Risk
2/6/2013
08:50 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Threat Intelligence Brings Dynamic Decisions To Risk Management

As enterprises bring threat intelligence feeds into risk management equations, they could gain a greater fluidity in risk-based decision-making

If risk management is governed by the age-old risk equation -- Risk = Threat x Vulnerability x Asset Value -- then it would follow that the accuracy of each of those attendant variables can make or break an enterprise's IT risk management practice. The security industry has done a lot to hone in on metrics that delineate the latter two: CVSS scoring and countless studies measuring the cost of breaches around specific IT assets have helped risk managers better get their arms around that particular part of the equation. The real sticking point has always been the problem of measuring and tracking the threats.

The threat landscape is so mercurial and threats so dependent on dozens of their own variables that finding a way to measure the probability of a threat hitting its mark can seem a bit of a crapshoot. But that's changing as risk management experts start to depend on the burgeoning market of threat intelligence services to deliver enough real-time information about threats in the wild to make more dynamic risk calculations that allow for the kind of fluid decision-making that can more accurately be described as risk-based security rather than guess-based security.

[Wish you could tell your CEO, 'I told you so'? You're not alone. See Airing Out Security's Dirty Laundry.]

"The way we look at it today, it's an important piece of security data," says J.B. O'Kane, principal consultant for risk management vendor Vigilant, of threat probability. "A lot of vendors are providing threat intelligence feeds, and when we look at the larger space of security data and analytics, it's an important piece of the larger risk management equation."

In years past, only the largest and most mature of enterprises could get a decent lock on the frequency and flavor of the threats knocking at their doors enough to base actionable risk decisions on them. Other organizations simply did not see the volume of cyberthreats or have the resources necessary to analyze those threats to develop usable intelligence around trending attacks. As security companies have built up practices over the past few years to deliver that intelligence, risk managers are just now starting to see how they can leverage these feeds.

"I think organizations great and small can benefit from intelligence feeds, if for no other reason than most organizations don't have the time, energy, or resources to plot and set their own research and intelligence initiatives," says Will Gragido, senior manager of the RSA FirstWatch Advanced Research Intelligence team at RSA NetWitness. "They need to be able to depend on a party or multiple parties to provide the insight into the threat landscape that they themselves don't have."

When organizations do it right, they can base their remediation prioritization of vulnerabilities not just on the vulnerability severity, but how that is tied to or paired with threat frequency and severity, O'Kane says.

"Coming up with a threat-vulnerability pairing can help you hone in on a risk-based approach," O'Kane says. "If the feed is coming in saying you're exposed to these threats, you start to narrow things down and turn the threats and vulnerabilities into pairs so that now they're decision nodes. Now you're getting closer and closer to understanding the true risk that you might be exposed to."

Srinivas Kumar, CTO of TaaSERA, agrees that active intelligence will help drive innovation in IT services, improving early warning and remediation of coordinated and targeted attacks. But it will take equally coordinated efforts to actually integrate threat intelligence into the fabric of today's risk management and security ops practices.

"Threat intelligence is basically the vehicle that helps IT to define all of the security controls to the extent that security controls will accept the threat intelligence," he says. "At the end of the day, there are many security controls they're invested in. They need to have something that's coordinating all of these controls together. Without coordinating, it's going to be difficult to deal with active monitoring."

There are other challenges, as well. For example, some threat feeds are better than others, O'Kane says.

"What's a little different is that it's a little closer to the problem or the problem space [than vulnerability or cost of breach information]. It's near real-time, where the information is a little fresher," he says. "Feeds can vary in their data quality. Some are good feeds, some are bad, some have a lot of error built in. Some have a lot of overlap with other feeds, and so removing that redundancy is always a challenge."

Additionally, finding a way to take the data from the feed and turn it into some sort of metric that can be plugged into the risk formula will take work from both vendors and practitioners, O'Kane says.

He says that his firm and others are trying to improve the accuracy of threat scoring, not only offering a score on the severity of the threat, but also a confidence score on the accuracy of that severity.

"So the severity could be, on a scale of 1 to 10, an 8 severity; however, based on our research, our confidence in that severity score could be 60 percent," he says. "When you have more pieces of information for validation that, yes, this is truly a bad site, in fact we've captured some code from that site, that's where you have a higher degree of confidence in that severity score."

As the industry dives further into leveraging threat intelligence to make risk-based decisions, Kumar believes there may even be calls for more standardized scoring, similar to what NIST and MITRE do with vulnerabilities.

"In the same way, NIST or some entity has to expand beyond what they do today with vulnerabilities out to attacks," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
2/14/2013 | 5:14:44 AM
re: Threat Intelligence Brings Dynamic Decisions To Risk Management
I think there's a real opportunity to measure risk more accurately by factoring in the increasingly accurate threat data that is being collected and disseminated these days.-Š Is anyone out there factoring threat data into their risk equation?
--Tim Wilson, editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web