
From Threat Intelligence to Threat Detection: Three Secureworks Taegis Differentiators


Threat intelligence is a vital cybersecurity discipline that enables people to understand the current behaviors of malicious groups or actors who wish to do them harm.

But human understanding of current cyberthreats alone is insufficient for effective cyber defense—because to defend their enterprise environments at scale, SecOps teams must also translate threat intelligence into effective threat detection. It is, after all, effective detection that empowers SecOps to actually defend their environments from threat actors.

Secureworks translates threat intelligence into detection at multiple levels, including Tactic Graphs™ for chains of activity; endpoint, network and cloud signatures that look for instances of malicious activity; and file signatures that look for specific traits of malware. We also use Indicators of Compromise (IoCs), meaning domain names, IP addresses and file hashes. IoCs can be noisy and ineffective if used bluntly, but they are an effective part of a cyber defense strategy when actively managed.

So how does Secureworks® translate threat intelligence into effective IoCs within our Taegis™ XDR platform? And just as important, how does our intelligence-to-detection process make Taegis a better solution for cyber defense?

To answer that question, let’s look at the three factors that determine whether the IoCs derived from threat intelligence can be turned into effective detection of that threat.

Detection factor #1: Timeliness

Threat intelligence is about expanding visibility and understanding of cyber threats, but it’s not enough to just recognize the threat. The observation must rapidly convert into a detection so that the threat can be mitigated in a timely manner.

The IoCs associated with a threat (hashes, IP addresses and domain names) can have an extremely short shelf life. Many are only useful for about a week, if that, and some last less than 48 hours. So the effectiveness of an IoC-based detection is largely contingent on having timely intelligence.

To detect effectively, you need to go from observation of an indicator, through analysis and validation, and into a detection mechanism such as an XDR platform as quickly as possible.

Secureworks’ advantages in the timeliness with which we translate threat intelligence into active Taegis detections are significant. First and foremost among these advantages is the fact that we ourselves are a world-class originator of threat research. Doing our own research and making our own direct observations of threat activity means that we start several steps ahead of any detection provider that depends on third parties for its intel. Our incident response team sees first-hand some of the most interesting incidents, and we make sure the intelligence from every engagement is used to protect every Taegis customer.

The methods we use in our threat research also put us ahead of the curve. Our bot emulation capability, for example, allows us to interact directly with threat actors’ infrastructure—so we can see them deploy new malware or command and control servers in real time. That’s why we identified and monitored the Qakbot takedown in near real-time, before anybody else.

The other side of the timeliness equation is how you age out indicators. Once an indicator is no longer being used by threat actors, it’s no longer useful for detection, and as we mentioned above, that point might come hours or days after the first observation. Our Counter Threat Unit™ (CTU™) actively curates our indicator list, aging indicators out of our watchlists so that any alerts raised are based on fresh, relevant indicators.

Combined with other measures we’ve put in place to compress our intel-to-detection pipeline, we believe the timeliness of Taegis detectors is second to none.

Detection factor #2: Fidelity

Attacks generate lots of telemetry, but very little of it is useful for detection on its own, because many of the same events and behaviors, such as the connectivity checks to Google that malicious code performs to confirm it is online, are normal activity too. The first step in indicator triage is therefore to cull this noise: we run every indicator through our Triage Engine before it is added to a detection watchlist, so that only the most reliable indicators make it into detections.

The goal here is fidelity. The detectors created from the raw threat intel data must be accurate in terms of both 1) consistently detecting the presence of a given threat with true positives and 2) generating a minimal volume of false positives.

While every detection vendor may tout their ability to deliver true positives, no one should underestimate the adverse impact of false positives on an organization’s security posture. Alert fatigue undermines SecOps team performance. It also leads to staff burnout and turnover—which no one can afford given the global shortage of skilled cybersecurity professionals.

Secureworks rigorously focuses on minimizing the false positives associated with low-fidelity IoCs. The Triage Engine checks each indicator against a number of sources, including the 45 petabytes of customer telemetry in Taegis, because the number of customers and the volume of traffic touching an indicator is a good signpost for how effective or noisy that indicator will be at detecting malicious activity.
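The two controls described under timeliness and fidelity (aging an indicator out once its shelf life has passed, and demoting an indicator that too many customers touch) can be shown together in a few dozen lines. The following is an added example, not Secureworks or Taegis code: the shelf lives per indicator type, the prevalence threshold, the indicator values and the customer telemetry are all constructed assumptions for illustration.

```python
"""
Added example, not Secureworks code: a minimal IoC watchlist that ages
indicators out after an assumed shelf life and then triages the survivors by
prevalence across constructed customer telemetry before they may alert.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed shelf lives per indicator type. The post says many IoCs last about
# a week and some less than 48 hours; these exact values are illustrative.
DEFAULT_TTL = {
    "ip": timedelta(hours=48),
    "domain": timedelta(days=7),
    "sha256": timedelta(days=30),
}

# Assumed prevalence threshold: an indicator hit by more distinct customers
# than this is treated as too noisy to alert on by itself.
MAX_CUSTOMERS = 5

# Fixed "current time" so the demo is reproducible offline.
DEMO_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


@dataclass
class Indicator:
    value: str
    kind: str              # "ip", "domain" or "sha256"
    last_seen: datetime    # last confirmed use by the threat actor


def is_active(ind: Indicator, now: datetime) -> bool:
    """An indicator is live only within its type's shelf life."""
    return now - ind.last_seen <= DEFAULT_TTL[ind.kind]


def age_out(watchlist, now):
    """Drop indicators that are no longer within their shelf life."""
    return [i for i in watchlist if is_active(i, now)]


def prevalence(telemetry, value):
    """Count distinct customers and total events that touched `value`.
    telemetry: iterable of (customer_id, observed_value) tuples."""
    customers = set()
    hits = 0
    for cust, observed in telemetry:
        if observed == value:
            customers.add(cust)
            hits += 1
    return len(customers), hits


def triage(watchlist, telemetry, max_customers=MAX_CUSTOMERS):
    """Label each live indicator 'alert' (rare, high fidelity) or 'context'
    (too widespread to alert on alone, but still useful for correlation)."""
    verdicts = {}
    for ind in watchlist:
        n_customers, _ = prevalence(telemetry, ind.value)
        verdicts[ind.value] = "alert" if n_customers <= max_customers else "context"
    return verdicts


def build_pipeline(now):
    """Run aging and then triage over a constructed watchlist and telemetry."""
    sample_hash = hashlib.sha256(b"constructed sample").hexdigest()
    watchlist = [
        Indicator("203.0.113.7", "ip", now - timedelta(hours=12)),             # fresh C2 IP
        Indicator("203.0.113.9", "ip", now - timedelta(days=5)),               # stale C2 IP
        Indicator("update-check.example", "domain", now - timedelta(days=2)),  # widely hit
        Indicator(sample_hash, "sha256", now - timedelta(days=10)),            # malware hash
    ]
    # Constructed telemetry as (customer_id, value): ten customers resolve the
    # update-check domain; only one talks to the C2 IP or runs the sample.
    telemetry = [(f"cust{n}", "update-check.example") for n in range(10)]
    telemetry += [("cust3", "203.0.113.7"), ("cust3", sample_hash)]
    live = age_out(watchlist, now)
    return {
        "aged_out": [i.value for i in watchlist if i not in live],
        "verdicts": triage(live, telemetry),
    }


if __name__ == "__main__":
    print(build_pipeline(DEMO_NOW))
```

With the constructed data the stale IP is dropped before triage ever sees it, the widely resolved domain is kept only as context, and the fresh C2 address and the sample hash are the only two values allowed to raise an alert on their own. In a real pipeline the `last_seen` timestamp would be refreshed each time the actor is observed using the indicator again, which is what keeps a still-active indicator from aging out.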

Detection factor #3: Context

No single piece of telemetry can serve as a reliable indicator of a threat – when you get an alert, you need to know why the indicator is bad and what the alert might mean. So, the process of translating indicators into detectors isn’t just about curating them individually. It’s also about curating them collectively, in relation to each other.

Here the role of the Secureworks® Counter Threat Unit™ (CTU™) is especially notable. The CTU has engineered a threat graph that maps the complex relationships between hashes, domain names, files, threat groups, threat intelligence publications, and any other data point that might provide context. Even indicators that are low fidelity in themselves can be useful for this contextual mapping.

The CTU Threat Graph has more than 6 million interconnected nodes, which have been filtered down from over 60 billion threat observations —and it is regularly updated as new data points come into the CTU.

Any relationships that the CTU threat graph reveals are used to drive the creation of indicators in Taegis. This ability to discover complex relationships between data points, at scale, optimizes the ability of Taegis to both 1) correlate disparate telemetry to accurately detect even the most subtle signs of an active threat and 2) more effectively minimize false positives by not triggering alerts based on isolated data points without sufficient correlation.
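To make the two effects in the paragraph above concrete (attaching relationship context to an alert, and refusing to alert on an isolated low-fidelity data point), here is an added example of a toy threat graph. It is not the CTU Threat Graph or any Taegis code; the node names, edges, fidelity labels, hop limits and host events are all constructed assumptions.

```python
"""
Added example, not the CTU Threat Graph or Taegis code: a tiny threat graph
that (1) attaches context to an alert by walking relationships between
indicators, threat groups and publications, and (2) refuses to alert on a
single low-fidelity indicator unless other indicators on the same host point
at the same threat group. Every node, edge, label and event is constructed.
"""
from collections import defaultdict, deque

INDICATOR_KINDS = {"domain", "ip", "sha256"}


class ThreatGraph:
    """Undirected graph; every node carries a kind such as 'domain' or 'group'."""

    def __init__(self):
        self.adj = defaultdict(set)
        self.kind = {}

    def link(self, a, kind_a, b, kind_b):
        self.kind[a], self.kind[b] = kind_a, kind_b
        self.adj[a].add(b)
        self.adj[b].add(a)

    def reachable(self, start, kinds, max_hops):
        """Breadth-first walk from `start`; return nodes of the given kinds
        within `max_hops` edges (excluding `start` itself)."""
        seen, queue, found = {start}, deque([(start, 0)]), set()
        while queue:
            node, dist = queue.popleft()
            if dist == max_hops:
                continue
            for nxt in self.adj[node]:
                if nxt in seen:
                    continue
                seen.add(nxt)
                if self.kind[nxt] in kinds:
                    found.add(nxt)
                queue.append((nxt, dist + 1))
        return found


def build_demo_graph():
    """Constructed relationships: one threat group, one report, four indicators."""
    g = ThreatGraph()
    g.link("c2.example", "domain", "THREAT-GROUP-A", "group")
    g.link("203.0.113.7", "ip", "THREAT-GROUP-A", "group")
    g.link("cdn-check.example", "domain", "THREAT-GROUP-A", "group")
    g.link("c2.example", "domain", "0" * 64, "sha256")  # placeholder hash value
    g.link("THREAT-GROUP-A", "group", "report-0001", "publication")
    return g


# Assumed per-indicator fidelity from triage: 'low' means too common to alert on alone.
FIDELITY = {
    "c2.example": "high",
    "0" * 64: "high",
    "203.0.113.7": "low",
    "cdn-check.example": "low",
}


def context(graph, indicator, max_hops=2):
    """What an analyst wants next to an alert: the groups, publications and
    related indicators the hit connects to within a few hops."""
    return {
        "groups": sorted(graph.reachable(indicator, {"group"}, max_hops)),
        "reports": sorted(graph.reachable(indicator, {"publication"}, max_hops)),
        "related": sorted(graph.reachable(indicator, INDICATOR_KINDS, max_hops)),
    }


def correlate(graph, host_events, fidelity=FIDELITY, min_low=2):
    """Decide per host. host_events: {host: [indicator values observed]}.
    Alert on any high-fidelity hit, or when at least `min_low` low-fidelity
    hits on the host are linked (one hop) to the same threat group."""
    decisions = {}
    for host, observed in host_events.items():
        high = [v for v in observed if fidelity.get(v) == "high"]
        per_group = defaultdict(set)
        for v in observed:
            if fidelity.get(v) == "low":
                for grp in graph.reachable(v, {"group"}, 1):
                    per_group[grp].add(v)
        corroborated = sorted(grp for grp, inds in per_group.items() if len(inds) >= min_low)
        if high:
            decisions[host] = ("alert", "high-fidelity indicator", sorted(high))
        elif corroborated:
            decisions[host] = ("alert", "low-fidelity indicators share a threat group", corroborated)
        else:
            decisions[host] = ("suppress", "isolated low-fidelity indicator", sorted(observed))
    return decisions


# Constructed host observations.
DEMO_EVENTS = {
    "host-a": ["cdn-check.example"],                  # one low-fidelity hit: suppressed
    "host-b": ["cdn-check.example", "203.0.113.7"],   # two lows, same group: alert
    "host-c": ["c2.example"],                         # high fidelity: alert
}


if __name__ == "__main__":
    graph = build_demo_graph()
    print(context(graph, "c2.example"))
    print(correlate(graph, DEMO_EVENTS))
```

The point of `correlate` is the middle case: neither the IP nor the CDN-check domain is trustworthy enough to alert on by itself, but both sit one hop from the same threat group, and seeing them together on one host is the corroboration the text describes. The `context` walk is what turns a bare indicator match into an alert an analyst can act on, because it names the group and the publication behind it.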

The Bottom Line

If you’re looking for an XDR solution, or an MDR solution that leverages a robust XDR at its core, Taegis is your obvious choice to reliably detect active threats without generating excessive false positives. Its automated detection capabilities are driven with optimal timeliness, fidelity, and context from superior threat intelligence. Reach out to a Secureworks expert or request a demo to learn more.

To hear more about Secureworks proprietary threat intelligence, check out the on-demand videos from our most recent global Threat Intelligence Summit.
