You cannot effectively mitigate cyber threats without threat intelligence.
If you think organizations are already covered when it comes to using threat intelligence to counter cyber threats, think again. Although enterprises have invested in multiple security systems and technologies, most lack the resources, time and tools to genuinely understand and prioritize the threats those systems report.
What is threat intelligence?
According to Gartner, “Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.”
A key point is that threat intelligence is not simply data and information: it provides context. Without context such as the threat type or category, when the threat was first observed, and its source (e.g. geographic origin), a security team will struggle to prioritize threat indicators and to write effective policies for acting on existing and emerging threats. Investigating a threat also depends on being able to obtain that context.
Who is creating and using threat intelligence?
Historically, government and defense have invested the most in creating, using and (in a controlled manner) distributing threat intelligence. In the private sector, verticals such as financial services, healthcare, retail and technology use threat intelligence to understand and act on threats: they handle sensitive financial and personal data and stand to lose a great deal (legal and financial costs) if they suffer a data breach. More generally, any organization running security technologies such as firewalls and antivirus is already consuming threat intelligence, because those products depend on it to operate.
What are the benefits of threat intelligence?
There are several potential benefits of threat intelligence, including:
- Rich threat context for faster prioritization and response: with alerts arriving from the SIEM, firewalls and other tools, Security Operations and Incident Response teams need to know quickly which threats to tackle first. Threat intelligence supplies the context (what the threat is and its category, when it was first discovered, its severity level, and so on) that makes that decision possible.
- Streamlined security operations resources: given the shortage of skilled cyber security professionals (http://www.informationweek.com/strategic-cio/security-and-risk-strategy/cyber-security-skills-shorta…) and the looming threat of a data breach, organizations cannot depend on scarce security staff being constantly “on top of their game” in deflecting threats. Deploying threat intelligence that is reliable and automatically refreshed by the provider onto security systems (e.g. firewalls) and network control points (e.g. a DNS firewall) means organizations are not at the mercy of scarce security staff who are here today but may be gone tomorrow.
- Network intelligence that identifies infected devices and targeted users: DNS, DHCP and IP address management (DDI) services provide critical, actionable network intelligence, namely which devices a user has, which IP addresses they were assigned, and which web sites they visited. By tracking user behaviour over time, the security team can build a baseline profile of “normal” behaviour and then alert on deviations from it that may indicate suspicious or rogue activity. Combining that network and user context with threat intelligence (e.g. a device is trying to connect to a known “ransomware C&C” server) lets organizations quickly identify infected devices and the users being targeted.
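The following is an added example, not code from the original post or from Infoblox, of the two ideas above: enriching raw DNS events with indicator context (category, severity, first seen) so they can be ranked, and joining them to DHCP leases so an IP address is attributed to the device and user that actually held it at the time of the query. Every indicator, lease and DNS log line is constructed for illustration, and the log format and field names are assumptions rather than any product's real output. One caveat the example makes explicit: a DHCP address is reassigned over time, so attribution must be done against the lease that was active at the timestamp of the query, not against whoever holds the address now.

```python
"""Correlate DNS query logs with DHCP leases and a threat-intelligence
indicator list to name infected devices and targeted users.

Added example; not Infoblox code. All log lines, leases and indicators are
constructed for illustration, and the formats are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed indicator feed: listed domain -> context used for prioritization.
INDICATORS = {
    "update-check.example.net": {"category": "ransomware_c2", "severity": 9, "first_seen": "2016-09-01"},
    "cdn-static.example.org": {"category": "adware", "severity": 2, "first_seen": "2015-03-12"},
    "login-secure.example.com": {"category": "phishing", "severity": 7, "first_seen": "2016-09-20"},
}

# Constructed DHCP leases: (ip, lease start, lease end, device, user).
# Note that 10.0.0.5 is held by two different devices on different days.
LEASES = [
    ("10.0.0.5", "2016-09-21T08:00:00", "2016-09-21T20:00:00", "LAPTOP-0421", "alice"),
    ("10.0.0.5", "2016-09-22T08:00:00", "2016-09-22T20:00:00", "LAPTOP-0877", "bob"),
    ("10.0.0.9", "2016-09-22T07:30:00", "2016-09-22T19:30:00", "DESKTOP-1102", "carol"),
]

# Constructed DNS query log, assumed format: "<timestamp> client <ip> query: <qname>"
DNS_LOG = """\
2016-09-21T09:15:02 client 10.0.0.5 query: www.example.com
2016-09-21T09:16:40 client 10.0.0.5 query: cdn-static.example.org
2016-09-22T10:02:11 client 10.0.0.5 query: beacon.update-check.example.net
2016-09-22T10:05:30 client 10.0.0.9 query: login-secure.example.com
2016-09-22T10:06:00 client 10.0.0.9 query: www.example.com
"""

# Constructed per-user baseline: domains seen in an earlier observation window.
BASELINE = {
    "alice": {"www.example.com", "cdn-static.example.org"},
    "bob": {"www.example.com"},
    "carol": {"www.example.com"},
}


def parse_dns_log(text):
    """Parse the assumed log format into (timestamp, client ip, query name)."""
    events = []
    for line in text.splitlines():
        ts, _, ip, _, qname = line.split()
        events.append((datetime.fromisoformat(ts), ip, qname.rstrip(".").lower()))
    return events


def lease_at(ip, ts):
    """Return (device, user) that held `ip` at time `ts`, or None.
    Attribution is by the lease active at the query time, because the same
    address is handed to different devices over time."""
    for lease_ip, start, end, device, user in LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return device, user
    return None


def match_indicator(qname, indicators):
    """Match the query name or any parent domain against the indicator list,
    so a listed zone also covers hosts beneath it. Returns (listed name, context)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate, indicators[candidate]
    return None


def correlate(events, indicators):
    """Enrich matching DNS events with indicator context and the device/user
    behind the client address, ranked by indicator severity (highest first)."""
    hits = []
    for ts, ip, qname in events:
        match = match_indicator(qname, indicators)
        if match is None:
            continue
        listed, ctx = match
        device, user = lease_at(ip, ts) or ("unknown", "unknown")
        hits.append({"time": ts.isoformat(), "ip": ip, "device": device, "user": user,
                     "query": qname, "indicator": listed, **ctx})
    hits.sort(key=lambda h: -h["severity"])
    return hits


def deviations(events, baseline):
    """Per user, domains never queried in the baseline window: a crude
    behavioural signal worth reviewing even when no indicator matches."""
    out = defaultdict(set)
    for ts, ip, qname in events:
        who = lease_at(ip, ts)
        if who and qname not in baseline.get(who[1], set()):
            out[who[1]].add(qname)
    return dict(out)


if __name__ == "__main__":
    events = parse_dns_log(DNS_LOG)
    for hit in correlate(events, INDICATORS):
        print(f"sev {hit['severity']} {hit['category']:<14} {hit['user']:<6} {hit['device']:<12} {hit['query']}")
    print("new domains per user:", deviations(events, BASELINE))
```

Run as-is, the ransomware C&C beacon from 10.0.0.5 on the 22nd is attributed to bob's LAPTOP-0877 rather than to alice, who held that address the day before, and it sorts above the phishing and adware hits; the baseline check independently flags the same two new domains for bob and carol.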
Unfortunately, despite these potential benefits, organizations also face some key challenges, including:
- Insufficient threat context slows incident response. It is hard to get enough context to understand and prioritize the alerts produced by the various security technologies (e.g. firewall, SIEM), and threat research and context gathering typically require SOC analysts and researchers to work across multiple tools, which takes a lot of time.
- Triaging (deprioritizing) false-positive threat indicators. It is critical to learn quickly which indicators would cause the most damage to the organization if not addressed: filter out the “noise” and false positives and focus on high-impact threats.
- Gaps in threat intelligence coverage. Because threat intelligence data is sold and operated in silos, organizations typically lack broad enough coverage against threats. Ideally, you would centrally aggregate threat intelligence and then apply it to any infrastructure of your choice, without limitations imposed by individual threat intelligence vendors.
- Inability to share data internally in a controlled manner. As a result, organizations cannot effectively enforce data governance (controlling how, where and what threat intelligence is deployed).
- Deploying and managing threat intelligence data is problematic. It often requires extensive manual effort and time, both of which are scarce in most organizations.
We will dive into these challenges in more detail in the second post of this three-part series in October. In the meantime, you can check out the webinar presented by Sean Tierney, Director of Threat Intelligence at Infoblox, on Making Threat Intelligence Actionable across Your Cybersecurity Infrastructure.