Skip to Content
Security Sep 09, 2023

Actionable threat intelligence: focus on what matters

By Natalie Walker Senior manager, Managed Security Services, BT

As organisations focus their efforts on digitalisation, cloud migration, hyperconnectivity and hybrid working to remain competitive, they’re now processing larger volumes of data, and have far greater exposed attack surfaces, than ever before.

Couple this with the growing number of sophisticated cyber attacks, and the fact that the volume of security related events and generic threat intelligence being handled has soared - with some platforms recording over 20 million potential indicators of attack on a daily basis.

Without automation overlaying cyber event data with distilled, contextual and real-time threat intelligence, this sea of security information is impossible to process or prioritise. Plus, it prevents organisations having a clear understanding of what really matters, meaning many attacks can go unnoticed or unresolved until it’s far too late.

So, how can security analysts extract the actionable insights from this information that will help them make informed, real-time decisions?


Multi-vendor oversight is essential

Despite the enormous volume of products and vendors on the market, no single solution currently covers all security requirements. As a result, it’s not uncommon for many enterprises to now have 10 or more point products in place.

This only generates more data and more alerts, which requires more staff and more running costs to process. Many security vendors operate on a ‘better safe than sorry’ approach, classifying large volumes of cyber events as suspicious or of potential risk and then leaving it to the customer to decide if they actually matter or not. Often, different vendors will classify the same threat indicators differently – leaving the added challenge of deciding which source to trust. Needless to say, a large proportion of these events are misleading and an unnecessary drain on analysts’ time.

Plus, to make matters even worse, many solutions from different vendors don’t work together, creating additional security blind spots. To make sense of it all, organisations need greater oversight across all of their solutions and threat feeds. This will help them to distil threat intelligence down into what really matters.

It’s all about context

But to start differentiating raw threat intelligence from actionable insights you need to add context. Every day, organisations receive an overwhelming amount of threat indicators that aren’t relevant to them.

To find actionable value, it’s vital to be able to automatically analyse and then categorise threat alerts as they come in. With added context on what poses a real threat to their operation, who adversaries are, where they’re operating and the tactics, techniques and procedures they regularly use, security teams can make informed decisions on what preventative actions they need to take.

Timing is everything

Unfortunately, most sophisticated cyber criminals are already one step ahead and are often some of the first to embrace new technological advances. They’re constantly coming up with new ways to avoid detection and overwhelm defences. To keep up, you need to cut the time it takes to process threat intelligence, detect the breach and respond quickly and effectively. It’s no longer possible to manually react to all alerts. Real-time monitoring and automated decision making are now critical to proactively detecting anomalies and rapidly updating your protections against next-generation threats - blocking attacks before they can even happen or cause significant damage.

Getting an Eagle-i view

Eagle-i is our transformational cyber security platform. It’s a solution designed to sit over the top of our existing managed security services, overlaying actionable intelligence to enhance and coordinate defence efforts.

The platform automatically processes the enormous volumes of alerts gathered by multiple, typically siloed, security solutions and threat feeds and then enriches these alerts with added actionable threat intelligence and customer-specific context. It helps prioritise detection and response based on organisation-specific risks. By combining AI-powered automation with our global knowledge and presence to rapidly assess security threat significance, it can predict an attacker’s next steps and recommend actions to prevent an attack before it happens or before any critical damage can occur. Plus, it’s always evolving, learning and refining its processes to continuously improve its defences.

What’s more, it’s a multi-vendor and multi-control platform, meaning it integrates multiple security controls and technologies from our partners into a single platform, providing you with flexibility and customisation in selecting the best tools for your specific security needs.