Co-authored by Ron Williams.
Why is relevance scoring critical to threat management?
Determining which threats are most relevant to an organization is one of the biggest challenges analysts face daily. Many threats rated 'HIGH' flood the security operations center (SOC) analyst's investigative queue, while threats classified as 'LOW' or left unrated too often turn out, after the fact, to have deserved that time and effort instead.
Analysts use various standard and ad-hoc models to characterize a particular threat. They may score or rank a threat to indicate confidence in its conclusions, its relevance to a particular situation or use case, or its potential impact on the target. Threat intelligence feeds typically carry similar measures: a threat category (such as Botnet Command and Control, Malware Servers, or Phishing URLs), a confidence rating (0-100%), and one or more component scores such as a Common Vulnerability Scoring System (CVSS) score.
Challenges to solving this problem
A key problem faced by analysts is contextualization, the process of making threat intelligence relevant to their own organization. An analyst is charged with determining whether a given event is relevant to their organization. If it is, they assess the relative impact, collect the evidence and show how it supports their conclusions, produce and deliver a report to the organization, and then move on to the next one.
Analysts spend a significant amount of time correlating multiple data sources to make decisions in the SOC, and getting to the relevant threats is the key challenge. Without contextual relevance, organizational leaders cannot accurately assess the impact to their organization, so resources are misallocated away from the threats that matter most.
Threat scores may indicate confidence in a threat and its potential impact globally. They may be produced by humans, by algorithms, or both. The key challenge for the analyst is correlating the properties of the scored indicators with the private indicators in their own infrastructure. Analysts need to see threat scores in the context of their individual situation, and from that prioritize which threats are most relevant to them.
The problem is not getting smaller. Analysts are racing against time to analyze all their events and prioritize threats for monitoring. Analyst resources are scarce and malicious activity is growing daily. Analysts are drowning in a sea of threat intelligence and telemetry and frequently left to make sub-optimal assessments of risks.
Introducing the IBM X-Force Threat Score
The IBM X-Force Threat Score was developed to help analysts prioritize workloads in the SOC by quickly identifying the threats that are most relevant to their organization. It is an analytical and adaptive score that continuously takes into account several inputs, such as the organization profile (industry, locations), the global threat severity, and local sightings of the threat's indicators in the user's environment.
The dynamic IBM X-Force Threat Score is the result of correlating all connected sources of data from the user's environment, including data from firewalls, routers, SIEMs, and other monitoring products from IBM and third parties. By combining global threat data with local relevance, the IBM X-Force Threat Score gives the analyst and their organization a contextualized perspective on the conditions they are actually facing.
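To make the idea of a contextualized score concrete, the following is an added example, not IBM's code and not the X-Force Threat Score algorithm (whose model and weights are not described on this page). It combines a feed's global severity and confidence with how well the threat's targeting tags match a hypothetical organization profile and how often the threat's indicators actually appear in local telemetry. The weights, the `Threat`/`OrgProfile` structures, the key=value log format and every feed entry and log line are constructed for illustration; the IP addresses and hostnames are reserved documentation values.

```python
"""Illustrative contextual relevance scoring (added example, not the IBM
X-Force Threat Score algorithm). All weights, names and log lines are
constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    category: str            # e.g. "Botnet Command and Control"
    severity: float          # 0-10 global severity published by the feed
    confidence: float        # 0.0-1.0 feed confidence
    indicators: set          # IPs/domains published for this threat
    industries: set = field(default_factory=set)  # targeted sectors, if known
    regions: set = field(default_factory=set)     # targeted regions, if known


@dataclass
class OrgProfile:
    industry: str
    regions: set


# Hypothetical weights: local evidence dominates, as the text argues it should.
WEIGHTS = {"global": 0.3, "profile": 0.2, "local": 0.5}
SATURATION = 5   # number of sightings at which the local term maxes out

# Constructed firewall/proxy export in key=value form, not real customer data.
SAMPLE_LOGS = [
    "2024-05-01T10:03:12Z src=10.0.4.15 dst=203.0.113.77 dport=443 action=allow",
    "2024-05-01T10:03:14Z src=10.0.4.15 dst=login-verify.example.org dport=443 action=allow",
    "2024-05-01T10:07:51Z src=10.0.7.9 dst=203.0.113.77 dport=443 action=allow",
    "2024-05-01T11:12:02Z src=10.0.2.33 dst=203.0.113.77 dport=80 action=deny",
    "2024-05-01T11:15:40Z src=10.0.2.33 dst=192.0.2.10 dport=443 action=allow",
    "malformed line with no destination field",
]

DST_RE = re.compile(r"\bdst=(?P<dst>\S+)")


def extract_sightings(lines):
    """Count destination IPs/hosts seen in telemetry; lines without dst= are skipped."""
    seen = Counter()
    for line in lines:
        m = DST_RE.search(line)
        if m:
            seen[m.group("dst")] += 1
    return seen


def profile_match(threat, profile):
    """Fraction of the threat's targeting tags that match this organization.
    A threat with no targeting data scores 0 here: nothing says it is aimed at us."""
    checks = []
    if threat.industries:
        checks.append(profile.industry in threat.industries)
    if threat.regions:
        checks.append(bool(profile.regions & threat.regions))
    return sum(checks) / len(checks) if checks else 0.0


def relevance_score(threat, profile, sightings):
    """0-100 contextual score from global severity x confidence, profile fit, local sightings."""
    global_term = (threat.severity / 10.0) * threat.confidence
    profile_term = profile_match(threat, profile)
    hits = sum(sightings.get(ioc, 0) for ioc in threat.indicators)
    local_term = min(1.0, hits / SATURATION)
    score = 100.0 * (WEIGHTS["global"] * global_term
                     + WEIGHTS["profile"] * profile_term
                     + WEIGHTS["local"] * local_term)
    return round(score, 1)


def rank_threats(threats, profile, log_lines):
    """Return [(name, score)] sorted by contextual relevance, highest first."""
    sightings = extract_sightings(log_lines)
    scored = [(t.name, relevance_score(t, profile, sightings)) for t in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed feed entries: a globally 'HIGH' threat aimed elsewhere, and a
# globally 'LOW' one whose indicators are being contacted from inside.
THREATS = [
    Threat("Retail POS botnet C2", "Botnet Command and Control", 9.0, 0.9,
           {"198.51.100.23", "c2.example.net"}, {"retail"}, {"APAC"}),
    Threat("Credential phishing kit", "Phishing URLs", 4.0, 0.7,
           {"203.0.113.77", "login-verify.example.org"},
           {"finance", "insurance"}, {"EMEA"}),
]
ORG = OrgProfile(industry="finance", regions={"EMEA"})

if __name__ == "__main__":
    for name, score in rank_threats(THREATS, ORG, SAMPLE_LOGS):
        print(f"{score:5.1f}  {name}")
```

Run as-is, the phishing kit (global severity 4.0) outranks the botnet C2 campaign (global severity 9.0) because four connections to its indicators appear in the local logs and its targeting matches the organization, which is exactly the inversion of 'HIGH' and 'LOW' described earlier. The local term is only as good as the telemetry parsing behind it: a production version would normalize hostnames, match subdomains and CIDR ranges, and treat a denied connection differently from an allowed one.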
Debut Launch of IBM Security Threat Intelligence Insights
The IBM X-Force Threat Score is included in the new IBM Security Threat Intelligence Insights application on IBM Cloud Pak for Security. Users see prioritized, relevant threats based on profile-specific characteristics. Once users connect data sources from their environment, Threat Intelligence Insights automatically checks the known indicators of each threat against that environment and updates the X-Force Threat Score for each threat on a regular cadence, so analysts can focus on what is critical.
Learn more about IBM Security Threat Intelligence Insights