Analytics // Threat Intelligence
6/3/2013
07:16 AM
Dark Reading
Dark Reading
Quick Hits
50%
50%

Strengthening Enterprise Defenses With Threat Intelligence

By integrating security monitoring with threat intelligence, organizations can build a smarter defense

[The following is excerpted from "Strengthening Enterprise Defenses With Threat Intelligence," a new report published this week on Dark Reading's Security Monitoring Tech Center.]

Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.

Given this barrage, anything that promises to assist in navigating this information -- and making it more actionable -- is going to be of interest.

However, there's also some debate. While some industry pros view threat intelligence as a critical component of their security program, others think it's just another industry fad with comparatively little value.

Advocates of threat intelligence say that only by understanding the motives, methods and actions of attackers can we effectively defend against them; skeptics say security is all aboutthe fundamentals, and that anything that distracts from those fundamentals is noise.

Who's right? Both camps are. As with most things, value is subjective and mileage will vary from organization to organization. This is based in large part on organization-specific factors, including how it defines threat intelligence, the data the organization evaluates, the maturity of the shop in question and the use cases for the data.

Chief among the value considerations is integration with existing data and processes -- meaning, the value threat intelligence will or won't have depends on the degree to which it's integrated into other security-related processes and data.

Data that is reconciled with internal information and used directly to support existing processes is likely to be useful. Data that is siloed among a closed community (or that's "shunted" to places where operational staff can't make use of it) won't be useful.

As threat intelligence data proliferates and becomes more useful, some vendors are beginning to tie that data more closely to their internal security monitoring, which is often doen through security information and event monitoring (SIEM) systems. Security vendor Vigilant, for example, has created a set of tools that integrate SIEM with more than 40 different sources of threat intelligence, enabling enterprises to view both the external threat and its potential impact on internal security posture.

In terms of tactical integration, the goal isn't to replace other controls. Recall that most security organizations have already invested (in some cases heavily) in internally focused security capabilities and protection mechanisms. The goal is to funnel threat intelligence to these tools in order for them to function more effectively.

To read more about how organizations can tie threat intelligence to their internal security systems -- particularly security monitoring tools -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.