Analytics // Threat Intelligence
6/3/2013
07:16 AM
Quick Hits
Quick Hits
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Strengthening Enterprise Defenses With Threat Intelligence

By integrating security monitoring with threat intelligence, organizations can build a smarter defense

[The following is excerpted from "Strengthening Enterprise Defenses With Threat Intelligence," a new report published this week on Dark Reading's Security Monitoring Tech Center.]

Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.

Given this barrage, anything that promises to assist in navigating this information -- and making it more actionable -- is going to be of interest.

However, there's also some debate. While some industry pros view threat intelligence as a critical component of their security program, others think it's just another industry fad with comparatively little value.

Advocates of threat intelligence say that only by understanding the motives, methods and actions of attackers can we effectively defend against them; skeptics say security is all aboutthe fundamentals, and that anything that distracts from those fundamentals is noise.

Who's right? Both camps are. As with most things, value is subjective and mileage will vary from organization to organization. This is based in large part on organization-specific factors, including how it defines threat intelligence, the data the organization evaluates, the maturity of the shop in question and the use cases for the data.

Chief among the value considerations is integration with existing data and processes -- meaning, the value threat intelligence will or won't have depends on the degree to which it's integrated into other security-related processes and data.

Data that is reconciled with internal information and used directly to support existing processes is likely to be useful. Data that is siloed among a closed community (or that's "shunted" to places where operational staff can't make use of it) won't be useful.

As threat intelligence data proliferates and becomes more useful, some vendors are beginning to tie that data more closely to their internal security monitoring, which is often doen through security information and event monitoring (SIEM) systems. Security vendor Vigilant, for example, has created a set of tools that integrate SIEM with more than 40 different sources of threat intelligence, enabling enterprises to view both the external threat and its potential impact on internal security posture.

In terms of tactical integration, the goal isn't to replace other controls. Recall that most security organizations have already invested (in some cases heavily) in internally focused security capabilities and protection mechanisms. The goal is to funnel threat intelligence to these tools in order for them to function more effectively.

To read more about how organizations can tie threat intelligence to their internal security systems -- particularly security monitoring tools -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web