4.2 CTI Role in SOC Part 2


Time: 4 hours 30 minutes
Difficulty: Beginner
Video Transcription
00:00
And here we are. Welcome back and get ready to continue our review into the SOC world and the role cyber threat intelligence has in it.
00:09
As we stated before, context is one of the most important parts when discussing alert reviews, and one of the most important phases where it is needed is when performing the triage. As we defined before, the triage phase is all about assigning a classification and defining if the alert requires further treatment
00:28
or if it can be discarded as a false positive.
00:31
Most of the time, this context and correlation will be given by internal system logs, network devices and security tools that glue them all together.
00:41
This is where the cyber threat intelligence tools are used in order to correlate what the internal information is providing with what the cyber threat intelligence department has found relevant to these alerts.
00:52
Once the correlation is given, the actual flow of the possible threat or attack can be determined.
00:58
Now, one of the many challenges when performing this correlation in order to help the SOC unit give their alerts context is: where should information be obtained from?
01:07
For starters, outbound connections are crucial, since they give a right indicator of an external threat: is there command and control going on?
01:18
Or maybe there's a Trojan exfiltrating information.
01:22
These questions can be answered by having the right information about outbound connections, but you may wonder: in an organization there are a lot of outbound connections. Well, this is where cyber threat intelligence comes into play.
01:34
Because the cyber threat intelligence unit has the most recent and relevant information about malicious IPs, domains, hashes, etc., this will correlate with the connections and will give a much more reduced list. And most important, this smaller list will be as relevant as possible
01:55
regarding likely threats.
01:57
So
01:57
this correlation can be done with a lot of other tools that are being monitored, like firewall alerts and internal network activity.
02:05
These two can be correlated in the same manner, by using the information collected by the cyber threat intelligence unit and configuring it to only show activity related to threats already known.
02:16
Also, other useful information for the SOC unit is session activity by user and workstation, so they can know if it is related to an existing user or if it already is definitely something odd going on.
02:30
When performing this analysis, one of the most important subjects is having accurate time in the logs that are being recorded,
02:38
since different timelines on devices will most definitely cause false positives in the investigation, and probably false positives that will slow down entirely the activities of the SOC team.
02:52
As important as it is for SOC analysts to gather information about real threats more quickly and accurately, there's an argument to be made that the ability to rapidly rule out false alarms is even more important. And this makes sense,
03:07
since the more rapidly the false positives are taken out of the equation, the more time can be applied to
03:13
real investigations about threats menacing the organization.
03:16
Threat intelligence provides SOC staff with the additional information and context needed to triage alerts promptly and with far less effort. It can prevent analysts from wasting hours pursuing alerts based on
03:30
actions that are more likely to be not a threat rather than malicious.
03:35
Let's say an alert is triggered by a user locking their account. It is more important to contact the user and confirm the alert than to start tracing the network activity to determine where the lock is coming from.
03:49
One will be way more effective than the other and will allow the security analyst to mark it as a false positive as soon as possible.
03:57
Other rule-out behaviors are attacks that are not relevant to that enterprise. This is a very valuable subject to take into account, but it also is very risky when the right directives are not well defined.
04:10
If it is not clear what attacks and threats are relevant to the organization, a lot of time is going to be wasted discarding all these threats after an investigation,
04:20
rather than right away when noticing it's not a relevant threat.
04:26
And last but not least, attacks for which defenses and controls are already in place, which is basically self-explanatory. Some threat intelligence solutions automatically perform much of this filtering by customizing risk feeds to ignore or downgrade alerts that don't match organization-
04:46
and industry-specific
04:46
criteria.
04:48
Okay
04:49
To put into perspective what we are talking about, we can see this image where a lot of IP addresses are just shown on the screen.
04:57
This is what, most of the time, security analysts would look at when trying to find something:
05:03
they're left with a timestamp and an IP address to perform an investigation about a potential threat.
05:11
I want to make the disclaimer that this is not some sort of promotion of Recorded Future tools or else.
05:16
But the truth is, Recorded Future is one of the threat intelligence providers that has the most technical information and knowledge base available to users in order to understand what cyber threat intelligence is and its implementation. And that's why we can get images like the one on the right. The picture on the right
05:35
shows the enhancement that cyber threat intelligence can provide to the IP addresses shown in the image on the left.
05:41
As you can see, there are many indicators that make a lot of difference to the security analysts, who can clearly see if an IP is good or bad, or whether it shall be considered in their investigations.
05:56
So with this content, we have now covered how the cyber threat intelligence unit will help the SOC analysts do their jobs, making them more efficient and effective. And with this we can answer questions like: what is the most important role of cyber threat intelligence in the SOC?
06:14
I bet I know what you're thinking:
06:16
context.
06:18
What is the biggest problem of SOC analysts, and how does cyber threat intelligence integration help reduce these problems?
06:28
It doesn't matter the amount of information that you provide to SOC analysts; if it is not correlated properly, it won't be much help.
06:36
And what are the specific roles that SOC analysts have to execute in order to fulfill their purpose?
06:43
Well, this one I'm gonna let you guys answer. Remember, if you have any further doubts, you can reach me at my email account.
06:53
And that's how we finish this section on cyber threat intelligence and the SOC team. In today's video, we dove into the SOC challenges and how the cyber threat intelligence unit can help with these:
07:03
the overwhelming amount of alerts that SOC analysts have to go through, the key processes they have to assure to guarantee effective monitoring, and the alert enrichment in order to provide the necessary context to the analysts and provide a more efficient use of their time.
07:20
In the next video, it is the incident response team's turn. We will be covering the incident response team world, how it is connected to our SOC team and, furthermore, how it benefits from cyber threat intelligence. What marvelous things will cyber threat intelligence be able to do for our friends at
07:41
incident response?
07:42
Well, we'll find out.
07:45
And that's all for today. It sure was a fun ride exploring the SOC unit. Thanks for watching. Don't forget to subscribe and hit the bell. Wait, just kidding. See you in the next video.