Threat Intelligence Brings Dynamic Decisions To Risk Management

As enterprises bring threat intelligence feeds into risk management equations, they could gain a greater fluidity in risk-based decision-making

If risk management is governed by the age-old risk equation -- Risk = Threat x Vulnerability x Asset Value -- then it follows that the accuracy of each of those variables can make or break an enterprise's IT risk management practice. The security industry has done a lot to home in on metrics for the latter two: CVSS scoring and countless studies measuring the cost of breaches around specific IT assets have helped risk managers get their arms around that part of the equation. The real sticking point has always been measuring and tracking the threats.

The threat landscape is so mercurial and threats so dependent on dozens of their own variables that finding a way to measure the probability of a threat hitting its mark can seem a bit of a crapshoot. But that's changing as risk management experts start to depend on the burgeoning market of threat intelligence services to deliver enough real-time information about threats in the wild to make more dynamic risk calculations that allow for the kind of fluid decision-making that can more accurately be described as risk-based security rather than guess-based security.


"The way we look at it today, it's an important piece of security data," says J.B. O'Kane, principal consultant for risk management vendor Vigilant, of threat probability. "A lot of vendors are providing threat intelligence feeds, and when we look at the larger space of security data and analytics, it's an important piece of the larger risk management equation."

In years past, only the largest and most mature of enterprises could get a decent lock on the frequency and flavor of the threats knocking at their doors enough to base actionable risk decisions on them. Other organizations simply did not see the volume of cyberthreats or have the resources necessary to analyze those threats to develop usable intelligence around trending attacks. As security companies have built up practices over the past few years to deliver that intelligence, risk managers are just now starting to see how they can leverage these feeds.

"I think organizations great and small can benefit from intelligence feeds, if for no other reason than most organizations don't have the time, energy, or resources to plot and set their own research and intelligence initiatives," says Will Gragido, senior manager of the RSA FirstWatch Advanced Research Intelligence team at RSA NetWitness. "They need to be able to depend on a party or multiple parties to provide the insight into the threat landscape that they themselves don't have."

When organizations do it right, they can base their remediation prioritization of vulnerabilities not just on the vulnerability severity, but how that is tied to or paired with threat frequency and severity, O'Kane says.

"Coming up with a threat-vulnerability pairing can help you hone in on a risk-based approach," O'Kane says. "If the feed is coming in saying you're exposed to these threats, you start to narrow things down and turn the threats and vulnerabilities into pairs so that now they're decision nodes. Now you're getting closer and closer to understanding the true risk that you might be exposed to."

Srinivas Kumar, CTO of TaaSERA, agrees that active intelligence will help drive innovation in IT services, improving early warning and remediation of coordinated and targeted attacks. But it will take equally coordinated efforts to actually integrate threat intelligence into the fabric of today's risk management and security ops practices.

"Threat intelligence is basically the vehicle that helps IT to define all of the security controls to the extent that security controls will accept the threat intelligence," he says. "At the end of the day, there are many security controls they're invested in. They need to have something that's coordinating all of these controls together. Without coordinating, it's going to be difficult to deal with active monitoring."

There are other challenges, as well. For example, some threat feeds are better than others, O'Kane says.

"What's a little different is that it's a little closer to the problem or the problem space [than vulnerability or cost of breach information]. It's near real-time, where the information is a little fresher," he says. "Feeds can vary in their data quality. Some are good feeds, some are bad, some have a lot of error built in. Some have a lot of overlap with other feeds, and so removing that redundancy is always a challenge."

Additionally, finding a way to take the data from the feed and turn it into some sort of metric that can be plugged into the risk formula will take work from both vendors and practitioners, O'Kane says.

He says that his firm and others are trying to improve the accuracy of threat scoring, not only offering a score on the severity of the threat, but also a confidence score on the accuracy of that severity.

"So the severity could be, on a scale of 1 to 10, an 8 severity; however, based on our research, our confidence in that severity score could be 60 percent," he says. "When you have more pieces of information for validation that, yes, this is truly a bad site, in fact we've captured some code from that site, that's where you have a higher degree of confidence in that severity score."
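The three ideas the article circles around -- the Risk = Threat x Vulnerability x Asset Value equation, O'Kane's threat-vulnerability pairing, and a threat severity carried together with a confidence score -- combine naturally into a small prioritization routine. The example below is added here for illustration; it is not code from Dark Reading, Vigilant or any vendor quoted, and every feed entry, vulnerability id, score and the 0.1 floor for vulnerabilities no feed mentions are constructed assumptions. It also folds in the feed-overlap problem O'Kane raises by collapsing duplicate reports of the same threat before scoring.

```python
from dataclasses import dataclass

# Assumed floor for the threat term when no feed pairs a threat with the
# vulnerability: unconfirmed is not the same as zero.
BASELINE_THREAT = 0.1


@dataclass(frozen=True)
class ThreatReport:
    """One entry from a threat intelligence feed (constructed shape)."""
    feed: str             # which feed produced the entry
    threat_id: str        # the feed's identifier for the threat
    targets: frozenset    # vulnerability ids the threat is seen exploiting
    severity: int         # 1..10, as in the article's example
    confidence: float     # 0..1, the feed's confidence in that severity


@dataclass(frozen=True)
class Vulnerability:
    """A vulnerability present in the environment (constructed shape)."""
    vuln_id: str
    cvss: float           # 0..10 base score
    asset_value: float    # relative business value of the exposed asset, 0..1


def dedupe_reports(reports):
    """Collapse overlapping feeds: keep one report per (threat, target set),
    retaining the report with the highest confidence."""
    best = {}
    for r in reports:
        key = (r.threat_id, r.targets)
        current = best.get(key)
        if current is None or r.confidence > current.confidence:
            best[key] = r
    return list(best.values())


def pair_threats(vulns, reports):
    """Build the threat-vulnerability pairs: vuln_id -> reports that target it."""
    pairs = {v.vuln_id: [] for v in vulns}
    for r in dedupe_reports(reports):
        for target in r.targets:
            if target in pairs:
                pairs[target].append(r)
    return pairs


def threat_term(paired_reports):
    """Confidence-weighted severity on a 0..1 scale; the strongest credible
    report wins. Unpaired vulnerabilities fall back to the baseline."""
    if not paired_reports:
        return BASELINE_THREAT
    return max(r.severity / 10 * r.confidence for r in paired_reports)


def risk_score(vuln, paired_reports):
    """Risk = Threat x Vulnerability x Asset Value, each term normalised to 0..1."""
    return threat_term(paired_reports) * (vuln.cvss / 10) * vuln.asset_value


def prioritize(vulns, reports):
    """Remediation order, highest risk first."""
    pairs = pair_threats(vulns, reports)
    ranked = sorted(vulns, key=lambda v: risk_score(v, pairs[v.vuln_id]), reverse=True)
    return [v.vuln_id for v in ranked]


def cvss_only_order(vulns):
    """The ordering a severity-only approach would produce, for comparison."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample data: three vulnerabilities and three feed entries, two of
# which are the same threat reported by two feeds with different confidence.
VULNS = [
    Vulnerability("vuln-A", cvss=9.8, asset_value=0.5),
    Vulnerability("vuln-B", cvss=6.5, asset_value=1.0),
    Vulnerability("vuln-C", cvss=7.5, asset_value=0.8),
]
REPORTS = [
    ThreatReport("feed-1", "threat-X", frozenset({"vuln-B"}), severity=8, confidence=0.6),
    ThreatReport("feed-2", "threat-X", frozenset({"vuln-B"}), severity=8, confidence=0.9),
    ThreatReport("feed-1", "threat-Y", frozenset({"vuln-C"}), severity=5, confidence=0.3),
]

if __name__ == "__main__":
    print("CVSS-only order:      ", cvss_only_order(VULNS))
    print("Threat-informed order:", prioritize(VULNS, REPORTS))
```

With this data the CVSS-only view puts the 9.8 on a low-value asset first, while the threat-informed view moves the actively exploited 6.5 on a high-value asset to the top; the duplicate report of threat-X is reduced to the single higher-confidence entry before it contributes to the score.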

As the industry dives further into leveraging threat intelligence to make risk-based decisions, Kumar believes there may even be calls for more standardized scoring, similar to what NIST and MITRE do with vulnerabilities.

"In the same way, NIST or some entity has to expand beyond what they do today with vulnerabilities out to attacks," he says.

2/14/2013 | 5:14:44 AM
re: Threat Intelligence Brings Dynamic Decisions To Risk Management
I think there's a real opportunity to measure risk more accurately by factoring in the increasingly accurate threat data that is being collected and disseminated these days. Is anyone out there factoring threat data into their risk equation?
--Tim Wilson, editor, Dark Reading