
From Silo to Synergy: Integrating Dark Web Threat Feeds into Your SIEM/SOAR


The ‘dark web’ sounds like something out of a spy thriller. But it is very real. It is a dynamic and high-velocity marketplace where stolen company credentials, exploits, proprietary source code, and more are traded on a daily basis. It is a marketplace C-suite executives cannot afford to be ignorant of.

Dark web threat intelligence is a tool designed to help cybersecurity experts stay ahead of those who operate in that marketplace. Unfortunately, traditional approaches to dark web threat intelligence have been siloed. In a typical scenario, a specialized team of analysts works a dedicated vendor portal, spots a pending threat, and only then alerts the IT department by ticket or email. By the time IT reacts to the alert, the damage is often already done.

A more modern approach dispenses with passive observation in favor of active synergy. It integrates darknet data directly into existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) ecosystems.

Silos Are More Like Vacuums

We talk about silos in all sorts of business contexts. In cybersecurity, silos are more like vacuums than anything else. Therein lies the biggest challenge with siloed threat intelligence. When threat data lives in a vacuum, context lag is inevitable.

A SIEM platform can easily flag a suspicious login attempt. Yet without context, an analyst will triage it as a routine password error. Now imagine the same SIEM, fed real-time updates, identified those specific credentials as having been sold on the darknet earlier that day. What would have been dismissed as a routine error becomes a high-priority breach attempt, because the attacker may already hold the password.

Integration Allows Information to Live

Dark web threat integration with SIEM and SOAR takes ‘dead’ information stuck in silos and gives it new life. According to DarkOwl, a leading provider of darknet threat intelligence technologies, the heart of integration is the API.

APIs are crucial to modern dark web investigations. They bridge the gap between dark web forums and an organization’s defense perimeter. It is the API that allows an organization’s security tools to speak a common language with intelligence platforms – all without the need for human intervention.

1. The SIEM Layer

The brain of modern security operations is the SIEM. By connecting it to a darknet feed through an API, the SIEM is equipped to automatically correlate internal logs with external threats in near real time. So if an employee's email address turns up in an infostealer log harvested from an infected device, the SIEM automatically cross-references that address against the active user directory, confirms the account is really one of yours, and raises an alert only for a genuine match rather than for every record in the feed.

2. The SOAR Layer

A SIEM platform is designed to detect threats. Meanwhile, the SOAR platform acts on those threats. Integrating SOAR with dark web threat intelligence enables the use of playbooks – pre-programmed responses to specific threats.

A typical example is a high-fidelity credential leak delivered through the API. The associated SOAR playbook immediately forces a password reset and enforces multi-factor authentication (MFA) for that particular user, and, where the identity provider supports it, revokes the user's active sessions so that an attacker who already logged in with the stolen password is cut off as well. Because playbooks act without a human in the loop, they should be gated on the confidence of the feed record: a low-confidence hit from an old combo list should open a ticket for analyst review rather than trigger resets across the organization.
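As an added example (not DarkOwl's code and not any vendor's real API), the following Python sketches both layers over constructed data: a feed payload whose field names are an assumption, a small user directory, and four identity-provider log lines. It performs the directory cross-reference described for the SIEM layer, the same-day login correlation described under "Silos Are More Like Vacuums", and the confidence-gated reset/MFA playbook described for the SOAR layer.

```python
"""Added example (not DarkOwl's or any vendor's code): ingest a credential-leak
feed, correlate it with the user directory and auth logs (SIEM layer), then
choose a playbook action (SOAR layer). All data is constructed and the feed
field names are an assumption, not a real vendor schema."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the JSON a darknet feed API might return.
FEED_JSON = json.dumps([
    {"email": "A.Rivera@example.com", "password": "Winter2024!",
     "source": "infostealer-log", "observed": "2024-05-10T06:15:00Z", "confidence": 0.95},
    {"email": "j.doe@example.com", "password": None,
     "source": "forum-combo-list", "observed": "2024-05-10T04:00:00Z", "confidence": 0.40},
    {"email": "nobody@partner.invalid", "password": "hunter2",
     "source": "infostealer-log", "observed": "2024-05-10T05:00:00Z", "confidence": 0.95},
])

# Constructed identity directory; this is what the SIEM cross-references against.
DIRECTORY = {
    "a.rivera@example.com": {"user": "arivera", "mfa_enrolled": False, "privileged": True},
    "j.doe@example.com": {"user": "jdoe", "mfa_enrolled": True, "privileged": False},
}

# Constructed identity-provider log lines already indexed in the SIEM.
AUTH_LOG = """\
2024-05-10T06:40:12Z user=arivera src=203.0.113.9 result=failure reason=bad_password
2024-05-10T06:40:31Z user=arivera src=203.0.113.9 result=success
2024-05-10T07:02:00Z user=jdoe src=198.51.100.7 result=success
2024-05-10T05:00:00Z user=arivera src=192.0.2.1 result=failure reason=bad_password
"""


@dataclass(frozen=True)
class Leak:
    email: str
    has_password: bool
    source: str
    observed: datetime
    confidence: float


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_feed(raw: str) -> list[Leak]:
    """Normalize feed records; lower-casing the email is what makes the directory join work."""
    return [Leak(email=r["email"].strip().lower(), has_password=bool(r.get("password")),
                 source=r["source"], observed=_ts(r["observed"]),
                 confidence=float(r["confidence"])) for r in json.loads(raw)]


def match_directory(leaks: list[Leak], directory: dict) -> list[tuple[Leak, dict]]:
    """SIEM step 1: keep only leaks that name an account the organization actually owns."""
    return [(leak, directory[leak.email]) for leak in leaks if leak.email in directory]


def parse_auth_log(text: str) -> list[dict]:
    """Turn 'ts key=value ...' log lines into dicts with an aware timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        events.append({"ts": _ts(ts), **dict(f.split("=", 1) for f in fields)})
    return events


def correlate(leaks, directory, events, window=timedelta(hours=24)) -> dict[str, list[dict]]:
    """SIEM step 2: a login for a leaked account inside `window` after the leak was
    observed becomes an alert. A successful login with a leaked password is 'high';
    a failed login before the leak is still just a mistyped password and is ignored."""
    alerts: dict[str, list[dict]] = {}
    for leak, acct in match_directory(leaks, directory):
        for ev in events:
            if ev["user"] != acct["user"]:
                continue
            if not leak.observed <= ev["ts"] <= leak.observed + window:
                continue
            sev = "high" if ev["result"] == "success" and leak.has_password else "medium"
            alerts.setdefault(acct["user"], []).append(
                {"ts": ev["ts"].isoformat(), "src": ev["src"], "result": ev["result"],
                 "leak_source": leak.source, "severity": sev})
    return alerts


def playbook(leak: Leak, acct: dict, alerts: list[dict], min_confidence=0.9) -> list[str]:
    """SOAR layer: choose actions. The confidence gate is the safeguard: an unverified
    combo-list hit goes to an analyst instead of resetting passwords org-wide."""
    if leak.confidence < min_confidence:
        return ["open_ticket_for_analyst_review"]
    actions = ["force_password_reset"]
    if not acct["mfa_enrolled"]:
        actions.append("require_mfa_enrollment")
    if any(a["severity"] == "high" for a in alerts):
        actions.append("revoke_active_sessions")  # the credential may already be in use
    if acct["privileged"]:
        actions.append("page_on_call")
    return actions


def run_pipeline(feed_json=FEED_JSON, directory=DIRECTORY, auth_log=AUTH_LOG) -> dict:
    """Feed -> directory match -> log correlation -> playbook, keyed by username."""
    leaks = parse_feed(feed_json)
    alerts = correlate(leaks, directory, parse_auth_log(auth_log))
    return {acct["user"]: {"alerts": alerts.get(acct["user"], []),
                           "actions": playbook(leak, acct, alerts.get(acct["user"], []))}
            for leak, acct in match_directory(leaks, directory)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

Running it shows the difference context makes: the 06:40 failed login for arivera is a routine password error on its own, but because the feed reported that account's password in an infostealer log 25 minutes earlier, it and the successful login that follows are escalated, and the playbook resets the password, enrolls MFA, revokes sessions and pages on-call because the account is privileged. The jdoe record comes from a low-confidence combo list with no password, so it only opens a ticket, and the partner address that is not in the directory is dropped before it generates any noise. The 24-hour window and the 0.9 confidence threshold are tuning knobs, not vendor defaults.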

A Security and Business Decision

DarkOwl insists that integrating dark web threat feeds into SIEM/SOAR platforms is more than just a security decision. It is also a business decision. It is a strategic move that improves security, lowers the operational cost of manual triage, reduces Mean Time to Respond (MTTR), and enables a switch from passive to proactive risk management.

If your organization’s dark web threat intelligence remains siloed, any benefits you reap from it are limited. It is time to stop passively observing threats in favor of aggressively searching them out and stopping them before they do real damage. SIEM/SOAR integration is the way to go.