Threat intelligence is invaluable for any organization; the ability to leverage the security community’s combined knowledge of threats can take an organization’s security program to the next level. This shared information usually takes the form of indicators of compromise (IOCs), which can be IP addresses, domains, hashes, or other data types related to a threat. The IOCs are delivered from intelligence sources in frequently updated feeds, which can come in all different shapes and sizes; the feed could be a large, general feed from a threat intel company, or a smaller, threat-specific feed maintained by a small team or single person.
At first glance, it may seem that having more threat feeds means better security. However, getting meaningful value out of threat intelligence can be difficult, and more feeds can lead to high numbers of false positives and wasted resources on investigations.
In this article, we’ll review common problems with implementing threat intelligence and the best practices that can help fully realize its potential.
Threat feeds are commonly integrated with security technologies, such as firewalls or SIEMs, to automatically detect or block activity involving a threat IOC. Upon integrating a large feed, most organizations immediately see a high number of matches on traffic to a variety of threat IP addresses or domains. Has the organization been compromised? Investigating all of these communications can be infeasible. How can curated threat feeds generate so much noise?
The most important property of a threat feed is accuracy; the IOCs need to represent actual threats, or the feed will lead to false positives. There are several ways an IOC can have low confidence of accuracy:
Not all threats are equally impactful. Even if an IOC is accurately associated with a threat, the threat may pose a very low risk to the organization. Large threat feeds often mix low risk threats, such as hosts that have been observed scanning or sending spam, with high risk threats, like known malware or APT campaigns, making it difficult to determine the level of response warranted for a detection. Outbound connections to a known malware command and control server should be a higher severity event than web browsing to a site associated with spam.
Given the above issues, it’s no wonder that organizations can become inundated by alerts for threat feed activity. But this volume can also be attributed to the strategy of alerting every time a threat IOC is observed, on a one-to-one basis. A single communication to an IP address or domain on a threat feed may not be enough evidence that malicious activity is occurring. These low confidence detections can require a lot of investigation time and will most likely end up as false positives. The one exception is threat file hashes, which, when observed, are very accurate and indicate the presence of a malicious file.
So how can threat intelligence be used in a way that provides the most value with the least amount of false positives?
The first technique is to filter out the low confidence and low risk IOCs from the threat feed. The most efficient way is to look at the IOC’s score. Most threat feeds have a score for each IOC that generally represents the IOC’s accuracy and the severity of the threat. The score calculations may include a variety of factors, such as the age of the IOC, the last time it was seen exhibiting malicious activity, the type of activity, the type of threat actor, and more.
By filtering out low-scoring IOCs from the feed, we can reduce the noise of inaccurate and low risk detections and focus the alerting on higher risk threats.
The threat feed can also be filtered on the type of threat associated with the IOC. Some feeds label the IOCs with categories such as scanning, phishing, spam, malware, and others. Not every category is relevant to every detection. An alert detecting outbound connections to an IOC might exclude scanning threats, since return traffic from an external scan may trigger false positives. Categories can also be used to create threat-specific detections, and noisy categories can be filtered out of alerting and used in a scheduled report instead to maintain visibility.
The final step is to create higher fidelity correlations that use the IOCs. Instead of broadly detecting every occurrence of an IOC in the logs, which can be noisy and low confidence, the IOCs can be correlated with specific activities. These activities could include authentications, shell connections, file transfers, file downloads, and others, which are normally benign but become suspicious when involving a threat IOC. By narrowing the scope of the alerts, we can greatly increase their fidelity and reduce the false positives while maintaining visibility into threat activity.
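The three tuning steps described above (dropping low-scoring IOCs, routing noisy categories to a report, and alerting only when a surviving IOC is involved in a specific activity) as one small detection pipeline. This is an added example and not code from the original post or from the GreyMatter product; the threat feed, the log events, the 0-100 score scale, the category names, the activity labels and the score threshold of 70 are all constructed assumptions. File hash matches alert regardless of activity, following the post's observation that hash hits are high confidence. A raw one-to-one match count is included so the reduction in alert volume is visible.

```python
"""Added example (not from the original post): tune a threat feed by score and
category, then correlate the remaining IOCs with specific activities instead of
alerting on every raw match. All feed entries, events and thresholds are constructed."""
from dataclasses import dataclass

# Activities that are normally benign but become suspicious with a threat IOC involved.
HIGH_FIDELITY_ACTIVITIES = {"auth", "shell", "file_transfer", "file_download"}
# Categories too noisy for outbound-connection alerting; matches go to a scheduled report.
REPORT_ONLY_CATEGORIES = {"scanning", "spam"}
# Severity of an alert derived from the IOC's category (assumed mapping).
SEVERITY_BY_CATEGORY = {"malware": "high", "phishing": "medium"}


@dataclass(frozen=True)
class Ioc:
    value: str      # IP address, domain, or file hash
    ioc_type: str   # "ip", "domain", or "hash"
    score: int      # feed-supplied confidence/severity score, assumed 0-100
    category: str   # e.g. "malware", "phishing", "scanning", "spam"


# Constructed feed using documentation address ranges and example domains.
FEED = [
    Ioc("203.0.113.10", "ip", 95, "malware"),
    Ioc("203.0.113.20", "ip", 30, "scanning"),
    Ioc("198.51.100.5", "ip", 80, "scanning"),
    Ioc("bad.example.net", "domain", 85, "phishing"),
    Ioc("ads.example.org", "domain", 40, "spam"),
    Ioc("deadbeef" * 8, "hash", 90, "malware"),   # placeholder hash, not a real sample
]

# Constructed log events: "activity" is the normalized event type, "dst" the peer.
EVENTS = [
    {"activity": "web", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"activity": "shell", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"activity": "web", "src": "10.0.0.6", "dst": "198.51.100.5"},
    {"activity": "auth", "src": "10.0.0.7", "dst": "bad.example.net"},
    {"activity": "web", "src": "10.0.0.8", "dst": "203.0.113.20"},
    {"activity": "file_download", "src": "10.0.0.9", "dst": "files.example.com", "sha256": "deadbeef" * 8},
    {"activity": "web", "src": "10.0.0.10", "dst": "ads.example.org"},
]


def naive_match_count(events, feed):
    """Baseline: every event touching any IOC value fires an alert (one-to-one alerting)."""
    values = {ioc.value for ioc in feed}
    return sum(1 for ev in events if ev.get("dst") in values or ev.get("sha256") in values)


def filter_feed(feed, min_score=70):
    """Drop IOCs below min_score, then split the rest into alertable and report-only sets."""
    alertable, report_only = {}, {}
    for ioc in feed:
        if ioc.score < min_score:
            continue
        bucket = report_only if ioc.category in REPORT_ONLY_CATEGORIES else alertable
        bucket[ioc.value] = ioc
    return alertable, report_only


def correlate(events, alertable, report_only):
    """Return (alerts, report_hits). An alert fires only when an alertable IOC appears in a
    high-fidelity activity, or when a file hash matches; other matches are kept for reporting."""
    alerts, report_hits = [], []
    for ev in events:
        for value in (ev.get("dst"), ev.get("sha256")):
            if value is None:
                continue
            hit = {"src": ev["src"], "activity": ev["activity"], "ioc": value}
            if value in alertable:
                ioc = alertable[value]
                hit["category"] = ioc.category
                if ioc.ioc_type == "hash" or ev["activity"] in HIGH_FIDELITY_ACTIVITIES:
                    hit["severity"] = SEVERITY_BY_CATEGORY.get(ioc.category, "low")
                    alerts.append(hit)
                else:
                    report_hits.append(hit)   # e.g. plain web browsing to a malware IP
            elif value in report_only:
                hit["category"] = report_only[value].category
                report_hits.append(hit)
    return alerts, report_hits


def run(events=EVENTS, feed=FEED, min_score=70):
    """Apply the full pipeline to a feed and a set of events."""
    alertable, report_only = filter_feed(feed, min_score)
    return correlate(events, alertable, report_only)


if __name__ == "__main__":
    alerts, hits = run()
    print(f"raw one-to-one matches: {naive_match_count(EVENTS, FEED)}")
    print(f"tuned alerts: {len(alerts)}, report-only hits: {len(hits)}")
    for a in alerts:
        print(f"  [{a['severity']}] {a['activity']} from {a['src']} -> {a['ioc']} ({a['category']})")
```

On the constructed data the raw approach fires on all seven events, while the tuned pipeline raises three alerts (a shell connection to the malware IP, an authentication to the phishing domain, and the hash match on a download) and sends two lower-confidence matches to the report; the two IOCs below the score threshold produce nothing. The split between alerting and reporting is a design choice that preserves visibility into activity against higher-scoring IOCs without paging an analyst for ordinary web traffic.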
Threat intelligence is an important part of any organization’s security maturity. But just having a threat feed is not enough; untuned feeds and weak correlations can lead to high false positives and little value. To effectively leverage threat intelligence feeds for the best outcome, use these techniques:
These changes should help provide more actionable alerting and value from threat intelligence.
How ReliaQuest GreyMatter Integrates Multi-Feed Threat Intelligence for Comprehensive Coverage
ReliaQuest GreyMatter automatically collects, normalizes, and prioritizes threat intelligence in a consumable format for your SIEM and EDR. ReliaQuest GreyMatter processes all IOCs and only sends those with the highest fidelity, so your security controls report fewer false positives. Customers on average receive over 35,000 new IOCs each week, ensuring up-to-date, relevant intel for comprehensive threat coverage and a 25% average increase in true positives.