According to a survey run on IR and SOC teams, analysts are required to keep track of an average of 6.8 threat intelligence feeds and manually handle an excessive number of alerts. The average security operations team receives over 11,000 alerts per day. Most of an analyst’s time (almost 70%) is spent on investigating, triaging, or responding to alerts, and most of these alerts must be manually processed, which significantly slows down a company’s alert triage process.
The Biggest Challenge for Security and Threat Teams
SOC analysts have too many alerts to process. It is overwhelming. Alert fatigue is a real phenomenon that can drive employee burnout and turnover. There is also a real risk that a serious threat will get missed in all the noise.
The quality of the threat intelligence platforms and feeds is highly questionable. How much of the intel is garbage and unusable? Threat intelligence process itself spans and feeds into many external and internal systems and applications. There are many stakeholders or beneficiaries using the TI feeds via SIEMs, network traffic analysis tools, intrusion monitoring solutions, and so forth.
Why Is It so Difficult to Manage?
When it comes to managing threat intelligence, there are usually many stakeholders trying to manage it with too many platforms. Lack of collaboration among teams and syncing up to learn from one another is time-consuming and frustrating. Not only that, but the existing threat intelligence platforms lack the capabilities to aggregate, analyze, and build context to help teams understand the relevance and potential impact of a threat.
How Palo Alto Networks Cortex XSOAR Threat Intelligence Management Helps Prioritize and Act
Cortex® XSOAR Threat Intelligence Management (TIM) introduces a completely new approach to embedding and taking action on threat intelligence across every aspect of the incident lifecycle. It enables you to attain unmatched visibility into the global threat landscape with automated connections between external threat intelligence and internal incidents.
With a common platform for incidents and threat information where there is no disconnect between external threat data and your environment, we believe your incident data is the most relevant source of threat intelligence available to your organization, and we help you treat it that way. Automated data enrichment of indicators provides analysts with relevant threat data to make smarter decisions. Integrated case management allows for real-time collaboration, boosting operational efficiencies across teams, and automated playbooks speed response across security use cases. TIM enables you to:
- Leverage the massive repository of Palo Alto Networks tactical threat intelligence (with tens of millions of unique malware samples and firewall sessions analyzed daily) as well as strategic intelligence from Unit 42™.
- Surface connections between threat actors and attack techniques previously unknown in your environment.
- Use best-in-class security orchestration, automation, and response (SOAR) capabilities to empower customization, modeling, and automation of threat intelligence at scale.
- Shut down threats across more than 600 third-party products with purpose-built playbooks based on proven SOAR capabilities.
- Take advantage of native threat intelligence management, unifying aggregation, scoring, and sharing of threat intelligence with playbook-driven automation.
- Improve decision-making during investigations, better predict and prevent future attacks, and get a global view of your threat landscape with a central intelligence library.
