Current security operations in certain companies involve consuming a feed of cyber intelligence data - information about current threats that may compromise corporate networks. Because of the large number of possible threats and related information generated each day, analysis of each entry in the feed - with respect to its severity and impact - can take hours after the time of first sighting. Using our Integrated Adaptive Cyber Framework (IACD), we implement flexible automation in the networks of three banks - MasterCard, Huntington, and Regions Financial - to decrease average response time from roughly 6 hours to under 3 minutes.
Working in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the banks, we use Security Orchestration, Automation and Response (SOAR) to parse raw threat intelligence into standardized Indicators of Compromise (IoCs), which common security orchestration tools can ingest and respond to. As part of our threat intelligence parsing, we use external enrichment tools to provide a relevant "score" of how severe a particular IoC may be. Providing a central feed of parsed, enriched IoCs allows security orchestration tools to make good, consistent judgments on how best to respond to an incoming threat, taking into account the possible impact on the specific network under management. We also touch on the importance of ensuring that automation makes only non-damaging changes to the configuration of the network (e.g. it should not accidentally block a commonly used domain).
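As an added illustration of the parse, enrich and decide pipeline described above (example code, not IACD's or the banks' own tooling), the following Python sketch normalizes a few constructed feed lines into standardized IoC records, attaches a hypothetical enrichment score in place of an external service, and routes an allowlisted, commonly used domain to analyst review rather than auto-blocking it:

```python
import ipaddress
import re

# Constructed sample of a raw, unstructured intel feed (not a real feed).
RAW_FEED = [
    "malicious host 203.0.113.7 seen in phishing campaign",
    "c2 domain evil-updates.example contacting victims",
    "suspicious domain google.com flagged by a noisy sensor",
    "bad hash d41d8cd98f00b204e9800998ecf8427e dropped by loader",
]
# Hypothetical severity scores standing in for an external enrichment service.
ENRICHMENT = {"203.0.113.7": 85, "evil-updates.example": 90, "google.com": 10,
              "d41d8cd98f00b204e9800998ecf8427e": 60}
# Domains this network depends on; auto-blocking them would be a damaging change.
ALLOWLIST = {"google.com"}
BLOCK_THRESHOLD = 70  # enrichment score at or above which a block is automated

def parse_indicator(line):
    """Extract the first IoC in a free-text feed line as (kind, value), or None."""
    for token in line.split():
        if re.fullmatch(r"[0-9a-f]{32}", token):
            return ("md5", token)
        try:
            ipaddress.ip_address(token)
            return ("ip", token)
        except ValueError:
            pass
        if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", token):
            return ("domain", token)
    return None

def decide(kind, value, score):
    """Map a scored IoC to an orchestration action, never auto-blocking allowlisted domains."""
    if kind == "domain" and value in ALLOWLIST:
        return "review"  # hand to an analyst instead of changing the network
    return "block" if score >= BLOCK_THRESHOLD else "monitor"

def process_feed(lines):
    """Parse, enrich and score each feed line into a standardized IoC record."""
    iocs = []
    for line in lines:
        parsed = parse_indicator(line)
        if parsed is None:
            continue  # no recognisable indicator in this line
        kind, value = parsed
        score = ENRICHMENT.get(value, 0)  # unknown indicators get the lowest score
        iocs.append({"kind": kind, "value": value, "score": score,
                     "action": decide(kind, value, score)})
    return iocs
```

In a real deployment the allowlist and threshold would be tuned per network, since the same IoC can warrant different actions in different environments.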