Cosive works with leading organisations Australasia-wide to improve their security posture. We are experts in the use of threat intelligence and security orchestration.
Website: https://www.cosive.com
Twitter: https://twitter.com/cosiveco
YouTube: https://www.youtube.com/@cosive
Blog: https://www.cosive.com/blog
Podcast: https://www.cosive.com/podcast
LinkedIn: https://www.linkedin.com/company/cosive

Introducing Episode 4 of the Cosive #Podcast! 🎉🎙

How #ChatGPT Could Transform the CTI Analyst Role, with Chris Horsley

Just 15 minutes - and well worth a listen 👇

https://www.cosive.com/podcast/2022/12/21/episode-004-how-chatgpt-could-transform-the-cti-analyst-role-with-chris-horsley

#ThreatIntel #ThreatIntelligence #CyberSecurity #CyberSecurityTips

Episode #004: How ChatGPT Could Transform the CTI Analyst Role with Chris Horsley — Cosive

Cosive CTO Chris Horsley conducted early experiments using ChatGPT to help assign ATT&CK IDs to threat intelligence reports. While the tool won’t replace an experienced analyst as of today, it will likely change the way we do this kind of work.


🌴 What did you do last weekend? Our CTO decided to see what he could do with #ChatGPT, an #OSINT report and #ATTACK and followed up with a blog post "ATT&CKing with OpenAI’s ChatGPT". Are you using #OpenAI in #CyberSecurity?

#threatintel, #threatintelligence, #misp, #CloudMISP

👩‍🏫 Some training went into the process, for example ChatGPT didn't think it could process or analyse #CTI reports, but with some grooming and careful wording, Chris got the bot to extract, analyse and suggest the most appropriate techniques.

🗣️ He said: "This reminded me of discussing ideas with analyst colleagues on the most appropriate way to classify or describe something. You certainly wouldn’t trust ChatGPT to just make technique ID assignments and then publish it to the world - you’d have another analyst in the loop."

📖 You can read the full blog post here - https://www.cosive.com/blog/2022/12/5/mitre-attacking-with-openais-chatgpt

ATT&CKing with OpenAI’s ChatGPT — Cosive

We try out some exciting early experiments using ChatGPT for helping us assign ATT&CK IDs to threat intelligence reports. While it’s not going to replace an experienced analyst as of today, it will likely change the way we do this kind of work.


💡 Want to know @cosive's idea of the 7 best practices for #MISP? Our CTO Chris Horsley writes about it in our latest blog "7 MISP Best Practices: Lessons from Effective Threat Intel Teams"

TL;DR in this thread 👇

#MISP #CloudMISP #ThreatIntel #threatintelligence

1. Carefully upgrade MISP to the latest release as soon as possible: MISP has a very high throughput of releases, about 12 - 15 per year. As with any piece of software, those updates could be security releases.

⚠️ BUT upgrading MISP isn't always as simple as pressing a button. For all their benefits, upgrades can introduce new behaviour and changes that may impact existing workflows. Upgrade in a non-production environment and test first before deploying.

2. Implement robust monitoring and maintenance: MISP needs things like logging, disaster recovery, perhaps even high availability.

🚧 The best threat intel teams run MISP like they’d run any important production system: on a scaffold of monitoring and regular maintenance.

3. Avoid the volume trap by focusing on high-quality data: It’s easy to think that a higher volume of threat intel equals more visibility over threats.

🧠 But a lot of that threat intelligence may be poor quality in terms of detection.

4. Remember that the tools ultimately exist to serve analysts: A lot of organisations are putting money into tooling. Being able to house, process, and automate a lot of this data processing is important.

🤓 But it has to be done in the service of analysts.

5. Have a clear triage process for your analysts: Some MISP workflows can be fully automated. For others, you need to have an analyst in the loop.

🫣 Having a clear triage process can help you decide what can be totally automated, and what requires analyst oversight.

6. Define your threat intel products: Threat intel products are use cases for threat intel within your organisation that produce a beneficial business outcome.

🤯 Using threat intel to inform strategic decisions is another potential threat intel product.

⚠️ For threat intel to be useful to the SOC, the executives, and other consumers of the information, you need to understand what they do on their side of the fence to make the organisation safer.

7. Automate as much as possible with machine-to-machine feeds: Threat intel about how a hack happened six months ago has some value, but far less value than if we can get the defences in place within a day or two.

🔚 Final Words: In many ways, the quality and usefulness of a tool is defined by the effort put into maintaining it.

If your team needs help to keep MISP running reliably, check out #CloudMISP, our managed MISP offering.

🎉 You can read the full blog post on our website: https://cosive.com/blog/2022/12/13/7-misp-best-practices-lessons-from-effective-threat-intel-teams

If you have any other best practices you'd like to share, please drop us a comment 👇

7 MISP Best Practices: Lessons from Effective Threat Intel Teams — Cosive

Getting a barebones MISP instance up and running is well within the skill-set of most SOC teams. Download MISP, run it on a VM, and log in to the MISP admin console using default credentials… all within about 10 minutes. That part is easy. Now for the hard part: how do you get from a barebones MISP

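Points 3, 5 and 7 of the thread above (quality over volume, a clear triage split between what is fully automated and what needs an analyst, and machine-to-machine feeds that get indicators to defences quickly) come together in a consumer-side triage step. The script below is an added example and is not Cosive's or the MISP project's code: it takes an event in the JSON shape MISP returns from its REST API, keeps only attributes the producer flagged for detection (`to_ids`), discards stale ones, and routes the rest either to an auto-block list or to an analyst queue. The sample event is constructed, and the routing policy (the trusted-org set, the low-false-positive attribute types, the 30-day age limit and the `workflow:state` tags that hold an indicator back) is an illustrative assumption that a real team would set for itself.

```python
"""Triage MISP attributes into auto-block vs analyst-review buckets.

Added example, not Cosive's or MISP's own code. The event is constructed
in the shape of a MISP REST API response; the policy constants below are
assumptions for illustration, not MISP defaults.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample event (only the fields this example reads).
SAMPLE_EVENT = json.loads(r"""
{
  "Event": {
    "id": "42",
    "info": "Constructed example: phishing campaign infrastructure",
    "date": "2022-12-10",
    "published": true,
    "Orgc": {"name": "PartnerCERT"},
    "Tag": [{"name": "tlp:amber"}],
    "Attribute": [
      {"type": "ip-dst", "value": "203.0.113.7", "to_ids": true,
       "timestamp": "1670630400", "Tag": []},
      {"type": "domain", "value": "login-portal.example", "to_ids": true,
       "timestamp": "1670630400",
       "Tag": [{"name": "workflow:state=\"incomplete\""}]},
      {"type": "sha256",
       "value": "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069",
       "to_ids": true, "timestamp": "1670630400", "Tag": []},
      {"type": "ip-dst", "value": "8.8.8.8", "to_ids": false,
       "timestamp": "1670630400", "Tag": []},
      {"type": "url", "value": "http://login-portal.example/p/", "to_ids": true,
       "timestamp": "1670630400", "Tag": []},
      {"type": "ip-dst", "value": "198.51.100.9", "to_ids": true,
       "timestamp": "1654041600", "Tag": []}
    ]
  }
}
""")

# Policy assumptions (illustrative, set per organisation in practice).
TRUSTED_ORGS = {"PartnerCERT"}               # producers whose IOCs may deploy unreviewed
AUTO_TYPES = {"ip-dst", "domain", "sha256"}  # types judged low-false-positive for blocking
HOLD_TAGS = {'workflow:state="incomplete"', 'workflow:state="draft"'}

# Fixed "now" so the example is reproducible (constructed: the thread's date).
NOW = datetime(2022, 12, 13, tzinfo=timezone.utc)


def triage_event(event_json, now=NOW, max_age_days=30, trusted_orgs=TRUSTED_ORGS):
    """Return {'auto_block': [...], 'analyst_review': [...], 'dropped': [...]}.

    Every entry is a (type, value, reason) tuple so the decision is auditable.
    """
    ev = event_json["Event"]
    org = ev.get("Orgc", {}).get("name", "")
    event_tags = {t["name"] for t in ev.get("Tag", [])}
    cutoff = now - timedelta(days=max_age_days)
    out = {"auto_block": [], "analyst_review": [], "dropped": []}

    for attr in ev.get("Attribute", []):
        kind, value = attr["type"], attr["value"]

        # Point 3: only attributes the producer marked for detection are candidates.
        if not attr.get("to_ids", False):
            out["dropped"].append((kind, value, "to_ids is false"))
            continue

        # Point 7: an indicator months old is far less useful than a fresh one.
        seen = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if seen < cutoff:
            out["dropped"].append((kind, value, f"older than {max_age_days} days"))
            continue

        # Point 5: decide what can be fully automated and what needs an analyst.
        tags = event_tags | {t["name"] for t in attr.get("Tag", [])}
        automatable = (
            kind in AUTO_TYPES
            and org in trusted_orgs
            and not (tags & HOLD_TAGS)
            and "tlp:red" not in tags
        )
        if automatable:
            out["auto_block"].append((kind, value, f"trusted org {org}, low-FP type"))
        else:
            out["analyst_review"].append((kind, value, "type or tag requires review"))
    return out


def to_edl(triaged, ioc_type):
    """Values of one type from the auto-block bucket, one per line (EDL-style)."""
    return sorted(v for k, v, _ in triaged["auto_block"] if k == ioc_type)


if __name__ == "__main__":
    result = triage_event(SAMPLE_EVENT)
    print(json.dumps(result, indent=2))
    print("\n".join(to_edl(result, "ip-dst")))
```

Running it routes the fresh `ip-dst` and `sha256` from the trusted org to the auto-block list, holds the `domain` tagged `workflow:state="incomplete"` and the `url` (not an auto-block type under this policy) for an analyst, and drops the `to_ids=false` attribute and the six-month-old IP. The reason strings are what an analyst sees when asking why an indicator did or did not reach the firewall.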