Investing in threat intelligence is one thing, but getting the most out of that threat intelligence to effectively defend against, prioritize and mitigate threats can be a real challenge. In blog #1 of this 3-part series we outlined a few of the key challenges organizations face:
- Lacking sufficient threat context results in slow incident response
- Triaging, prioritizing, and addressing false positive threat indicators
- Hard to overcome gaps in threat intelligence data
- Cannot share data internally in controlled manner
- Deploying and managing threat intelligence data at scale can be problematic
In this blog, I will dive into each of these in more detail and offer some tips to help overcome them. You need to be able to get more out of your threat intelligence. Threat intelligence should be an asset, not a liability.
Challenge #1: Lacking sufficient threat context results in slow incident response.
When the security team receives threat alerts from security systems on their network (firewall, Web proxy, IDS, etc.), they need to know what the threat is. Useful data includes any external threat IP/domain/hostname, when it was first discovered, its severity, whether it is an active/inactive threat, and possibly any association with known threat actors. Of similar value is internal network intelligence such as IP/hostname, associated vulnerabilities, and user. Without this threat context, it is hard to prioritize the myriad threats and quickly take action on the most damaging ones. Basically, it’s hard to filter out the “noise”.
- Get visibility into attack surfaces and targeted systems/services by applying threat intelligence to both outbound and inbound connections. Outbound connections include traffic flows through network proxies and next-generation firewalls, and also DNS queries. Inbound connections include traffic flows through application firewalls, Web application logs, web server logs and possibly email.
- Use a threat investigation tool. Ideally, the threat investigation tool aggregates context from multiple high reputation sources and offers an intuitive search engine, to provide an accurate view of the current threat level and the associated indicator of attack or compromise.
Challenge #2: Triaging, prioritizing, and addressing false positive threat indicators
One of the biggest problems with applying threat intelligence to actively “block” threats is the risk of interrupting legitimate connections, thereby impacting business and employee productivity. It is imperative from a threat assessment perspective that security teams are able to determine the severity of events and assess the impact of blocking actions prior to implementation. Likewise, a low false-positive rate for indicators and alerts is critical, since it may not always be possible to avoid false positives entirely. Determining the reputation and associated activity or network complexity related to an indicator will aid with triage and may help lower or raise priority.
Tip: Apply high quality threat intelligence to your security systems to aid in properly classifying events and minimize false positive or misclassified events. Also, obtain reports that contain details on the threat, severity and action taken by the system(s). This will help you gauge the effectiveness of your security architecture in taking action on highest impact threats vs. lower priorities.
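The enrichment and triage described under Challenges #1 and #2, as an added example rather than Infoblox code: a raw alert is joined with external threat-intel context (first seen, severity, active state, actor) and internal asset context, scored, and then either blocked, alerted on, or sent to review when the indicator's confidence is too low to justify blocking. All indicators, hosts, actor names and thresholds are constructed sample values.

```python
# Added example (not Infoblox code). Constructed external TI context per indicator.
THREAT_INTEL = {
    "203.0.113.45": {"first_seen": "2023-01-10", "severity": 9, "active": True,
                     "actor": "example-actor", "confidence": 90},
    "198.51.100.7": {"first_seen": "2021-05-02", "severity": 6, "active": False,
                     "actor": None, "confidence": 40},
}
# Constructed internal asset inventory: hostname, user, count of critical vulns.
ASSETS = {
    "10.0.0.5": {"hostname": "db-prod-01", "user": "svc-db", "critical_vulns": 2},
    "10.0.1.20": {"hostname": "kiosk-07", "user": "guest", "critical_vulns": 0},
}
UNKNOWN_ASSET = {"hostname": "unknown", "user": None, "critical_vulns": 0}

def enrich(alert):
    """Attach external TI context and internal asset context to a raw alert."""
    return {**alert,
            "ti": THREAT_INTEL.get(alert["dst_ip"]),
            "asset": ASSETS.get(alert["src_ip"], UNKNOWN_ASSET)}

def prioritize(enriched):
    """Return (score, action). Higher score = more damaging. Low-confidence
    indicators go to manual review instead of blocking (Challenge #2)."""
    ti = enriched["ti"]
    if ti is None:
        return 0, "ignore"                 # no external context: treat as noise
    score = ti["severity"]
    score += 2 if ti["active"] else 0      # live infrastructure outranks stale
    score += 1 if ti["actor"] else 0       # attribution to a known actor
    score += enriched["asset"]["critical_vulns"]  # exposed internal host
    if ti["confidence"] < 60:
        return score, "review"
    return score, ("block" if score >= 10 else "alert")

def triage(alerts):
    """Enrich every alert and order by score, most damaging first."""
    rows = []
    for a in alerts:
        e = enrich(a)
        score, action = prioritize(e)
        rows.append({"alert": a, "score": score, "action": action,
                     "host": e["asset"]["hostname"]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed alerts as a proxy, next-generation firewall or DNS sensor might emit.
SAMPLE_ALERTS = [
    {"src_ip": "10.0.1.20", "dst_ip": "198.51.100.7", "sensor": "proxy"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.45", "sensor": "ngfw"},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.1", "sensor": "dns"},
]
```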
Challenge #3: Hard to overcome gaps in threat intelligence data.
Since threat intelligence data is often sold or integrated in silos, organizations often do not have broad enough coverage against threats. Even if they detect and can take action on a threat in one part of their network thanks to a particular security system (e.g. network firewall or web proxy), they cannot take action on the same threat in other parts of the network that do not have that system deployed. This keeps the organization in a continuously vulnerable state.
Tip: Many Threat Intelligence Platforms can aggregate data from multiple sources, but do not necessarily allow an organization to apply the threat intelligence data to any infrastructure of choice without the individual vendor’s imposed limitations. A solution that can support both data aggregation and distribution is ideal.
Challenge #4: Cannot share data internally in controlled manner
Organizations vary in terms of level of sophistication and comfort when it comes to developing and sharing threat intelligence data. Some want to be able to share externally created and internally created data across their own enterprise for consistent policy enforcement and broader risk mitigation – to prevent any “gaps” in their risk posture. In some cases, without the ability to easily share data, organizations cannot effectively fulfill data governance requirements (controlling how, where and what threat intelligence is deployed).
Tip: There aren’t many options available today for easily sharing threat intelligence. In the next blog, we will share how Infoblox can help organizations with this effort.
Challenge #5: Deploying and managing threat intelligence data at scale can be problematic.
This often requires extensive manual effort (people) and time, both of which are scarce resources in most organizations. Organizations need to be able to apply threat intelligence data to security infrastructure effectively in order to detect threats accurately and take action swiftly, not be bogged down with outdated and hard-to-prioritize data.
- A threat intelligence management system that allows internally and externally (3rd party) sourced data to be aggregated and automatically applied to various security systems in the needed format (e.g. JSON, STIX, CSV, TSV, CEF, etc.) via a customizable API feed is ideal. This gives you the flexibility and ease of deploying threat intelligence data tailored for the specific attacks you need to block using your security systems without having to spend a lot of time and effort.
- Whether you are managing security locally or relying on a Managed Security Services Provider (MSSP), you should know what you are getting from the MSSP and stress that the MSSP follow best practices just as you would if you were locally managing and applying threat intelligence across your infrastructure to mitigate threats.
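The aggregation-and-distribution idea from Challenges #3 and #5, as an added example that is not Infoblox code: an external vendor feed and an internally created list are merged into one de-duplicated indicator set, then exported in two of the formats named above (CSV, filtered to the indicator types a given system accepts, and CEF) so the same data can be pushed to more than one security system. Feed contents, vendor and product names are constructed placeholders.

```python
import csv
import io
# Added example (not Infoblox code). Constructed external and internal feeds.
EXTERNAL_FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "severity": 9, "source": "vendor-a"},
    {"indicator": "Malicious.Example", "type": "domain", "severity": 7, "source": "vendor-a"},
]
INTERNAL_FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "severity": 6, "source": "soc-internal"},
    {"indicator": "bad.example", "type": "domain", "severity": 8, "source": "soc-internal"},
]

def aggregate(*feeds):
    """Merge feeds, de-duplicated by normalized indicator; keep the highest
    severity seen and record every source that reported the indicator."""
    merged = {}
    for feed in feeds:
        for rec in feed:
            key = rec["indicator"].strip().lower()
            cur = merged.setdefault(key, {"indicator": key, "type": rec["type"],
                                          "severity": 0, "sources": []})
            cur["severity"] = max(cur["severity"], rec["severity"])
            if rec["source"] not in cur["sources"]:
                cur["sources"].append(rec["source"])
    return list(merged.values())

def to_csv(records, types=None):
    """CSV export, optionally limited to the indicator types a target accepts."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["indicator", "type", "severity", "sources"])
    for r in records:
        if types is None or r["type"] in types:
            w.writerow([r["indicator"], r["type"], r["severity"], ";".join(r["sources"])])
    return buf.getvalue()

def _cef_ext(v):
    """Escape an extension value per CEF rules (backslash, '=', newline)."""
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(records, vendor="ExampleVendor", product="ti-feed", version="1.0"):
    """One CEF line per indicator; severity maps straight onto CEF's 0-10 scale."""
    lines = []
    for r in records:
        ext = (f"cs1Label=indicator cs1={_cef_ext(r['indicator'])} "
               f"cs2Label=type cs2={_cef_ext(r['type'])} "
               f"cs3Label=sources cs3={_cef_ext(','.join(r['sources']))}")
        lines.append(f"CEF:0|{vendor}|{product}|{version}|ti-{r['type']}|"
                     f"Threat indicator|{r['severity']}|{ext}")
    return "\n".join(lines)
```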
Look out for the final blog #3 in this series to learn how Infoblox is helping organizations enhance their threat intelligence investments.