Threat intelligence needs to grow up
Aggregating that data requires a shift in mindset and a maturing of threat intelligence in order to better mitigate risks.
Experts say that collecting data for the purposes of having data does no good and can actually detract from a security intelligence program by using up time and man power to analyze data that is most often noise rather than real indicators of threat.
If the long-term goal of enterprises is to have mature threat intelligence programs, they need to conduct an internal risk assessment and design a plan of action.
Tomer Schwartz, director of security research, Adallom Labs noted, “Threat intelligence is not looking at all the data. Threat intelligence is new, and products are changing. Understanding that just plugging in to a product is not going to help is critical. Threat intelligence is about getting as much data as we can, not just current data for a current threat.”
Ignoring historical data overlooks a wealth of information that can inform a security program and enable an enterprise to defend against a wider range of incidents. Schwartz said, “In the current state of security, attackers are going to succeed. The correlation with new data and historical data is not happening enough and enterprises are afraid of collaboration.”
The answer is not to throw money at a problem, but to inform themselves about the different platforms that will serve the needs of their specific environments.
Most security teams can’t make valuable use of their threat data because there is just too much of it. The brain power needed to analyze at the speed at which the data is produced is humanly impossible.
“Humans can’t ingest the data at a rate that is meaningful,” said Anne Bonaparte, CEO, BrightPoint.
“There are a lot of new avenues for threat data to be disseminated. The challenge and opportunity is the deluge of information. It’s become a classic big data problem because humans can’t ingest at a rate that’s meaningful.”
This deluge of data often leaves security analysts floundering.
Commercial vendors, including ThreatQuotient, TruSTAR, BrightPoint, Webroot, Norse, and Adollom all agreed that threat intelligence has become a dig data problem.
Threat intelligence is only valuable if a security analyst can make use of the data, and programs that produce lengthy reports do little to move threat intelligence forward.
Trying to whittle down hundreds of millions of data points to identify the thousands that matter requires a lot of time and man power. Sam Glines, CEO of Norse, said, “If you have a 10 page comprehensive report that tells you all of your vulnerabilities, the second that report is printed, it’s outdated.”
“Threat intelligence,” added Glines, “is also internal threats, not just rogue employees but machines and devices that are rogue. It’s also employees that don’t know any better.” Enterprises need to do an internal audit to understand their internal and external vulnerabilities because they can’t protect themselves if they don’t know what they are protecting against.
“It’s important to understand the attack life cycle, and there are free and open source information feeds out there. The problem with open source feeds is that they provide a lot of information that is not always valuable.”
More boutique vendors will be able to provide companies with more valuable and accurate information that will assess intelligence and invest appropriately based on customer needs.
With all of the vulnerabilities and transitions that are happening in cyber security, particularly as enterprises rely more on cloud service provides and deal with changing infrastructures, some companies may not be ready to focus on a risk assessment. Glines also said, “Vendors can work a lot faster if the risk assessment has already been done and a plan is in place.”
As companies continue to move to the cloud, threat indicators are changing, so how can enterprises boost threat intelligence and mitigate risks
Glines said, “Companies need to understand that what is most important is data and securing that data. Align programs around assets that are the highest priority. Know where my high risk data resides.” More importantly, companies should understand that not all data is valuable. Glines advised, “Assess intelligence and invest appropriately based on need. It is not efficient to just throw technology at a problem.”
Sam Glines, CEO of Norse
Knowing their environment will also allow them to recognize anomalies in behavior, and behavior analysis is a valuable piece of threat intelligence. Mike Banic vice president of marketing, and Wade Williamson, product marketing director at Vectra, said “Indicators are things that you are not familiar with. They are going to start the game new, fresh, with things that have never been seen. It’s not what malware is, it’s what the malware does. Actions that the malware took are what’s important.”
Grayson Milbourne, security intelligence director at Webroot, said, “Authors understand that to defend against something it needs to be observed at least one time. Someone has to see what you are doing to know how to defend against that.” One of the greatest challenges in trying to defend against grand scale attacks is that once a signature has been identified and shared, the bad guys have created a new application.
Sharing signature information on large scale commodity attacks can help to minimize vulnerabilities and knock out larger threats. If enterprises are able to find an intruder in their active phases, they have a greater chance of stopping the criminals before data is stolen.
Bonaparte advised, “Compare with what’s going on in your enterprise and communities of interest. Take advantage of knowledge in vertical communities and supply chains and access what’s going on behind the scenes to identify the relevant data to your context and environment.”
Knowledge is power is not a hackneyed expression that should be ignored when looking at threat intelligence. Milbourne said, “The more they are aware, they more likely they are not to fall victim. Security awareness is often more cost effective, and it’s a fundamental part of security intelligence.”
What’s most important for all enterprises is to be aware of what matters to their own environments. Sharing threat intelligence information is helpful in identifying known risks, but Milbourne said, “We need to be looking at how often these threats are encountered in the world. Eighty percent of threats aren’t even prevalent anymore.” Educating themselves about the services available and having a tailored threat intelligence program specific to the needs of their environments will help.
As more industries identify more needs, threat intelligence will continue to grow and evolve to meet the needs of enterprises. Ryan Trost, managing principal, ThreatQuotient said, “Threat Intelligence needs to cater to the masses, which it doesn’t right now. Enterprises need sources, and once they have sources, they need a platform to store and manage their data.”
If enterprises are shopping around for vendors, scoring is a tool that will personalize the platform. Trost said, “Moving forward, scoring will be critical. It should be from a customer centric perspective, not an embedded intelligence score.”