Military general and philosopher Sun Tzu once led the largest armies in the world and authored The Art of War, still considered a masterpiece of tactical warfare and very relevant as we wage our battles against evolving cyberattacks. That’s because even though threat intelligence is a relatively new discipline in our cyber defense processes, it has actually been around for more than 2,500 years. Threat intelligence was central to Sun Tzu’s winning strategies and it is foundational to our success today as our security approaches continue to evolve, most recently with Extended Detection and Response (XDR) solutions. Most cybersecurity professionals are familiar with this widely referenced quote by Sun Tzu: “If you know others and know yourself, you will not be beaten in one hundred battles. If you do not know others but know yourself, you will win one and lose one. If you do not know others and do not know yourself, you will be beaten in every single battle.”
According to Sun Tzu, the first step in awareness is information gathering. This includes information about yourself – your assets, priorities, strengths and vulnerabilities. You must also know your enemy – who and where they are, their size, the types of weapons they use, their motivation, and their tactics and techniques. This information drives basic decisions – is this a threat or not, should we fight or flee, and what actions should we take? Then comes the most important step – calculations. As Sun Tzu said, “The general who wins a battle makes many calculations before and during the battle. The general who loses makes hardly any calculations. This is why many calculations lead to victory and few calculations lead to defeat.” We should not act on the basis of raw data, but rather on information gained by examining the data for relevance, priority and other situational information, which on the battlefield includes terrain and weather conditions. The goal is to apply context to data, so you have the right information at the right place and time.
Parallels with The Art of War and the XDR process
Relating this process to XDR, we see close parallels. Gathering information from different disparate internal and external sources and domains is the “extended” part. The distribution or dissemination of information across your security infrastructure is the “detection and response” part. Finally, calculations involve converting raw data into relevant intelligence and this is the basis for responding efficiently and effectively to a given situation.
To accomplish this, what’s needed is a data-driven security operations platform that allows you to extend capacity to consume and manage data, be it internal or external, structured or unstructured. A lot of valuable data you get from third parties is trapped within their technologies, so the platform must be based on an open architecture, where integrations are broad and deep to help you unlock that valuable resource as well. Having aggregated and normalized all that data, the platform then must be able to correlate the data and apply context so you can prioritize and filter out noise.
Ultimately, you want to be able to operationalize the data and take the right action. So, the platform must translate that curated, prioritized data for export, allowing for data flow across the infrastructure to quickly activate defense technologies and teams. Closing the loop, the platform also captures and stores data from the response for learning and improvement. And remember, all of this happens at speed and scale, so automation is key — allowing you to act efficiently for comprehensive response.
Threat intelligence best practices to enable XDR
For organizations considering XDR, or that have already embraced XDR, the following best practices will help you leverage threat intelligence to derive more value.
- Use data from all sources: Integration is a core competency to enable XDR because organizations are not starting with a clean slate but have dozens of technologies, feeds and third-party data sources across departments and teams. Allowing for strong integration and interoperability with all systems and data sources, internal and external, enables you to leverage threat data. Displaying a wealth of contextualized data via a common work surface enables teams to apply it to understand the threats they are facing to reach the goal of extended detection and response across the infrastructure and across all attack vectors.
- Use data to focus efforts: Prioritisation should be automated but under the control of the security team. Filtering out noise (false positives and information that is irrelevant) using parameters you set ensures prioritization is based on risk to your organization. Analysts can focus on threats that matter most instead of spending time chasing ghosts. Feedback and results should be continuously captured, stored and used to improve security operations.
- Use data to drive response: The most effective way to empower teams is to apply automation to repetitive, low-risk, time-consuming tasks, and recognize that the need for human analysis remains. Irregular, high-impact, times-sensitive investigations are best led by a human analyst with automation simply augmenting the work. A balance between human and machine ensures that teams always have the best tool for the job, and a data-driven approach to both improves the speed and thoroughness of the work.
XDR is gaining a lot of traction. But in order for it to deliver as promised, we need to heed Sun Tzu and start with a data-driven approach. Threat intelligence was critical to success on the battlefield then, and it is critical to success on the cyber battlefield today.
Discussion about this post