Transforming Threat Data into Actionable Intel

To keep up with today’s threat landscape, you must collect information from a dizzying array of sources – public feeds, subscription services, information shared by corporations and cybersecurity vendors, and internal monitoring systems. Because threats change and grow at lightning speed, data piles up faster than you can say “cybersecurity.”

Still, believe it or not, data collection is the easy part. The real challenge is figuring out what to do with the flood of information – and how to separate credible threats from false positives that tie up resources and waste precious time. After all, threat intelligence is useful only if you can analyze and act on it in a timely manner.

The problem is humans cannot process vast volumes of data. They need help from technology. Identifying Indicators of Compromise (IOC), which provide clues of malicious activity within the network, requires solutions with machine learning capabilities that automate the process of collecting, cleaning and transforming raw data into actionable intel.

Herculean Task

IOCs typically reveal themselves through telltale features that evade the human eye but cannot escape detection by machine learning algorithms trained to spot them. IOC characteristics may include a recently registered domain, wording that does not match regular language patterns, entropy (a high number of characters in a domain), login attempts from outside an organization’s geographical area, and unusual DNS inquiries.  

IOCs show up across an expansive sea of devices and networks. Threat actor activity can hide behind local host IP addresses on individual devices and in Content Delivery Networks (CDN), which use distributed proxy servers to cache large media video and audio files to improve their accessibility and download speeds.

Another contributor to IOC proliferation is the shift to cloud computing systems such as Google Drive, Amazon S3 and Microsoft 365, which created new attack surfaces. Even more will be created with the Internet of Things (IoT), where even an IP-connected lightbulb can double as an attack vector.

To fend off potential threats, you have to swiftly identify red flags across this growing field of devices and networks while managing to reduce false positives. It’s a herculean task.

Identifying IOCs

To tackle the massive task of detecting, analyzing and scoring IOCs, CenturyLink is integrating machine learning into our Security Log Monitoring platform and combining it with a cross-industry standard process for data mining (CRISP-DM) framework to reduce false positives, pinpoint credible threats, accelerate mitigation and lower security-related costs.

Security Log Monitoring will combine deep learning algorithms with the automation of data classification models based on years of threat intelligence monitoring.

Security Log Monitoring’s automated IOC analysis creates an intersection between data collection, deep analysis and automation. This is where security meets data science. And it helps to give cybersecurity professionals a real fighting chance against threat actors.

Affordable Threat Intelligence

Security Log Monitoring’s IOC machine learning capability employs UEBA (user and entity behavior analytics) to automate threat analysis, allowing organizations to automatically scale internet security up or down based on changing threat levels.

Available through SaaS (software as a service), it is an affordable cloud-based service that places top-level threat intelligence within reach for organizations. Having an affordable threat monitoring service allows organizations to focus on business-critical insights instead of digging through heaps of threat data.