Threat intelligence needs to grow up

Security teams are overwhelmed by a massive amount of threat data. A decade ago no one outside government agencies was talking about threat intelligence; now organizations are bombarded with threat data and struggle to identify what is relevant to them.

Aggregating that data requires a shift in mindset and a maturing of threat intelligence in order to better mitigate risks.

Experts say that collecting data for the sake of having data does no good and can actually detract from a security intelligence program, using up time and manpower to analyze data that is most often noise rather than a real indicator of a threat.

If the long-term goal of enterprises is to have mature threat intelligence programs, they need to conduct an internal risk assessment and design a plan of action.

Tomer Schwartz, director of security research at Adallom Labs, noted, "Threat intelligence is not looking at all the data. Threat intelligence is new, and products are changing. Understanding that just plugging in to a product is not going to help is critical. Threat intelligence is about getting as much data as we can, not just current data for a current threat."

Ignoring historical data overlooks a wealth of information that can inform a security program and enable an enterprise to defend against a wider range of incidents. Schwartz said, "In the current state of security, attackers are going to succeed. The correlation with new data and historical data is not happening enough and enterprises are afraid of collaboration."

The answer is not to throw money at the problem, but for enterprises to inform themselves about the different platforms and choose the ones that serve the needs of their specific environments.

Most security teams can't make valuable use of their threat data because there is simply too much of it. Analyzing it by hand at the speed at which it is produced is humanly impossible.

"Humans can't ingest the data at a rate that is meaningful," said Anne Bonaparte, CEO, BrightPoint.

"There are a lot of new avenues for threat data to be disseminated. The challenge and opportunity is the deluge of information. It's become a classic big data problem because humans can't ingest at a rate that's meaningful."

This deluge of data often leaves security analysts floundering.

Commercial vendors, including ThreatQuotient, TruSTAR, BrightPoint, Webroot, Norse, and Adallom, all agreed that threat intelligence has become a big data problem.

Threat intelligence is only valuable if a security analyst can make use of the data, and programs that produce lengthy reports do little to move threat intelligence forward.

Trying to whittle down hundreds of millions of data points to identify the thousands that matter requires a lot of time and manpower. Sam Glines, CEO of Norse, said, "If you have a 10 page comprehensive report that tells you all of your vulnerabilities, the second that report is printed, it's outdated."

"Threat intelligence," added Glines, "is also internal threats, not just rogue employees but machines and devices that are rogue. It's also employees that don't know any better." Enterprises need to do an internal audit to understand their internal and external vulnerabilities because they can't protect themselves if they don't know what they are protecting against.

"It's important to understand the attack life cycle, and there are free and open source information feeds out there. The problem with open source feeds is that they provide a lot of information that is not always valuable."

Boutique vendors may be better placed to provide companies with more valuable and accurate information, assessing intelligence and investing appropriately based on each customer's needs.

With all of the vulnerabilities and transitions happening in cyber security, particularly as enterprises rely more on cloud service providers and deal with changing infrastructures, some companies may not be ready to focus on a risk assessment. Glines also said, "Vendors can work a lot faster if the risk assessment has already been done and a plan is in place."

As companies continue to move to the cloud, threat indicators are changing, so how can enterprises boost threat intelligence and mitigate risks?

Glines said, "Companies need to understand that what is most important is data and securing that data. Align programs around assets that are the highest priority. Know where my high risk data resides." More importantly, companies should understand that not all data is valuable. Glines advised, "Assess intelligence and invest appropriately based on need. It is not efficient to just throw technology at a problem."

Knowing their environment will also allow them to recognize anomalies in behavior, and behavior analysis is a valuable piece of threat intelligence. Mike Banic, vice president of marketing, and Wade Williamson, product marketing director at Vectra, said, "Indicators are things that you are not familiar with. They are going to start the game new, fresh, with things that have never been seen. It's not what malware is, it's what the malware does. Actions that the malware took are what's important."

Grayson Milbourne, security intelligence director at Webroot, said, "Authors understand that to defend against something it needs to be observed at least one time. Someone has to see what you are doing to know how to defend against that." One of the greatest challenges in trying to defend against grand scale attacks is that once a signature has been identified and shared, the bad guys have created a new application.

Sharing signature information on large-scale commodity attacks can help to minimize exposure and knock out the larger threats. If enterprises are able to find an intruder during the active phases of an intrusion, they have a greater chance of stopping the criminals before data is stolen.

Bonaparte advised, "Compare with what's going on in your enterprise and communities of interest. Take advantage of knowledge in vertical communities and supply chains and access what's going on behind the scenes to identify the relevant data to your context and environment."

"Knowledge is power" is a hackneyed expression, but not one to ignore when looking at threat intelligence. Milbourne said, "The more they are aware, the more likely they are not to fall victim. Security awareness is often more cost effective, and it's a fundamental part of security intelligence."

What's most important for all enterprises is to be aware of what matters to their own environments. Sharing threat intelligence information is helpful in identifying known risks, but Milbourne said, "We need to be looking at how often these threats are encountered in the world. Eighty percent of threats aren't even prevalent anymore." Educating themselves about the services available and having a tailored threat intelligence program specific to the needs of their environments will help.

As more industries identify more needs, threat intelligence will continue to grow and evolve to meet the needs of enterprises. Ryan Trost, managing principal, ThreatQuotient said, "Threat Intelligence needs to cater to the masses, which it doesn't right now. Enterprises need sources, and once they have sources, they need a platform to store and manage their data."

If enterprises are shopping around for vendors, scoring is the feature that will personalize the platform to their environment. Trost said, "Moving forward, scoring will be critical. It should be from a customer centric perspective, not an embedded intelligence score."
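The threads running through the article (Schwartz on correlating new and historical data, Glines on aligning around high-priority assets, Milbourne on prevalence, and Trost on scoring from the customer's perspective rather than the vendor's embedded score) can be combined into one scoring rule. The Python below is an added illustration written for this page, not code from the article or from any vendor named in it. The feed fields (`feed_score`, `last_seen`, `prevalence`), the asset priorities and the telemetry lines are all constructed and hypothetical; the decay half-life and the 0.5 triage threshold are arbitrary tuning knobs, not values the article gives.

```python
"""Customer-centric scoring of threat-feed indicators against local telemetry.

Added example (not code from the article or any vendor named in it). The feed
fields, asset priorities and telemetry below are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible offline.
NOW = datetime(2015, 11, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    value: str           # IP, domain or hash as published by the feed
    feed_score: int      # vendor's embedded 0-100 confidence (assumed feed field)
    last_seen: datetime  # last time the vendor's own sensors saw it (assumed field)
    prevalence: int      # how many vendor sensors/customers reported it (assumed field)


# Constructed asset inventory: priority 1 (low) .. 5 (holds high-risk data) per host.
ASSET_PRIORITY = {"db-prod-01": 5, "hr-share": 4, "dev-vm-17": 2, "kiosk-lobby": 1}

# Constructed local telemetry (proxy/DNS/flow logs), current and historical:
# (timestamp, host, observed value)
TELEMETRY = [
    (NOW - timedelta(hours=2), "db-prod-01", "198.51.100.23"),
    (NOW - timedelta(days=40), "hr-share", "bad-update.example"),
    (NOW - timedelta(days=400), "kiosk-lobby", "203.0.113.9"),
    (NOW - timedelta(hours=1), "dev-vm-17", "evil-cdn.example"),
]

# Constructed feed. Note that the highest vendor score belongs to an indicator
# that is stale and has never been observed on this network.
FEED = [
    Indicator("198.51.100.23", 60, NOW - timedelta(days=1), 5),
    Indicator("bad-update.example", 90, NOW - timedelta(days=60), 80),
    Indicator("203.0.113.9", 95, NOW - timedelta(days=700), 2),
    Indicator("evil-cdn.example", 70, NOW - timedelta(days=3), 50),
    Indicator("dead-c2.example", 99, NOW - timedelta(days=500), 0),
]


def recency_weight(age: timedelta, half_life_days: float = 30.0) -> float:
    """Exponential decay: a sighting loses half its weight every half_life_days."""
    return 0.5 ** (age.total_seconds() / (half_life_days * 86400.0))


def score_indicator(ind, telemetry=TELEMETRY, assets=ASSET_PRIORITY, now=NOW) -> float:
    """Score from the customer's perspective: sightings on important local assets
    dominate, prevalence gives a mild boost, the vendor score only scales the result."""
    sightings = [(ts, host) for ts, host, val in telemetry if val == ind.value]
    if not sightings:
        # Never observed here: keep a small, decaying fraction of the vendor score
        # so a fresh feed entry stays visible but cannot outrank a local hit.
        return 0.1 * ind.feed_score * recency_weight(now - ind.last_seen)
    # Historical sightings still count, just less; crown-jewel hosts count more.
    local = sum(assets.get(host, 1) * recency_weight(now - ts) for ts, host in sightings)
    prevalence_bonus = 1.0 + min(ind.prevalence, 100) / 100.0  # commodity threats: up to 2x
    return local * prevalence_bonus * (ind.feed_score / 100.0)


def triage(feed=FEED, threshold=0.5, **kw):
    """Return (actionable, noise): indicator values ranked by local score, split at threshold."""
    ranked = sorted(feed, key=lambda i: score_indicator(i, **kw), reverse=True)
    actionable = [i.value for i in ranked if score_indicator(i, **kw) >= threshold]
    noise = [i.value for i in ranked if score_indicator(i, **kw) < threshold]
    return actionable, noise


if __name__ == "__main__":
    for ind in sorted(FEED, key=score_indicator, reverse=True):
        print(f"{score_indicator(ind):8.4f}  vendor={ind.feed_score:3d}  {ind.value}")
```

Run stand-alone, the ranking puts the modest-looking IP seen two hours ago on the production database at the top and the vendor's 99-point indicator, stale and never seen locally, at the bottom with the 700-day-old one. That inversion is the practical meaning of a customer-centric score: the vendor's number is an input, not the verdict, and without local telemetry and an asset inventory to score against, no feed can tell you what matters to your environment.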

Stories by Kacy Zurkus