IT risks come from many sources that are not always easy to identify in advance, which makes prevention and mitigation challenging. With the explosive growth in cloud, social, mobile and bring your own device (BYOD) computing, the attack surface is greater than ever, and new attack scenarios become possible because of the complexity of the network topology and the variety of enterprise applications and technologies that have to coexist.
Deploying threat patterns, defined as a set of characteristics that describe a suspicious behavior and that can be revealed in security monitoring solutions (whether detective, such as a SIEM platform, or preventive, such as a web gateway platform), is a good starting point for security operations teams wanting to identify suspicious activities or potential attacks against networks, systems or applications.
However, threat patterns are complex to maintain, are subject to false positives and false negatives, and demand extra effort from the limited security operations center (SOC) resources, which are traditionally occupied mostly with tuning their platforms and trying to identify what really matters among a huge number of alerts and indicators.
We believe that adopting a simple, structured and well-defined process borrowed from the Software Development Life Cycle (SDLC) is the key to developing and maintaining those threat patterns effectively. A well-designed threat pattern can increase the threat detection rate and optimize the effort of the SOC, which can then focus only on the risk scenarios that really matter to the organization.
This approach, described and detailed in a new ISACA white paper, Threat Pattern Life Cycle Development, guides the threat analyst throughout five phases:
- Analysis, in which input data is mapped against significant use and misuse cases
- Design, in which the logical flow and thresholds are defined
- Development, in which the threat pattern is first deployed in the selected security platform
- Testing, to ensure that the functional requirements have been met
- Evolution, to ensure that the logic of the threat pattern continues to be aligned with business and risk objectives throughout its life cycle
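As an added illustration of the Design, Development and Testing phases (example code written here, not taken from the ISACA white paper): a hypothetical threat pattern whose threshold and time window are explicit design decisions, the logic that applies them to constructed log lines, and functional test cases that cover the false-positive scenarios the SOC would otherwise have to tune away by hand. The log format, the pattern and the sample events are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ThreatPattern:  # design-phase artifact: misuse case plus explicit thresholds
    name: str
    misuse_case: str
    failure_threshold: int   # failures from one source before a success is suspicious
    window: timedelta        # only failures inside this window are counted

# Hypothetical pattern (an assumption of this example, not from the white paper)
BRUTE_FORCE_LOGIN = ThreatPattern("repeated-failures-then-success",
                                  "attacker guesses credentials, then logs in",
                                  failure_threshold=3, window=timedelta(minutes=5))

def evaluate(pattern, lines):
    """Development phase: apply the designed logic to constructed log lines of the
    form '<ISO timestamp> <source> <FAIL|SUCCESS>'; returns one alert per tripping source."""
    recent = defaultdict(list)   # source -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ts, source, outcome = line.split()
        ts = datetime.fromisoformat(ts)
        recent[source] = [t for t in recent[source] if ts - t <= pattern.window]
        if outcome == "FAIL":
            recent[source].append(ts)
        elif outcome == "SUCCESS":
            if len(recent[source]) >= pattern.failure_threshold:
                alerts.append((pattern.name, source))
            recent[source] = []  # a success resets the count for that source
    return alerts

# Testing phase: constructed cases and the alert count the functional requirements demand
FUNCTIONAL_CASES = {
    "burst then success (true positive)": (
        ["2024-01-01T10:00:00 10.0.0.5 FAIL", "2024-01-01T10:00:20 10.0.0.5 FAIL",
         "2024-01-01T10:00:40 10.0.0.5 FAIL", "2024-01-01T10:01:00 10.0.0.5 SUCCESS"], 1),
    "slow typos over an hour (must not alert)": (
        ["2024-01-01T09:00:00 10.0.0.7 FAIL", "2024-01-01T09:30:00 10.0.0.7 FAIL",
         "2024-01-01T10:00:00 10.0.0.7 FAIL", "2024-01-01T10:00:30 10.0.0.7 SUCCESS"], 0),
    "failures and success from different sources (must not alert)": (
        ["2024-01-01T10:00:00 10.0.0.8 FAIL", "2024-01-01T10:00:10 10.0.0.8 FAIL",
         "2024-01-01T10:00:20 10.0.0.8 FAIL", "2024-01-01T10:00:30 10.0.0.9 SUCCESS"], 0),
}

def run_functional_tests(pattern=BRUTE_FORCE_LOGIN):
    """Returns {case name: passed}; a failing case sends the pattern back to design."""
    return {name: len(evaluate(pattern, lines)) == expected
            for name, (lines, expected) in FUNCTIONAL_CASES.items()}
```

In the Evolution phase the same test cases are re-run whenever the threshold or window is changed, so a tuning decision that silently reintroduces a false positive is caught before the pattern goes back into the monitoring platform.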
We believe this new ISACA guidance will prove useful in putting threat patterns to better use.