MKACyber’s process for curating security content is one of the primary features of our W@tchTower platform and managed service. So what exactly do we mean when we say “content curation”—let alone “content”?
We define “content” as the defensive data that our security operations specialists create to arm a customer’s network against attacks. This can include indicators of compromise (IoCs), SIEM correlation searches, intrusion detection system signatures, configuration monitors, file hashes for antivirus, firewall rules, and really anything else you might input into a security tool.
In general, content curation starts with the intelligent derivation of content from relevant threat intel—paid and unpaid—and from the information we glean from sensors, IT assets, and other data sources on our customers’ networks. These data sources can include intrusion detection and prevention systems, Web and email proxies, email security gateways, and SIEMs, to name a small handful.
Of course, an organization could simply pay for all of the threat intelligence feeds in the world and ingest as much actionable threat data as possible. However, doing so wears on your human, technical, and financial resources. As such, we carefully analyze threat intelligence and networked data sources in order to curate content so that our customers’ security tooling only ingests defensive data that is relevant to their threat model, and so their analysts only focus on the threats that actually matter. In addition to aligning this content with an organization’s threat model and tooling, we also tag all the content by use-case and continually monitor it to make sure that it’s returning value to our analysts.
Another key part of content curation relates to vulnerability management and system hygiene improvement. As we’re mining, curating, and creating content, we are also discerning the vulnerabilities that the intel relates to and, in turn, understanding how the network is affected by those vulnerabilities. In this way, content curation enables a holistic and proactive defense.
As our CTO Justin Monti wrote in a recent piece for SCMagazine, “Instead of reading every report in your threat feed and interpreting all intel as a threat to your business, it’s best to develop an organized process for curating the data—selecting sources, reviewing intel, and tagging, organizing, deploying, and monitoring the efficacy of data—so that it aligns with your organization’s visibility and helps guide your security operations center (SOC) analysts.”
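As an added illustration of the curation loop described above (filter intel against the threat model and deployed tooling, tag by use-case, then monitor efficacy and retire content that returns no value), here is a small Python sketch. It is not MKACyber’s or W@tchTower’s code; the threat model, the use-case mapping, the feed entries, and the alert lines are all constructed for the example.

```python
from typing import List, Set

# Constructed threat model (an assumption): platforms on the network and the
# security tools deployed to consume curated content.
THREAT_MODEL = {
    "platforms": {"windows", "linux"},
    "tooling": {"siem", "ids", "proxy", "firewall"},
}

# Indicator kind -> (use-case tag, tool that consumes it). Hypothetical mapping.
USE_CASE = {
    "domain": ("proxy-block", "proxy"),
    "ip": ("firewall-rule", "firewall"),
    "sha256": ("av-hash", "av"),
    "ids-sig": ("ids-signature", "ids"),
}

def curate(feed: List[dict], model=THREAT_MODEL, min_confidence=70) -> List[dict]:
    """Keep only intel the network can use: a deployed tool must consume it, it must
    apply to a platform in the threat model, and it must meet a confidence bar."""
    curated = []
    for item in feed:
        use_case, tool = USE_CASE.get(item["kind"], (None, None))
        if tool not in model["tooling"]:
            continue                                   # no deployed tool to load it into
        if item["platforms"] and not item["platforms"] & model["platforms"]:
            continue                                   # irrelevant to this network
        if item["confidence"] < min_confidence:
            continue                                   # too noisy to deploy
        curated.append({"indicator": item["indicator"], "use_case": use_case,
                        "tool": tool, "source": item["source"], "hits": 0})
    return curated

def stale(content: List[dict], alert_log: List[str], min_hits=1) -> List[dict]:
    """Efficacy check: count alerts each item produced and return the ones
    returning no value, which are candidates for review or retirement."""
    for c in content:
        c["hits"] = sum(1 for line in alert_log if c["indicator"] in line)
    return [c for c in content if c["hits"] < min_hits]

# Constructed sample feed (platforms=set() means platform-agnostic) and alert lines.
FEED = [
    {"indicator": "evil.example", "kind": "domain", "platforms": set(), "source": "paid-A", "confidence": 90},
    {"indicator": "203.0.113.5", "kind": "ip", "platforms": set(), "source": "osint", "confidence": 60},
    {"indicator": "a" * 64, "kind": "sha256", "platforms": {"windows"}, "source": "paid-A", "confidence": 95},
    {"indicator": "mac-rule-1", "kind": "ids-sig", "platforms": {"macos"}, "source": "vendor", "confidence": 99},
    {"indicator": "win-rule-7", "kind": "ids-sig", "platforms": {"windows"}, "source": "vendor", "confidence": 85},
]
ALERTS = ["ids alert sid=win-rule-7 src=10.0.0.4", "ids alert sid=win-rule-7 src=10.0.0.9"]
```

Running `curate(FEED)` keeps only the domain and the Windows IDS signature; `stale(...)` then flags the domain, which produced no alerts, for review.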