Evolving from a SOC to a Fusion Center for Improved Threat Intelligence


Sharing intelligence horizontally and vertically between state, local, tribal, territorial (SLTT), and federal agencies is a critical defense strategy in this unprecedented age of cyberattacks. Although it sounds similar to an enterprise’s Security Operations Center (SOC), a Fusion Center differs in how threat intelligence across agency borders is gathered and operationalized across security controls.

According to the Fusion Center Foundational Guidelines, every public safety entity, law enforcement agency, and private sector official involved in threat intelligence and information gathering has a stake in this initiative.

The primary goals of the state-owned network of fusion centers are to:

  • Create an environment for the efficient and effective exchange of information and intelligence
  • Maximize the use of resources and streamline operations relating to threat intelligence
  • Enhance governmental capabilities to fight crime and terrorism by merging datasets from multiple sources

Fusion centers face challenges similar to those of SOCs: the sheer volume of available information impedes incident investigation because analysts have too much data to wade through. However, the collaborative heartbeat that is foundational to the concept of a fusion center is reshaping how enterprises think about their threat intelligence and how they make security-centric decisions.

Why Enterprises Are Evolving from SOCs toward Fusion Centers

The concept of a fusion center is to merge multiple sources of information for higher fidelity in alerts and enable quicker responses to incidents. A fusion center unifies security functions and places them under the responsibility of an operational group that integrates, manages, and responds to threats with a single, concerted effort.

Typically, the fusion center is responsible for:

  • Orchestration and automation of security-related technologies
  • Data acquisition and contextual analysis of incident alerts
  • Response planning and threat intelligence gathering from all operational activities

Directors of cyber fusion centers aim to bridge the gap between operational functions (IT and cybersecurity) and critical safety elements by facilitating collaboration and communication between all stakeholders. The result is improved operational effectiveness and a proactive approach to threat intelligence that reduces the risk perimeter.

How Spyderbat Accelerates Fusion Center Operations

Alert-based security operation processes struggle to turn raw data into actionable insights. Spyderbat enhances existing security investments by maintaining a real-time Universal Causal Graph that places every activity in context through its causal relationships. Unusual activities, or known MITRE ATT&CK techniques, are flagged on this graph as they occur, with immediate contextual visibility across the relationships between user sessions, processes, and network activity. The graph gathers and collates real-time data into actionable intelligence across all operational functions by reducing noise and instead honing analysts in on real, emerging attacks.

With the graph, Spyderbat traces the full sequence of attacker activity (including third-party alerts) back to its root cause. This recognizes real attacks with high fidelity by automatically corroborating threat evidence across network and system activities, focusing analysts on only meaningful and contextualized threats. This automated filtering of noise to show only actual attack activity is an essential part of a fusion center’s responsibility for maintaining a secure perimeter across the organization.
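To make the causal-graph idea concrete, the following is an added example written for this page; it is not Spyderbat’s code and does not reflect how the Universal Causal Graph is implemented. It builds a small cause-to-effect graph from constructed telemetry (a service, the processes it spawns, and their network connections), flags two activities with illustrative rules labelled with real MITRE ATT&CK technique IDs, and then corroborates each flag by walking back to the root of the chain and forward to everything downstream. The event schema, the `parent` link, and the detection rules are all assumptions made for the example.

```python
"""Toy causal graph: contextualize flagged activity by tracing cause and effect.

Added example, not Spyderbat code. Every event is a node; an edge runs from a
cause (the `parent` id) to its effect. Sessions and services are roots.
"""
from collections import defaultdict

# Illustrative rule inputs; a real deployment would use richer detections.
WEB_SERVERS = {"/usr/sbin/nginx", "/usr/sbin/apache2"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
SCHEDULERS = {"/usr/bin/crontab", "/usr/bin/at"}

# Constructed sample telemetry (not real data). A web server spawns a shell
# that fetches something and installs a cron entry; an unrelated interactive
# session runs a shell too, which should remain noise.
EVENTS = [
    {"id": "svc-1", "type": "service", "name": "nginx.service"},
    {"id": "proc-100", "type": "process", "exe": "/usr/sbin/nginx", "parent": "svc-1"},
    {"id": "proc-101", "type": "process", "exe": "/bin/sh", "parent": "proc-100"},
    {"id": "proc-102", "type": "process", "exe": "/usr/bin/curl", "parent": "proc-101"},
    {"id": "net-1", "type": "network", "dst": "203.0.113.9:443", "parent": "proc-102"},
    {"id": "proc-103", "type": "process", "exe": "/usr/bin/crontab", "parent": "proc-101"},
    {"id": "sess-2", "type": "session", "user": "alice", "src": "10.0.0.7"},
    {"id": "proc-200", "type": "process", "exe": "/bin/bash", "parent": "sess-2"},
]


def build_graph(events):
    """Index events by id and record cause -> effect edges (parent -> children)."""
    nodes = {e["id"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        parent = e.get("parent")
        if parent is not None:
            if parent not in nodes:
                raise ValueError(f"dangling parent {parent!r} for {e['id']!r}")
            children[parent].append(e["id"])
    return nodes, children


def root_chain(nodes, node_id):
    """Walk parent links from node_id back to its root; returns a root-first list."""
    chain, seen, cur = [], set(), node_id
    while cur is not None:
        if cur in seen:
            raise ValueError("cycle in causal graph")
        seen.add(cur)
        chain.append(cur)
        cur = nodes[cur].get("parent")
    chain.reverse()
    return chain


def descendants(children, node_id):
    """Every effect downstream of node_id (iterative depth-first walk)."""
    out, stack = set(), list(children.get(node_id, []))
    while stack:
        n = stack.pop()
        if n not in out:
            out.add(n)
            stack.extend(children.get(n, []))
    return out


def flag_techniques(nodes):
    """Context-aware rules: a shell by itself is noise, a shell under a web server is not."""
    flagged = []
    for nid, e in nodes.items():
        if e["type"] != "process":
            continue
        parent = nodes.get(e.get("parent"))
        if e["exe"] in SHELLS and parent is not None and parent.get("exe") in WEB_SERVERS:
            flagged.append((nid, "T1059 Command and Scripting Interpreter"))
        if e["exe"] in SCHEDULERS:
            flagged.append((nid, "T1053.003 Scheduled Task/Job: Cron"))
    return flagged


def investigate(events):
    """For each flagged node, attach its root chain and its downstream effects."""
    nodes, children = build_graph(events)
    return [
        {
            "node": nid,
            "technique": technique,
            "root_chain": root_chain(nodes, nid),
            "downstream": sorted(descendants(children, nid)),
        }
        for nid, technique in flag_techniques(nodes)
    ]


if __name__ == "__main__":
    for finding in investigate(EVENTS):
        print(finding["technique"], "at", finding["node"])
        print("  root chain:", " -> ".join(finding["root_chain"]))
        print("  downstream:", ", ".join(finding["downstream"]) or "(none)")
```

The point the example makes is the one the section makes in prose: the same `/bin/sh` execution is a finding under `nginx` and noise under an interactive login, and once a node is flagged, its root chain and its descendants (the download and the cron entry) are recovered from the graph rather than from separate alerts.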

Increase Threat Intelligence in Fusion Centers with Contextualized Events

By continuously collating information across all systems, processes, and network activities into a single Universal Causal Graph, Spyderbat enables fusion center directors to reduce their analysts’ alert fatigue and respond effectively to emerging threats. Threat intelligence data is seen in context with prior and subsequent activity, giving full visibility into, and enabling mitigation of, all attacker activity, including backdoors, compromised accounts, and other forms of persistence that standard investigations often miss.

To see Spyderbat in action, schedule your demo here.
