As companies try to gain visibility into the threats targeting their systems, they are inhibited by a common problem: The sheer volume of data. A few years ago, they perhaps only had to worry about thousands of new indicators every day. Today, security teams may need to sift through hundreds of thousands of new indicators every day.
In 2018, two-thirds of companies consumed cyber threat intelligence data, according to the SANS 2018 Cyber Threat Intelligence survey. The top three uses of threat intelligence are detecting threats and attacks, prioritizing vulnerability remediation, and supporting incident response.
Yet correlating disparate data into credible threat information is a tough problem. Often the volume is beyond what a human analyst can process or correlate. Even with machine learning, such an influx of data can overwhelm systems and result in false positives.
Anomali solves that by using security, network, and threat data from a variety of sources to give companies additional context and more reliable threat intelligence. We take everything coming in, give it as much context as possible, and let the machine do the heavy lifting. Analysts in security operations centers (SOCs) are overwhelmed with data, so paring down that information into the high-quality signals of potential threats is not only desirable, but necessary.
As part of that effort, we integrate with other services that can give us internal context and insight into the security state of a business's environment. If you have a vulnerability scanner, you can bring in data about which systems are vulnerable and where those systems reside in your network.
When indicators come in from Symantec's ecosystem, you instantly have the context to tell which ones matter to your environment, rather than getting alerts on threats that do not affect your systems.
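The join described above, as an added example that is not Anomali's or Symantec's code: a constructed indicator feed is scored against constructed vulnerability-scan results and firewall log lines, so that an indicator's rank reflects whether it can actually hit a host in this environment rather than only the feed's confidence. The field names, zone weights, contact bonuses, documentation-range IPs and placeholder CVE IDs are all assumptions for illustration.

```python
"""Context-based prioritisation of threat-feed indicators.

Added example, not code from Anomali or Symantec. It joins a (constructed)
indicator feed with (constructed) vulnerability-scan results and firewall
log lines so that an indicator's rank reflects whether it can actually hit
this environment, not only the feed's confidence. The weights and the field
names are assumptions for illustration.
"""
from dataclasses import dataclass, field

# --- constructed sample inputs (documentation IP ranges, placeholder CVE IDs) ---

# Threat feed: (indicator value, type, feed confidence 0-100, CVEs the feed ties to it).
FEED = [
    ("203.0.113.7",   "ip",  85, ("CVE-0000-0001",)),
    ("198.51.100.9",  "ip",  60, ("CVE-0000-0002",)),
    ("192.0.2.44",    "ip",  95, ()),
    ("CVE-0000-0003", "cve", 70, ("CVE-0000-0003",)),
]

# Vulnerability-scanner export: hostname -> (ip, network zone, criticality 1-5, open CVEs).
SCAN = {
    "web-01":   ("10.0.1.10", "dmz",      4, {"CVE-0000-0001"}),
    "db-01":    ("10.0.2.20", "internal", 5, {"CVE-0000-0003"}),
    "kiosk-07": ("10.0.3.70", "guest",    1, {"CVE-0000-0002"}),
}

# Firewall log lines in a key=value style (constructed).
FIREWALL_LOG = [
    "2024-05-01T10:00:00Z action=allow src=203.0.113.7 dst=10.0.1.10 dport=443",
    "2024-05-01T10:00:05Z action=deny src=192.0.2.44 dst=10.0.2.20 dport=3306",
    "2024-05-01T10:01:00Z action=allow src=198.51.100.9 dst=10.0.3.70 dport=80",
]

# Assumed weights: how reachable a zone is from the outside.
ZONE_EXPOSURE = {"dmz": 1.0, "internal": 0.6, "guest": 0.3}
NO_CONTEXT_WEIGHT = 0.1   # indicator matches nothing we know about: keep it, but low


@dataclass
class Ranked:
    indicator: str
    score: float
    reasons: list = field(default_factory=list)


def parse_firewall_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def asset_weight(cves, scan):
    """Highest (criticality x exposure) over assets that have one of these CVEs open."""
    best, hosts = 0.0, []
    for host, (_, zone, crit, open_cves) in scan.items():
        if open_cves & set(cves):
            hosts.append(host)
            best = max(best, (crit / 5) * ZONE_EXPOSURE[zone])
    return best, hosts


def contact_bonus(ip, vulnerable_hosts, scan, fw_events):
    """Bonus if the indicator IP was actually seen talking to one of our hosts."""
    by_ip = {ip_addr: host for host, (ip_addr, *_) in scan.items()}
    bonus, notes = 0.0, []
    for ev in fw_events:
        if ev.get("src") != ip:
            continue
        host = by_ip.get(ev.get("dst"))
        if host is None:
            continue
        if ev["action"] == "allow" and host in vulnerable_hosts:
            bonus, note = max(bonus, 0.5), f"allowed to vulnerable host {host}"
        elif ev["action"] == "allow":
            bonus, note = max(bonus, 0.25), f"allowed to {host}"
        else:
            bonus, note = max(bonus, 0.1), f"denied to {host}"
        notes.append(f"{ev['ts']}: {note}")
    return bonus, notes


def prioritize(feed, scan, firewall_log):
    """Rank indicators by feed confidence scaled by internal context."""
    fw_events = [parse_firewall_line(line) for line in firewall_log]
    ranked = []
    for value, kind, confidence, cves in feed:
        weight, hosts = asset_weight(cves, scan)
        reasons = [f"open on {h}" for h in hosts]
        if not hosts:
            weight = NO_CONTEXT_WEIGHT
            reasons.append("no matching asset")
        if kind == "ip":
            bonus, notes = contact_bonus(value, set(hosts), scan, fw_events)
            weight += bonus
            reasons.extend(notes)
        ranked.append(Ranked(value, round(confidence / 100 * weight, 3), reasons))
    return sorted(ranked, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for r in prioritize(FEED, SCAN, FIREWALL_LOG):
        print(f"{r.score:5.3f}  {r.indicator:15}  {'; '.join(r.reasons)}")
```

On the sample data the highest-confidence feed entry (192.0.2.44, confidence 95) drops to the bottom because it matches no open vulnerability and was only seen being denied, while an 85-confidence IP that was allowed through to a DMZ host carrying the CVE it exploits rises to the top. That inversion is the whole point of adding internal context: the feed's own confidence says how sure the vendor is, not how much the indicator matters to you.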
Symantec has an incredible footprint with millions of sensors deployed worldwide. With the DeepSight product, we satisfy our users’ need for access to everything else they are doing with threat intelligence.
Because modern application programming interfaces (APIs) allow easy integration, bringing the Symantec DeepSight intelligence into our platform was fairly straightforward. Going forward, as Symantec brings new data products into their portfolio, we aim to incorporate those that are beneficial to the Anomali ecosystem.
As Symantec's ecosystem continues to evolve, there are going to be many opportunities to find points of overlap, tap into more data, and gain extra visibility. In addition, there are many further types of enrichment that will let us bring people more information about different threats, and some exciting ways to bring different tools into the environment.
With companies increasingly asking for threat intelligence systems to prioritize their analysis and incident response activities—more than three-quarters of firms directly import threat intelligence into their security information and event management (SIEM) systems, according to the SANS report—it becomes increasingly important to find more sources of data to add context to threat services. Yet, more data can mean more confusion, so using a system that adds context and can prioritize threats for companies is essential.