How to Leverage Cloud Threat Intelligence Without Drowning: The Zero-Noise Approach


Why is threat intelligence so difficult to use effectively in the cloud? Cloud environments share many characteristics, so attackers tend to reuse the same TTPs across a multitude of attacks. That sounds like an easy case for using TI to detect and investigate malicious activity, until we run into one problem: noise. The sheer volume of cloud TI data, combined with ever-higher volumes of automated cloud attacks, has left most organizations unable to handle their TI feeds effectively. Instead of enabling better detections, these feeds often cause alert fatigue and make it harder to identify truly malicious activity.

To tackle this problem, we developed a methodology for ingesting cloud TI and detecting malicious activity: the Zero Noise Approach. While initially challenging to execute, it rests on three practices: taking an attacker's perspective to build tailored baselines, running a continuous feedback loop for every detection, and adopting a "no alert left behind" mentality. Together, these let us stop looking for needles in haystacks and focus only on high-fidelity attacker TTPs. In this session we detail the approach and its key benefits, along with real-world case studies highlighting the security impact of implementing a true Zero Noise approach to cloud threat intelligence.

View upcoming Summits: http://www.sans.org/u/DuS

SANS Cyber Threat Intelligence Summit 2024
How to Leverage Cloud Threat Intelligence Without Drowning: The Zero-Noise Approach
Yotam Meitar, Director of Cloud Response, Gem Security
