Threat Intelligence – Osterman Research
https://ostermanresearch.com

Making the SOC More Efficient
https://ostermanresearch.com/2024/10/09/making-the-soc-more-efficient/
Tue, 08 Oct 2024 18:29:33 +0000

Setting the research agenda at Osterman Research is a never-ending process of looking at possibilities, gathering early intel on the importance of each topic, and filtering a larger list to focus on the critical topics that can move the needle for cybersecurity at organizations. Many projects that end up on our agenda come about naturally from our ongoing wider research programs. Some, however, are suggested to us.

Our latest research agenda program fits in the latter category. When we were looking at possibilities for 2024, a client suggested:

Something around how the security industry is evolving to make the SOC more efficient and reduce stress and burnout would be good. For example, the H/M/L prioritization of alerts didn’t really do much. What are vendors doing that works, and what doesn’t work? (There could be a little AI in here, but it would be good to go beyond that.)

That nudge (thanks, Bob!) became the origin point for our latest report, Making the SOC More Efficient (available on the main Osterman Research site). It’s a long paper (26 pages) that attempts to deal thoughtfully and in-depth with the topic, exploring the data points we captured through the survey and advocating a way forward. There is more than “a little AI” in the report, though, as this has become both the greatest threat (82.4% of security leaders said that “the use of AI by cyberthreat actors in cyberattacks” was “very impactful” or “extremely impactful” – the highest-rated trend in this research) and one of the greatest tools for defenders (via the rise of AI-enabled cybersecurity solutions).

Some of the key takeaways from the research:

  • Current SOC approaches have hit the wall
    Confidence in the ability of the SOC to protect against the threats detected by their security tools has dramatically increased during the past two years, but this increase in confidence is expected to rapidly crater. The innovations that drove increased SOC performance over the past two years do not contain the necessary ingredients to continue driving performance over the next two.
  • Specialized threat intelligence to eliminate false positives, AI for behavioral analysis, and autonomous remediation seen as top innovations
    The three innovations seen as most likely to drive SOC efficiency and reduce stress and burnout among SOC analysts are the use of specialized threat intelligence to eliminate false positives; using AI for behavioral analysis in investigating alerts and autonomously creating or updating detection rules; and autonomously remediating incidents without SOC analyst intervention. Almost half of respondents gave two AI-powered defensive innovations the highest rating.
  • New innovations improve SOC metrics by a composite average of 35%
    All organizations in this research are already experimenting with at least one new approach to improving the efficiency of their SOC. The most impactful innovations on key SOC metrics (time to begin working on an issue, time to close an incident, and number of false positives) are AI behavior analysis with autonomous rule creation/updating, AI behavioral modeling for detecting baseline deviations, and autonomous remediation of incidents.

If SOC efficiency is in your wheelhouse, we’d love you to get a copy.

This program was sponsored by Dropzone AI, HYAS Infosec, Radiant Security, and Sevco Security.

Notes on our briefing with Cybersixgill – the RSAC2024 files
https://ostermanresearch.com/2024/05/24/rsac2024-cybersixgill/
Fri, 24 May 2024 02:45:50 +0000

We attended RSAC 2024 in San Francisco from May 6-8. Our days at the conference were packed with back-to-back briefings.

Here are some notes on our briefing with Christopher Strand, Cybersixgill’s Chief Risk and Compliance Officer. The briefing was organized by Liz Youngs of Trier and Company.

Key takeaways:

  • Cybersixgill offers automated threat intelligence solutions drawing on data collected from the clear, deep and dark webs. Their website puts it this way: “Cybersixgill covertly extracts data in real-time from a wide range of sources, including limited-access deep and dark web forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms.”
  • Cybersixgill’s approach delivers threat intelligence as more than just a threat intel feed. It aggregates data in a data lake, enabling the addition of context to newly curated data, which is aimed at helping security defenders make better informed decisions on mitigations and responses. 
  • If you are a Cybersixgill customer, you can receive threat reports for your vertical industry periodically (depending on your service level). This is a written report to provide analysis and context. It is complementary to the context-rich threat intelligence data.
  • The company is investing in building out the conceptual framework of a risk intelligence approach. Threat intelligence is part of this framework, but not the whole story anymore. Risk intelligence is a long-term play for Cybersixgill. Christopher has written a couple of blog posts on this topic – see part 1 and part 2.
  • In terms of risk intelligence, the big idea is moving beyond threat intelligence only to incorporate vulnerability intelligence (identifying and prioritizing), attack surface intelligence (gap identification for defense fortification), third-party intelligence (assessing security posture of supply chains and third-parties), and regulatory intelligence (sector/industry-specific regulations). It is, therefore, a much more holistic view of risk beyond adversary intent, capabilities, and techniques.
  • See also our write up on Cybersixgill’s State of the Underground 2024 report.

For more, see Cybersixgill.

Some thoughts on Cybersixgill’s State of the Underground 2024 report
https://ostermanresearch.com/2024/04/29/cybersixgill-2024/
Mon, 29 Apr 2024 04:35:05 +0000

We had a briefing with Cybersixgill earlier this month to talk threat intelligence, disruption, leveraging generative AI in threat intelligence, supporting SOC analysts with AI-infused analysis, and more. Cybersixgill collects and analyzes 10 million threat signals each day for its threat intelligence service.

Cybersixgill released its annual State of the Underground report in February (read the press release for the summary and register for the full details in the report). The report itself is 52 pages in length, and covers threat actor trends across six areas, e.g., compromised credit cards, messaging platform usage, initial access.

Here are our key takeaways:

  • Compromised credit cards less of a problem
    The market for compromised credit cards has collapsed over the past 5 years, from 140 million cards in 2019 to 12 million in 2023. Improved fraud detection and prevention is a key contributor to this change.
  • Less activity on underground forums and messaging apps
    Threat actors are making less use of underground forums and messaging apps, e.g., Telegram. However, much of this is due to significantly less activity by right-wing extremist groups and the disbandment of popular forums.
  • Vulnerabilities need to be paired with likelihood of exploit to be meaningful in defensive strategies
    There were 7 CVEs introduced in 2023 that scored the highest marks for likelihood of being exploited within the next 90 days. MOVEit Transfer was in first place. In the top 10, half were for Microsoft products.
  • Stealer malware continues to get worse
    Stealer malware grew in popularity in 2023, with 617 new types of malware (including stealers) mentioned on underground forums. Raccoon Stealer had >50% market share in 2023.
  • Availability of compromised endpoints for sale increased, too
    The number of compromised endpoints increased (almost doubled, actually), which is problematic since they can be used for data theft, lateral movement, botnet recruitment, and more.
  • Ransomware attack volumes were down, but ransom payouts up significantly
    Fewer attacks (by around 10%) combined with significantly higher ransom payouts (almost doubled) means ransomware continues to be a significant threat. While the likelihood of being targeted went down, for those that are targeted and compromised, costs are much higher.

Thanks to Cybersixgill for assembling such a good resource.

A Buyer’s Guide to Actionable Threat Intelligence – commissioned by Cyren
https://ostermanresearch.com/2020/09/30/orwp_cyren_202009/
Wed, 30 Sep 2020 00:00:00 +0000

Published September 2020

Commissioned by Cyren

Executive Summary

Contextual threat intelligence is an effective force multiplier that enables security teams to make better, faster, and more accurate decisions.

The fundamental nature of cybersecurity is a continuous battle between bad actors, some of which are highly sophisticated and well-funded, and those who must defend networks, users, and data sources against their attacks.

Threat intelligence can help to enable security analysts, threat researchers and others to deal more effectively with cybercriminals by providing the information to better understand current and past attacks, and it can give them the ability to predict and thwart future attacks.

The Value of Threat Intelligence – Survey Report
https://ostermanresearch.com/2019/12/20/orsp_0316/
Thu, 19 Dec 2019 23:00:00 +0000

Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections, and thwarting account takeovers because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting data sought by attackers, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.

This missing component for most organizations is the addition of robust and actionable threat intelligence to their existing security defenses, which can be segmented into four subcategories:

  1. Strategic (non-technical information about an organization’s threat landscape)
  2. Tactical (details of threat actors’ tactics, techniques and procedures)
  3. Operational (actionable information about specific, incoming attacks)
  4. Technical (technical threat indicators, e.g., malware hashes)

The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cyber criminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.

ABOUT THIS SURVEY REPORT

This survey report presents the results of a primary market research survey conducted during mid-2019 with members of the Osterman Research survey panel, another panel, and other respondents.

The Value of Threat Intelligence – White Paper
https://ostermanresearch.com/2019/11/25/orwp_0316/
Sun, 24 Nov 2019 23:00:00 +0000

Published November 2019

Sponsored by Cofense, DomainTools, Proofpoint and Spamhaus Technology.

Executive Summary

Cyber security is an ongoing battle between sophisticated and well-funded bad actors and those who must defend corporate networks against their attacks. The bad news is that the latter are typically not winning. A recent Osterman Research survey found that while most organizations self-report that they are doing “well” or “very well” against ransomware, other types of malware infections, and thwarting account takeovers because of the significant emphasis placed on these threats, they are not doing well against just about every other type of threat. These include protecting data sought by attackers, preventing users from reaching malicious sites after they respond to a phishing message, eliminating business email compromise (BEC) attacks, eliminating phishing attempts before they reach end users, and preventing infections on mobile devices.

This missing component for most organizations is the addition of robust and actionable threat intelligence to their existing security defenses, which can be segmented into four subcategories:

  1. Strategic (non-technical information about an organization’s threat landscape)
  2. Tactical (details of threat actors’ tactics, techniques and procedures)
  3. Operational (actionable information about specific, incoming attacks)
  4. Technical (technical threat indicators, e.g., malware hashes)

The use of good threat intelligence can enable security analysts, threat researchers and others to gain the upper hand in dealing with cybercriminals by giving them the information they need to better understand current and past attacks, and it can give them the tools they need to predict and thwart future attacks. Moreover, good threat intelligence can bolster existing security defenses like SIEMs and firewalls and make them more effective against attacks. Threat intelligence plays a key role in proactive defense to ensure that all security programs are relevant to the fast-evolving threat landscape. This is particularly valuable in security awareness training to ensure users are familiar with known threats.
