In today’s escalating threat landscape, Security Operations Center (SOC) teams face a constant cat and mouse battle against adversaries as they try to stay one step ahead. This situation isn’t helped by the fragmented tools; multiple data feeds and data siloes they must contend with. Likewise, with so many security vendors out there with different approaches and solutions, how do they know what cybersecurity solutions they should be investing in?

Making any security purchase is always an onerous task as SOC decision-makers analyse what questions to ask and what tools and solutions are the best fit for their environment. However, SOC teams must equip themselves for the cyberthreat landscape they face and many are now establishing their own threat intelligence operations and capabilities.

Sifting through mountains of disparate data

In the process of building out their threat intelligence capability, many SOC teams acquire multiple data feeds – from commercial sources, open source, the industry and from their existing security vendors — each in a different format. They soon realize they lack the manpower and technology to programmatically sift through mountains of disparate global data and actually use it. Without the proper resources, the data they’ve invested in simply becomes more noise, potentially generating a high number of false positives.

Also, many organizations fail to incorporate internal data into their threat intelligence. This is the telemetry, content and data created by each layer in their security architecture, on-premises and in the cloud. This also includes data from modern security tools and technologies. Not only is this data high fidelity, it’s also free.

To use all this threat intelligence data more productively, many organizations are investing in a threat intelligence platform (TIP). Selecting a TIP is important as it serves as the foundation for the entire security operations program, allowing teams to understand and act upon the highest priority threats they face, while enabling them to get more from their existing resources.

Not all technology vendor solutions are created equal

But what are the essential capabilities SOC teams should be looking for in a TIP. It is important to note that not all technology vendor solutions are created equal.

Below, we outline the core questions that SOC teams should be asking vendors in order to make the best decisions about which TIP to implement into their SOC operation.

It is worth noting that SOC teams should view the selection process as a journey, not a simple product purchase, as the vendor they select must have the capacity to become a strategic partner. Factors to take into consideration include platform maturity, service and support, user base and company track record, while also considering specific use cases.

The benefits of a TIP

At this stage, if the business is questioning why the SOC team needs a TIP, there are plenty of benefits that it delivers: It can reduce risk, improve defences and enable the organisation to execute on strategic and tactical enterprise goals while staying on budget.

The organisation can arm their SOCs, incident response teams and threat intelligence analysts with a platform to efficiently structure, organize and utilize threat intelligence across the enterprise. It also helps security analysts to improve situational understanding, accelerate detection and response, maximize existing security investments, and collaborate more effectively as a team.

Incident response teams can automate prioritization of threats and security incidents, accelerate investigations and push intelligence automatically to detection and response tools. Threat intelligence analysts can efficiently structure and organize threat intelligence with context and prioritization to build adversary dossiers, make better decisions and take action.

Asking the right questions

With stakeholders now convinced, there will of course be other business questions to consider alongside technical questions. Below we have outlined some of the key questions SOC teams should be thinking about asking the vendor:

• How does the platform consume structured and unstructured data and how many “out-of-the-box” commercial feeds and/or open-source feeds do you have?
• What about context and transparency? For example, are customer-defined IOC tags/context/attributes shared across the vendors’ other customers?
• What about scoring and prioritization? Can customers customize scoring based on their own organization, team, resources, and capability without those customizations being broadcasted to other customers? Is the vendor scoring transparent?
• What is the vendor’s approach to expiration of intelligence?
• What about correlating internal and external data? If bi-directional data is enabled, does your company have sole ownership rights to my company’s data within the system?
• Do you have bi-directional integration with all the SIEMs, ticketing systems, vulnerability management solutions and SOAR solutions?
• With notifications and alerts can an analyst create an alert list within your dashboard on any object/node in the system?
• Where sharing and collaboration is concerned, can we opt-in and opt-out of sharing data with a vendor or community?
• Does the TIP support data-driven automation natively and through API integration with SOAR platforms?

This is not an exhaustive list. There will also be questions around pricing models, service and support, different use cases and questions specific to each SOC team’s environment. But hopefully this will help to put the SOC team on the right path, armed with key questions to ask and potential hidden risks, to navigate the process successfully and find the right platform to meet their requirements.