IT risks come in various shapes and sizes, some obvious and others far more difficult to predict. However, many attack scenarios are now easier to address due to the identification of threat patterns, which are sets of characteristics representing suspicious behaviors in security platforms. Using these threat patterns, enterprises can prevent and mitigate a wider range of IT risks despite the complexity of network topologies and the variety of enterprise applications and technologies that need to be defended.
ISACA’s most recent white paper, ‘Threat Pattern Life Cycle Development’, takes this approach a step further by introducing a simple and well-defined process derived from the software development life cycle (SDLC). This approach to designing and implementing threat patterns helps increase threat detection rates and limits the need for the security operations center (SOC) to deal with false positives.
“Enterprises can gain a better understanding of security threats through the deployment of threat patterns in security monitoring solutions,” said Demetrio Milea, one of the co-authors of the paper. “By taking the same structured approach commonly used in software development, the SOC can identify and focus on more specific threat patterns while detecting issues more quickly and minimizing the effort needed to deploy detection techniques.”
“Attack vectors are not static, and advanced attacks are hard to detect,” said Davide Veneziano, the paper’s other co-author. “As a result, a one-off effort is usually insufficient and tends to make the pattern itself static and only useful for a limited time.”
The threat pattern life cycle includes the following phases:
For each life cycle phase, ISACA presents vital questions that organizations need to answer before defining, developing and evolving modeled threat patterns. Through this structured approach and software development mindset, enterprises can develop threat management capabilities to better protect their assets, address IT security risk, mitigate existing threats and maximize the limited resources available in the SOC.