The idea of correlating internal network traffic data with external threat data looking for insights is nothing new. There are different ways to do it that yield different results. But one thing is definitely true: if you don’t currently correlate data between your internal network traffic and your threat intelligence, you are, as the expression goes, leaving money on the table. 

If collecting vast amounts of threat data could win the war on cybercrime on its own, it’s safe to say the war would already be over. Making sense of that data and turning it into actionable intelligence is the larger challenge. That is where correlation comes into play. 
‍
Correlating internal and external data can give you a more in-depth understanding of your actual threat environment, help you identify new threats, and help evaluate the extent and severity of those threats.

In fact, a recent article on the Security magazine website breaks it down pretty clearly: “Effective threat correlation is a key ingredient to proactive protection, that is, the ability to defend against not just known, but also unknown threats.”

How Correlation of Threat Data Works
Threat intel data is typically consumed in feeds that usually contain IOCs identified by security companies or organizations. These feeds are structured (STIX/TAXII is the most commonly accepted protocol) to be consumed by a wide range of security platforms. Feed information often contains extra context that helps you understand how vulnerabilities are related (like TTPs, threat categories, threat attribution, etc.).

Our industry has become alarmingly good at generating this raw threat data. As the quantities of data grow, it becomes increasingly difficult for humans to sift through and see the patterns. But software that can compare threat feeds and network flow logs at speed can significantly cut incident detection and response times.

That software can use a variety of methods from field comparison, rule-based matching, and fuzzy matching to complex machine learning approaches like classifiers and neural nets. What they are trying to spot are patterns and connections in the data that would indicate a relationship. Those relationships can help identify active attacks and even help protect against them, as well as provide insight into the relationship between attacks, indicate which tracks pose the biggest threat, and even help you adapt your threat posture to prevent future attacks.  

To Sum It Up
To distill it down to four key benefits, correlation done right can provide: 

• More complete coverage
• More prioritized coverage
• Faster incident detection
• Continuous improvement‍

‍Augur and CSCA
Like we said in the intro, Cybersecurity Correlation and Automation (CSCA) isn’t a new idea. After all, it has its own acronym. But Augur pXDR’s implementation of the concept is different. We leverage our proprietary predictive threat intelligence and correlate it against client network data to provide enhanced visibility on threats and protection via automated blocking across all integrated systems. We also aggregate normalized data from 120 sources to bolster your protection and verify our predictions. Adding that layer of predictive threat intelligence enables proactive defense against threats that have already been identified as acute by comparing network data to the predictive data and the traditional threat intel data. 

In that same piece on the Security magazine website, the author points out, “Guaranteeing the safety of a client’s network requires security service providers to reduce false positives and negatives and verify sensor performance and availability. And these challenges can be addressed by effective threat correlation.”

Although Augur’s predictions are already highly accurate to start with (less than 0.01% false positives). Correlation with your internal data allows Augur to gain insight into which threat groups represent the greatest risk to you and improve that accuracy even further. It also allows Augur to automate proactive blocking with extremely high certitude that it is blocking a threat vector that is very likely to attack your networks.

In fact, Augur predictions are typically made more than 60 days before traditional threat intel sources first confirm attacks – that means you get your protection before patient zero is detected, not after a threat has already hit your network. Augur doesn’t identify all threats, but it does identify literally thousands of IPs, IP ranges, and domain names per week that will eventually be used for malicious purposes. 

Correlation + Attribution = Enhanced Protection
By correlating our unique predictive threat intelligence with your network traffic, Augur can provide enhanced protection to your network via another core Augur function: threat attribution. You can learn more about Augur’s threat attribution capabilities here, but for the sake of this post, we can distill it down to a single important point. Augur attributes threats based on complex algorithms and groups them together into threat actor groups. By correlating this data with your network data, Augur can determine which groups represent the most serious threats and automate the blocking of traffic (incoming and outgoing) to all infrastructure attributed to this group – not just the specific threat that was identified.

Augur’s correlation and attribution data is also made available to analysts and threat hunters via Augur’s powerful dashboard to support and accelerate their work.

To see for yourself how Augur works and the impact of predictive threat intelligence, correlation, and attribution, drop us a line to set up a demo.
‍