through all the noise. In the absence of an integrated solution, it’s like asking them to piece together an oversized jigsaw puzzle without providing a big picture for them to reference. Ultimately, they might be able to do it — but the outcome is less certain, and it will surely take them much longer to accomplish the job.

Even with all the state of the threat solutions at their disposal, when the data is channeled through individual veins, as opposed to a central artery, security teams have trouble keeping their finger on the pulse. Absent a centralized hub, integrated dashboard or similar reporting mechanism, team members have no choice but to bounce from one threat intelligence service to the next. This keeps them stuck in the weeds, unable to discern an attack pattern or how one intrusion might be related to the next. Responding to threats as they occur, they can only react — unable to adopt a more proactive approach that anticipates where the next attack is likely to come from.

Better Threat Detection Relies on Data Integration

With the average time-to-detection of a cyber intrusion being an astounding 56 days,[4] there is small doubt that better threat detection intelligence is needed. Enter SIEMs, SOARs and APIs, which collectively make it feasible to integrate multiple threat intelligence solutions.

Security Information and Event Management, or SIEM, provides a framework for assimilating the inputs from discrete security tools into a single feed. By aggregating and correlating this data, it can spot events that can’t be identified by individual monitoring of individual tools.

Security Orchestration, Automation and Response, or SOAR, boosts a SIEM framework’s capabilities by automating the threat analysis and incident response. But SOAR’s ability to programmatically respond relies on extensive data integration. Hence the need for APIs —especially open APIs — that can accelerate the melding of different cybersecurity tools and their reporting systems.

Using software technologies like SIEMs, SOARs and open APIs, security professionals can tap into the collective power of the best threat intelligence tools available, enabling them to lift their gaze from the trees to the forest.

The Bottom Line

Given the ever-changing cyber threat landscape, the profusion of threat-detection tools is a necessary evil. Used standalone, these tools can become a liability, since they force cybersecurity teams to flit from one reporting system to the next, often missing the big picture in the process. But by integrating them with approaches like SIEM, SOAR and open APIs, security professionals can connect the dots, spotting threat patterns that would otherwise elude detection.

To learn more about optimizing your security stack, join us for Mimecast SecOps Virtual, a complimentary half-day event of keynotes and breakout sessions taking place January 26 and 27.

[1] The 2020 Cyber Resilient Organization Study, The Ponemon Institute

[2] “56% of Large Companies Handle 1,000+ Security Alerts Each Day,” DarkReading

[3] The Cost of Malware Containment, The Ponemon Institute

[4] “FireEye Mandiant M-Trends 2020 Report Reveals Cyber Criminals Are Increasingly Turning to Ransomware as a Secondary Source of Income,” FireEye