We recently explored how threat intelligence provides an essential complement to the security challenges that security information and event management (SIEM) platforms are designed to handle. Here, we’ll look more closely at how threat intelligence helps SIEM users by hearing from Relativity, a software developer based in Chicago that provides e-discovery solutions for law firms.
As we discussed previously, SIEM platforms are useful for pulling security event data from across an internal network and putting it all in one place. But there’s just so much data, and it’s only growing. This leads to a growing number of alerts produced by SIEMs — alerts that can be difficult to triage and resolve. SIEM users face an information overload from alerts that lack an outside view or additional context, and aren’t always dealt with in a timely enough manner to reduce risk.
All these challenges are certainly true at an organization like Relativity, which stewards massive amounts of sensitive legal data in their mission to give organizations “the tools to tackle any challenge, whether it’s litigation, information governance, a government request, or an internal investigation,” as they put it. Keeping that data secure is a primary objective of theirs, and it’s one that they can only meet by relying on real-time threat intelligence.
For a quick look at how Relativity uses threat intelligence to fulfill its security needs, check out this interview with two senior members of their security team:
We talked to Darian Lewis, the lead threat intelligence analyst at Relativity, to better understand how they use threat intelligence to stay on top of day-to-day SIEM alerts and other security operations duties.
The following interview has been edited and condensed for clarity.
How can security operations, incident response, or vulnerability management teams use threat intelligence to work more effectively, more quickly? What are some challenges they face that are solved by threat intelligence?
All of those teams need access to threat intelligence. Without it, they just don’t understand what they’re looking at. The volumes of data have grown from a couple hundred megabytes a day in logs to terabytes of logs. There’s absolutely no way that individuals can go through that volume of data.
The tools that we use bring it all together in one place, but to understand it, you need the intelligence component. It used to be that we would wonder whether companies were mature enough to actually digest threat intelligence, but these days that’s not even a concern. You simply have to. And it has to be integrated with the data that you have in order to get understanding out of it.
From the ground level, analysts looking at a new IP that’s coming in, or a new domain that people are trying to go out to, need to understand what the actual risk is to the company. And the only way to do that is by having threat intelligence integrated directly into the products that they’re using, because they don’t have the time to go hunt it down.
No analyst can go through thousands of incidents a day. We’ve got to get that down to literally dozens at most, so that they can spend the time to work on the things that are important.
You brought up this idea of maturity — do organizations, or security practitioners in particular, need a certain level of experience or maturity to effectively tackle these problems?
A lot of the maturity in the industry has grown, like I said, from people needing to understand every technical aspect. It’s been baked into our tool sets. At this point in the game, we’re mostly “toaster” users — people are simply expected to click the button.
However, that’s not what real analysts do. Our goal is to answer questions — specific questions. Sometimes companies ask us very complicated things, like, “Who’s coming after us? What do they want? Where are our weak spots?” Those are not easy questions to answer. They take a lot of research, a lot of time spent to find out what the answers to those kinds of questions are. Threat intelligence is what’s giving us those answers.
As far as maturity goes, the maturity of individual analysts has grown tremendously over the years, as I’ve watched people go from understanding what a firewall does to understanding this next generation set of tools that we have to work with and how everything fits together. So we’re able to paint pictures of who’s coming after us, what do they want, and how are they going about it. Where are our soft spots? How can we harden those? Where can we deflect attacks? Sometimes it’s not about keeping people out, just making it so difficult that they don’t want it anymore, or at least that we know that it’s there because once you know an attack is in place, you can do something more about it.
You mentioned that you’ve seen a maturity with individual analysts grow over time, but I also understand it’s a pretty persistent problem that there’s just not enough people entering the industry. What are some answers to that? How does threat intelligence help?
We are short of analysts and people who understand what’s going on, and the number is supposed to grow to ridiculous numbers in just the next few years, from a few hundred thousand shortage to a million shortage. We can’t put people through school fast enough. Schools are teaching things that are 10 years old. It’s a difficult and complex problem to solve. There’s no real easy solution to it. So, we have to get better at automation and we have to get better at the things we know that need to be taken care of.
I think there’s enough understanding of what the basics are, but threat intelligence brings to the table something that we’ve never had before, which is visibility into the minds of the bad guys. It lets us understand what they’re after, what we have that they want, why they want it, and what we can do to keep them from it. The maturity of the industry growing is important because we need to be forward thinking. People need to stop being behind the eight ball trying to keep the border safe. We need to move beyond that border and be more proactive, and the only way we can do that is through threat intelligence. That’s really where maturity leads us. It leads us further and further from our perimeter, so that we understand what’s coming down the pike because the right time to fix the vulnerability is before it’s exploited, and not afterwards.
When breaches and other bad things happen, that’s when you realize just exactly where the gold was inside your vault. Right now, a lot of companies don’t realize where their gold is. I think threat intelligence brings that to bear for them. For CISOs that need to be able to relate this back to the board and to others, they need to get a full risk profile, and it’s not just physical risk and their cyber risk, but also who’s out there, where the goods are, because a lot of companies still don’t know. Our asset management is a complex problem in our industry and until they fully understand where that risk surface is, they don’t know where their soft spots are.
What security problems does Relativity use SIEM platforms to manage? How does threat intelligence from Recorded Future help?
The SIEM that we’ve chosen is Splunk, and we feed all of our internal data into it. So we have our network feeding its information into Splunk — data from our firewall, our cloud solution, our on-premises solution. All of our endpoints also feed their information into it — our endpoint response solution, antivirus, anti-malware, Microsoft Advanced Threat Protection, they all feed into one location. Our analysts use it as a single pane of glass to get their work done.
And then for external context, we have a single repository source of truth in our threat intelligence platform, and intelligence from Recorded Future feeds into there. That means that all of the intelligence Recorded Future provides on a minute-to-minute basis goes from our threat intelligence platform into our SIEM solution so that we can compare anything suspicious that we see there against external context.
We’re also using your hunting packages. Those things are awesome. We use them to hunt threats retroactively within our network by looking at older SIEM data and comparing, and also to look outside of our network. They just pull together a lot of threat intelligence into one useful package.
And what unique problems does Relativity face in the legal industry? Who targets the organizations you work with?
Well, we’re a softer target. Security just isn’t top of mind for a lot of attorneys and law firms. In fact, they get more phishing attacks than anyone, because organizations in the industry hold on to a lot of valuable and sensitive data, like case data on some of the most prolific cases tried in the U.S. today. So we look carefully at phishing attempts, and at how people are probing networks. We like to go through those and make sure they’re less than harmful.
And that’s where threat intelligence really shines for us. Whenever we get hits for any IPs or domains, hashes, anything else, Recorded Future has great intelligence in the background that helps us make “go/no-go” decisions on that traffic.
Regarding who’s actually targeting legal organizations, if you look at the payloads they attempt to drop, it’s things like Monero cryptocurrency miners, banking trojans like Emotet, backdoor activity, people looking to grow their botnets. These are low threat-vector, usually non-targeted threats, but they’re ongoing and nonstop. And once they get a foothold and they realize you’re a high-value threat, these threat actors will sell you and your data as a much higher-value asset to other cybercriminals. It’s that low and slow bleed of data that harms. In fact, it’s rarely the company itself that knows first whether it’s been affected — it’s usually a third party that alerts them because they notice a breach in their own security.
A great way to take a deeper look at the best practices for integrating threat intelligence with your SIEM is by reading our complimentary solution brief on the topic, “Supercharging SIEM Solutions With Threat Intelligence.”
And if you want to learn more about how Relativity manages large volumes of data and ensures the safety of its users, you can watch our webinar with them on intelligence-driven security.