It seems as though everyone is talking about threat intelligence at the moment. Nearly every security vendor wants to get in on the action and the majority of security operations groups are either being told by their management to get on board with it, or they have attended various security conferences and realised they need to add threat intelligence into their security program for the year.
That said, the questions most security operations groups come back with are always the same: What sort of threat intelligence should I get? How do I use it effectively? How is it going to help me? And, my favourite, what actually is threat intelligence?
Gartner has defined threat intelligence as "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." This is a sound definition as far as it goes, but what does it mean in practice, and how can threat intelligence benefit organisations?
Defending a business and its customers against cyber threats starts with understanding what you are up against. That may sound obvious; studying the adversary is common practice in many fields, in sport and even in nature.
So why, when it comes to cyber security, have organisations become accustomed to traditional approaches that start at the perimeter and look inward rather than outward? In today's increasingly connected and digital world it is important to widen this perspective and look outside the walls of the enterprise as well as within them.
To establish a solid foundation for intelligence-driven enterprise security, what is needed is a way to bring all this global data together in one manageable location, translate it into a uniform format, and correlate it with local data, events, and context. With all the threat data in one place and usable for ingestion, analysis, and exporting, organisations will be well on their way to expanding security perspectives and better defending against cyber threats.
That is where the platform comes in. Threat intelligence platforms allow security teams to become more proactive and anticipatory by profiling not only the attack but the attackers, who rapidly change their tools, techniques and procedures to evade defensive technologies.
In my experience, a threat intelligence platform that is worth its salt has the potential to help organisations in three key areas: to communicate more effectively, focus resources more efficiently and manage risk more successfully. These are by no means the only areas of an organisation’s security strategy that will feel the benefits, but here are my thoughts on why they are the top three:
At some stage in their career, every CISO or SOC manager will be asked by management, concerned about the latest reported hack: What do you know about it? How does it affect us? What are we doing about it?
Though not explicitly stated, the underlying assumption here is that preventative measures have already been taken to ensure such an attack will not occur on their organisation. This is where a threat intelligence strategy is key, providing individuals with a means of being proactive and ensuring that they’re on top of their cyber security.
Security teams are then in a position to answer these questions before they are even asked. Leaders also want to answer them in business terms, so that management understands what the security operations group is doing. Effective threat intelligence provides the information needed to change the conversation from "a million events were blocked this month" to "ransomware attacks were stopped that would have cost the company £2M".
On a network there are only three things security operators need to deal with: noise, nuisances and threats. Noise needs to be filtered out, either blocked at the perimeter or detected and automatically remediated; threats need focused attention, because they are the real rascals that can negatively impact shareholder value; and nuisances need to be triaged, so that each is either dismissed as noise or recognised as an actual threat and dealt with accordingly.
An effective threat intelligence platform helps organise the threats and provides the information needed to isolate what really matters. It gives security teams a means of automatically filtering the noise while also enabling threat intelligence enrichment through an analyst workbench to understand and address the nuisances. In short, a good threat intelligence platform lets an organisation operationalise its approach to cyber security.
Once an organisation begins to use threat intelligence to improve communications and focus its resources, it can move on to risk management. A threat intelligence platform lets an organisation take a more strategic view of the business-critical assets it needs to protect, the threats targeting those assets, the countermeasures that are in place and how security teams are applying them. From there the risk gap can be identified and turned into a strategic discussion with the board about accepting, transferring or mitigating risk, and the investments required.
Moving forward, I am convinced that threat intelligence will be a deciding factor in the success of many cyber security strategies and it is vital that organisations are staying ahead of the curve by actively looking at how they improve communication, operationalise threat intelligence and manage risk.
For organisations who have already implemented a threat intelligence platform, the most frequently cited challenge is being inundated with threat data and not having a clue where to start. It is clear that the aggregation and sharing of threat data is simply not enough to succeed; threat intelligence platforms need to do more to support the utility of threat intelligence as part of security operations. Without comprehensive context and priority, it can be extremely difficult for security operators and threat analysts to identify a starting point for investigations.
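The aggregation, correlation and triage steps described above (feeds translated into a uniform format, correlated with local events and context, then split into noise, nuisances and threats with a priority attached) can be sketched in a few dozen lines. The following is an added illustrative example written for this article, not ThreatQuotient's code or any vendor's schema: the two feed formats, the log line format, the asset criticality table and the scoring weights are all assumptions, and the feed and log data are constructed samples.

```python
"""Aggregate two constructed threat feeds into one format, correlate them
with constructed local log events, and triage each hit into noise,
nuisance or threat with a priority score.  Illustrative example only:
feed formats, asset criticalities and scoring weights are assumptions."""
import csv
import io
import json
import re
from dataclasses import dataclass, field

# Constructed sample feed in a STIX-like JSON shape (assumed format, not a real vendor's).
FEED_JSON = json.dumps({"indicators": [
    {"type": "ipv4-addr", "value": "203.0.113.7", "confidence": 85, "tags": ["c2", "ransomware"]},
    {"type": "domain-name", "value": "update-check.example", "confidence": 60, "tags": ["scanner"]},
]})

# Constructed sample feed as CSV from a second, hypothetical source.
FEED_CSV = "value,type,score,label\n203.0.113.7,ip,90,cobaltstrike\n198.51.100.23,ip,30,scanner\n"

# Constructed local context: asset criticality on a 1-3 scale (assumed); 10.0.0.5 is the finance database.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.20": 1}

# Constructed local events in a key=value firewall/proxy style (assumed format).
LOCAL_EVENTS = """\
ts=2024-01-10T09:00:01Z src=10.0.0.5 dst=203.0.113.7 action=allow
ts=2024-01-10T09:00:02Z src=10.0.0.20 dst=198.51.100.23 action=deny
ts=2024-01-10T09:00:03Z src=10.0.0.20 dst=update-check.example action=allow
ts=2024-01-10T09:00:04Z src=10.0.0.20 dst=192.0.2.1 action=allow
"""


@dataclass
class Indicator:
    """Uniform representation shared by every feed once normalised."""
    value: str
    kind: str
    confidence: int
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def normalize_feeds(feed_json, feed_csv):
    """Translate both feed formats into one Indicator map keyed by value.
    Duplicates across feeds are merged: sources and tags are unioned and the
    confidence is the maximum reported by any source."""
    kind_map = {"ipv4-addr": "ip", "ip": "ip", "domain-name": "domain", "domain": "domain"}
    merged = {}

    def add(value, kind, confidence, source, tags):
        ind = merged.setdefault(value, Indicator(value, kind_map[kind], 0))
        ind.confidence = max(ind.confidence, int(confidence))
        ind.sources.add(source)
        ind.tags.update(tags)

    for i in json.loads(feed_json)["indicators"]:
        add(i["value"], i["type"], i["confidence"], "feed-json", i.get("tags", []))
    for row in csv.DictReader(io.StringIO(feed_csv)):
        add(row["value"], row["type"], row["score"], "feed-csv", [row["label"]])
    return merged


EVENT_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) action=(\S+)")


def parse_events(text):
    """Parse the constructed key=value log lines into dicts."""
    return [dict(zip(("ts", "src", "dst", "action"), m.groups()))
            for m in EVENT_RE.finditer(text)]


def triage(events, indicators):
    """Correlate each event's destination with the indicator map and bucket it.
    Scoring is an assumption chosen for illustration:
    score = feed confidence * asset criticality * number of corroborating sources."""
    hits = []
    for ev in events:
        ind = indicators.get(ev["dst"])
        if ind is None:
            continue                      # no indicator match: ordinary traffic, not a hit
        crit = ASSET_CRITICALITY.get(ev["src"], 1)
        score = ind.confidence * crit * len(ind.sources)
        if ev["action"] == "deny" or score < 50:
            bucket = "noise"              # already blocked at the perimeter, or too weak to pursue
        elif score < 200:
            bucket = "nuisance"           # hand to the analyst workbench for enrichment
        else:
            bucket = "threat"             # escalate immediately
        hits.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"], "score": score,
                     "bucket": bucket, "sources": sorted(ind.sources), "tags": sorted(ind.tags)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)   # highest priority first


if __name__ == "__main__":
    for h in triage(parse_events(LOCAL_EVENTS), normalize_feeds(FEED_JSON, FEED_CSV)):
        print(f'{h["bucket"]:8} score={h["score"]:4} {h["src"]} -> {h["dst"]} {h["tags"]}')
```

Run as a script, the sample data yields one threat (the finance database talking to an indicator two feeds agree on), one nuisance (a low-value host talking to a single-source scanner domain) and one noise entry (a connection the firewall already denied), which is the starting point for investigation that raw, unprioritised feed data does not give an analyst.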
Security operators and threat analysts can now be empowered to operationalise threat intelligence with the fine-tuned controls of a good threat intelligence platform. Threat data becomes operational on the user's definition rather than the vendor's, and teams keep control over how, when and where intelligence is used.
By Leon Ward, VP Product Management, ThreatQuotient.