Looking back through the years of being a CSOC analyst and later on leading CSOCs, one of the struggles we faced as a team was the expectation of knowing about threats an hour before they came out and having reporting of some kind within hours of public release.
One particular incident stands out for me. Two critical vulnerabilities were being discussed on mainstream media. Not the tech blogs, not the cybersecurity news outlets, but news media that a majority of the population tunes into.
The very next day the COO of the company asks our CISO, “I saw something on the news about new cybersecurity vulnerabilities. Does that affect us, and what are we doing about it?” This scenario sounds very familiar to many practitioners out there. Like many organizations, we were an immature CSOC – we had threat intel feeds, but no true threat intel analysts.
So, we swung immediately into “response” mode, trying to find out how many of our systems were vulnerable, how to patch them, and so on. We didn’t have time to actually do a full deep dive into what the vulnerabilities were and how they were being exploited. Eventually, we were able to get that research done, but at the cost of slowing down our daily routine of protecting the enterprise. Our detections and alerts went unanswered for longer than usual.
During this “crisis” our analysts were trying to get hold of a threat intel service provider to assist. Not only did we lack the tools, but also the skillset to visualize the data and the threat. We were finally able to get on the phone with an analyst from one of our providers. The remote analyst provided data, but not context. So, we were left to translate the data on our own. We needed to know:
- The likelihood of an attack happening using the vulnerabilities
- Whether any adversary we knew of was exploiting the vulnerabilities
Unfortunately, the answers came back too late. We had to act, and we provided patch management strategies with the little information that we had at the time. I often think back to that day and wonder what would have been if we had had a true threat intel capability.
When I joined King & Union to lead The Culper Group, I reflected back on that day and asked myself: if there had been a threat intel provider that offered specific services to its customers, what could we have done differently? Was there a capability that existed that we were not taking advantage of? Ultimately, the answers to those questions are 1) a lot and 2) not then, but there is now!
In building out our Culper Analyst On-Demand service, our goal was to solve the same problem I just wrote about by providing answers and capabilities to CSOCs or Threat Intel teams that did not have enough analysts or – the even scarcer resource – time. Not only will our Culper Analyst On-Demand service provide answers, but we also want to provide a collaborative experience with our Avalon platform. When we deploy an analyst, our goal is to work with our customers to provide not only a written report of a threat, but also a visualization of the report in an easy-to-digest format for audiences of all levels.
As a CSOC manager and Incident Commander, I know that access to data is extremely important. And not just access, but the speed at which the data is provided. With the combination of the Culper Analyst On-Demand service and our Avalon platform, we can give our customers access to a threat intel capability at the touch of a button.