Analytics // Threat Intelligence
6/3/2013
07:16 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Strengthening Enterprise Defenses With Threat Intelligence

By integrating security monitoring with threat intelligence, organizations can build a smarter defense

[The following is excerpted from "Strengthening Enterprise Defenses With Threat Intelligence," a new report published this week on Dark Reading's Security Monitoring Tech Center.]

Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.

For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.

Given this barrage, anything that promises to assist in navigating this information -- and making it more actionable -- is going to be of interest.

However, there's also some debate. While some industry pros view threat intelligence as a critical component of their security program, others think it's just another industry fad with comparatively little value.

Advocates of threat intelligence say that only by understanding the motives, methods and actions of attackers can we effectively defend against them; skeptics say security is all aboutthe fundamentals, and that anything that distracts from those fundamentals is noise.

Who's right? Both camps are. As with most things, value is subjective and mileage will vary from organization to organization. This is based in large part on organization-specific factors, including how it defines threat intelligence, the data the organization evaluates, the maturity of the shop in question and the use cases for the data.

Chief among the value considerations is integration with existing data and processes -- meaning, the value threat intelligence will or won't have depends on the degree to which it's integrated into other security-related processes and data.

Data that is reconciled with internal information and used directly to support existing processes is likely to be useful. Data that is siloed among a closed community (or that's "shunted" to places where operational staff can't make use of it) won't be useful.

As threat intelligence data proliferates and becomes more useful, some vendors are beginning to tie that data more closely to their internal security monitoring, which is often doen through security information and event monitoring (SIEM) systems. Security vendor Vigilant, for example, has created a set of tools that integrate SIEM with more than 40 different sources of threat intelligence, enabling enterprises to view both the external threat and its potential impact on internal security posture.

In terms of tactical integration, the goal isn't to replace other controls. Recall that most security organizations have already invested (in some cases heavily) in internally focused security capabilities and protection mechanisms. The goal is to funnel threat intelligence to these tools in order for them to function more effectively.

To read more about how organizations can tie threat intelligence to their internal security systems -- particularly security monitoring tools -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio