11:28 AM
Wendy Nather
Wendy Nather

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

Now that we've talked a bit about analytics, I'd like to take on the other thriving buzzword: intelligence -- specifically, threat intelligence, which seems to be part of every security product these days.

What is threat intelligence? First of all, a threat is something that or someone who could exploit your vulnerabilities. It is not the vulnerability itself. A threat could be a person launching an attack, a backhoe near your network cables, a squirrel that likes to chew on insulation, or even a hurricane. It could be the malware that infects your system, the developer who thought it was a good idea to send one email alert for each log event through your Exchange server, or the auditor who may tarnish your good name with a material finding.

Intelligence, on the other hand, varies widely. I have seen the term used to describe the correlated logs in a SIEM (as if simply knowing what was going on in your network was intelligent enough). It is sometimes used to refer to the collection of event data from more than one enterprise; many vendors do this when they receive this data from their products installed at customer sites. Taking this a step further, many security companies have researchers on staff who try to find out what the newest attacks are, which systems they're targeting, and what vectors they're using. All of these types are "intelligence" based on knowing what's happening out there, beyond your own perimeter.

Besides the "what," "where," and "when," there's the "how." Threat intelligence can include the techniques and technology being used in attacks, the critical factors that mean success or failure, or the timing, location, and sources. This is more than just describing what happened; it's information on how to identify it and how to respond to it.

The "who" and the "why" are in the last tier of threat intelligence, and finding out motivation is often easier than attribution. Not many companies are willing to connect attacks and specific actors with a lot of confidence (unless, of course, you have a smoking gun in the form of an insider). But motivation and attribution are very important for organizations that need to prioritize their activities to deal with the most likely threats, particularly if they're concerned about targeted attacks; they're also crucial for law enforcement if they're to investigate these crimes.

What really brings this data to the level of intelligence is not just describing what you get out of customer logs, honeypots, sinkholes, and mailing lists. It's putting together the disparate sources of data and adding more valuable information: which families of malware could be stopped most effectively with limited countermeasures; which kinds of targets are favored by different attacker groups; how to tell who really attacked you (not just who claimed the credit); and how reliable the information is that you've received.

This is where the rubber meets the road, and this is what you should be expecting from anyone who is offering "threat intelligence." It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/20/2012 | 11:20:35 AM
re: Threat Intelligence Hype
SIEM products and providers have certainly jumped on the intelligence concept, where in reality it's a much broader subject, as you mention, covering different security components - many of which may actually be isolated from the SIEM environment. -Thinking things like HR turnover data, internal business projects, social media output and so on. -All can contribute to the infosec 'intel' pre and post incident analysis phase.
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.