Automate actions such as threat response and mitigation, producing after-incident playbooks, and other activities wherever possible. Ideally, the automation should enable fast-acting workflows with minimal manual intervention. The goal is to enable the fastest possible response to reduce malware dwell times and minimize potential harm to computing systems. Automating and orchestrating these tasks means using standards such as Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) across the entire threat management tool chain, so that different products can effectively communicate with each other. The less manual effort involved in these tasks (including updating custom spreadsheets, for example) the better. Examples include enrichment of alerts, real-time sharing of indicators, and producing on-demand reports.
Create a central place for all threat management tasks, covering the entire lifecycle from discovery to mitigation and further system hardening to prevent subsequent attacks. This means being able to integrate with existing security toolsets, such as SOARs, SIEMs and CNAPPs, and avoid duplicating their efforts. “Modern TIPs enable multi-source ingestion, intelligent prioritization, automated workflows, and seamless integration with existing security tools,” according to Cyware.
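To make the STIX-based alert enrichment mentioned above concrete, here is an added example (not code from the article or from any TIP vendor) that indexes the indicators in a constructed STIX 2.1 bundle and tags constructed SIEM-style alerts with the indicator IDs they match. The alert field names, the `FIELD_MAP` mapping and all indicator values are assumptions; the matcher deliberately handles only single-comparison STIX patterns and skips compound ones rather than matching them loosely.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data, not real indicators).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002", "labels": ["malicious-activity"],
         "name": "Example C2 address (constructed)", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003", "labels": ["malicious-activity"],
         "name": "Example phishing domain (constructed)", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'login.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004", "labels": ["malicious-activity"],
         "name": "Compound pattern (constructed; skipped by the simple matcher)",
         "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5' AND network-traffic:dst_port = 443]"}]})

# Matches only single-comparison STIX patterns such as [ipv4-addr:value = '1.2.3.4'].
_SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]$")

def load_indicators(bundle_json):
    """Index a STIX 2.1 bundle as {(object_type, property): {value: indicator_id}}.
    Compound patterns (AND/OR/FOLLOWEDBY) are skipped rather than matched loosely."""
    index = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if m:
            obj_type, prop, value = m.groups()
            index.setdefault((obj_type, prop), {})[value] = obj["id"]
    return index
# Assumed mapping from alert fields to the STIX object type/property they carry.
FIELD_MAP = {"dst_ip": ("ipv4-addr", "value"), "dns_query": ("domain-name", "value")}

def enrich_alert(alert, index):
    """Return a copy of the alert with a ti_matches list of {field, indicator} hits."""
    matches = [{"field": f, "indicator": index[k][alert[f]]}
               for f, k in FIELD_MAP.items() if alert.get(f) in index.get(k, {})]
    return {**alert, "ti_matches": matches}
# Constructed alerts standing in for SIEM output.
ALERTS = [{"id": "a1", "dst_ip": "198.51.100.23", "dns_query": "cdn.example.invalid"},
          {"id": "a2", "dst_ip": "203.0.113.5", "dns_query": "login.example.invalid"},
          {"id": "a3", "dst_ip": "203.0.113.9"}]

def enrich_all(alerts=ALERTS, bundle_json=STIX_BUNDLE):
    index = load_indicators(bundle_json)  # build once, reuse for every alert
    return [enrich_alert(a, index) for a in alerts]
```

Alert a2 shows the caveat: its destination IP appears only inside the compound pattern, which the simple matcher skips, so it is tagged on the DNS query alone.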
Should you focus on cloud or on-premises TIPs?
The early TIPs were typically on-premises, but over the years they have expanded their coverage and relocated to cloud-based services, in some cases set up by managed service providers. Today’s TIP should cover both use cases and a wide variety of cloud sources, including cloud providers besides Amazon, Google and Microsoft, Kubernetes clusters, and virtual servers.