04-08-2025
The Hidden Questions Behind 'Did You See This Threat Intel Report?'
Alex Lanstein is the CTO of StrikeReady, pioneering unified AI-powered Security Command Center solutions for Security Operations Centers.
It's a common scenario among cybersecurity analysts: the boss approaches the security operations center (SOC), waving a threat intelligence report that they heard about in a board meeting or at an InfraGard event. They ask a question that is likely to determine what SOC professionals will be working on for the rest of the day: 'Did you see this?'
And with those four words, the boss has set a certain expectation for the SOC. But to effectively go on this fact-finding mission, analysts need to understand what the question really means—and the challenges they may face when trying to answer it.
The Three Real Questions Behind 'Did You See This?'
While the boss may have only uttered four words, there are generally three distinct questions being asked, and each one comes with different expectations.
To answer this first question, an analyst begins by extracting all of the indicators—which could be in the hundreds—including domains, hashes, IP addresses and URLs. Security operations teams block millions of things per day based on generic policies, but often these alerts predate finished intel, so there is no reason an analyst would have noticed a random IP address getting blocked by a web app. While doing these searches, the SOC will rely on federated search capability in the stack that can look for data in every single security tool and find out what, if anything, has been blocked related to this threat.
However, this can be easier said than done. Companies may rely on SIEM, XDR and EDR detection systems for this type of search, and there may be blind spots created if the systems haven't been effectively integrated—particularly if load balancers, edge devices and SaaS platforms are being used. As a result, the SOC may miss critical signals that analysts need to know.
Answering this question can be more challenging than the first, because now the SOC is dealing with significantly more data—and has no alerts to work with because the threat had not been detected. To answer this question, professionals have to search logs and telemetry, which can include firewall records, email click-through data, DNS records and browser histories. These systems tend to be decentralized, and if there is no way to do a scalable, federated search, analysts are tasked with looking for data in each individual location. That means Chrome-tab whiplash galore.
Furthermore, this is not only a time-consuming endeavor—it can also be a fruitless and frustrating one. Analysts are only likely to find something useful one percent of the time, so they usually don't get to answer their boss' question or feel the emotional satisfaction that comes with finding the threat they're looking for. To reiterate: Most hunt activities from broadly produced intel result in no findings on an unrelated network—but who wants to take that risk by not fully triaging a report?
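The two steps above, pulling every indicator out of a report and then sweeping logs from several tools for them, are what an analyst ends up doing by hand when no federated search exists. The following is an added example, not code from the article or from StrikeReady; the report excerpt, log lines and hash are constructed, and the defanging conventions it undoes (hxxp, [.]) are assumed to match the report's style.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of a threat-intel report. Published reports defang
# indicators (hxxp, [.]) so they are not clickable; logs never do.
REPORT = """Initial access used hxxp://update-check[.]example[.]net/dl/a.bin,
with C2 at 203[.]0[.]113[.]45 over TCP/443. Dropper SHA-256:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"""

# Constructed telemetry from three tools: firewall, DNS resolver, EDR.
# Line 1 is a block that predates the report; line 2 never raised an alert.
LOGS = [
    "2025-08-01T10:02:11Z fw action=deny src=10.1.4.22 dst=203.0.113.45 dport=443",
    "2025-08-01T10:02:15Z dns src=10.1.4.22 qname=update-check.example.net type=A",
    "2025-08-01T11:30:00Z proxy action=allow src=10.1.9.8 url=http://cdn.example.org/i.html",
    "2025-08-02T09:14:03Z edr event=file_create sha256="
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

URL_RE = re.compile(r"https?://[^\s'\"<>,]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)

def refang(text):
    """Undo common defanging so report indicators look like log values."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")

def extract_iocs(report):
    """Return indicators grouped by type: url, domain, ipv4, sha256."""
    text = refang(report)
    urls = {u.rstrip(".") for u in URL_RE.findall(text)}
    remainder = URL_RE.sub(" ", text)  # keep URL paths from reading as domains
    domains = set(DOMAIN_RE.findall(remainder)) | {urlparse(u).hostname for u in urls}
    return {
        "url": urls,
        "domain": {d.lower() for d in domains if d},
        "ipv4": set(IPV4_RE.findall(text)),
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
    }

def search_logs(iocs, lines):
    """Sweep every indicator across every log line, whatever tool wrote it."""
    hits = []
    for kind, values in iocs.items():
        for value in sorted(values):
            # Lookarounds stop 203.0.113.4 from matching inside 203.0.113.45.
            pat = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.I)
            hits += [(n, kind, value) for n, line in enumerate(lines, 1) if pat.search(line)]
    return sorted(hits)

if __name__ == "__main__":
    for n, kind, value in search_logs(extract_iocs(REPORT), LOGS):
        print(f"log line {n}: {kind} {value}")
```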
The third question can possibly be answered by going to a vendor directly for information. However, it's usually not that simple. Factors that can influence whether or not a product can detect a specific threat include how it's configured, the level of service a SOC paid for, whether it's in block vs. alert mode, or whether it received a particular signature pack at the right time.
This means SOCs will need to simulate threats to test the tools they use for protection. It can be a painstaking process that involves testing hashes in a controlled environment, monitoring whether or not the detection and response program flags them and observing detection responses.
Why Most Organizations Fail At This
Attempting to answer the question, 'Did you see this?' is often unsuccessful, despite SOC professionals' best efforts. This is generally because there's not a single place they can go to understand the enterprise's potential exposure—akin to a Google search for enterprise tools. Most enterprises can't search their SharePoint and JIRA in one place, much less the 50 security vendors large enterprises use on average. Without a centralized search or correlation engine, this tool sprawl leaves analysts manually searching logs across multiple platforms. And in this case, even the strongest analyst intuition may not be enough to overcome this challenge.
Recommendations For Business And Security Leaders
Cybersecurity threats come and go quickly, so there are going to be many times when the boss comes to the SOC asking those four words. Businesses and security leaders can make threat hunting easier by first finding out from the SOC team how long it takes to check the environment for the indicators of compromise from a threat report. Based on that answer, companies can implement several solutions.
For example, they can ensure that logs and telemetry are readily accessible to the SOC, so analysts are not just relying on alerts. Also, a company can invest in technology that allows real-time threat validation across alerts and logs, thus saving time. In addition, automating indicator extraction and federated search, consolidating visibility into a single location, and utilizing live testing and simulation capabilities in-house can make the threat detection process much smoother.
'Did you see this?' is a common question that SOC professionals hear—and it can lead to going down rabbit holes that turn out to be empty. As a result, this isn't the only question business leaders need to be asking their analysts to get the most robust answers. Instead, leaders can also ask SOCs, 'How quickly can we confirm, defend and adapt?' when it comes to a specific cybersecurity threat. This helps to make the SOC more proactive than reactive, while ensuring the organization is more resilient when threats do occur.