Perimeter
11/16/2012
11:28 AM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

Now that we've talked a bit about analytics, I'd like to take on the other thriving buzzword: intelligence -- specifically, threat intelligence, which seems to be part of every security product these days.

What is threat intelligence? First of all, a threat is something that or someone who could exploit your vulnerabilities. It is not the vulnerability itself. A threat could be a person launching an attack, a backhoe near your network cables, a squirrel that likes to chew on insulation, or even a hurricane. It could be the malware that infects your system, the developer who thought it was a good idea to send one email alert for each log event through your Exchange server, or the auditor who may tarnish your good name with a material finding.

Intelligence, on the other hand, varies widely. I have seen the term used to describe the correlated logs in a SIEM (as if simply knowing what was going on in your network was intelligent enough). It is sometimes used to refer to the collection of event data from more than one enterprise; many vendors do this when they receive this data from their products installed at customer sites. Taking this a step further, many security companies have researchers on staff who try to find out what the newest attacks are, which systems they're targeting, and what vectors they're using. All of these types are "intelligence" based on knowing what's happening out there, beyond your own perimeter.

Besides the "what," "where," and "when," there's the "how." Threat intelligence can include the techniques and technology being used in attacks, the critical factors that mean success or failure, or the timing, location, and sources. This is more than just describing what happened; it's information on how to identify it and how to respond to it.

The "who" and the "why" are in the last tier of threat intelligence, and finding out motivation is often easier than attribution. Not many companies are willing to connect attacks and specific actors with a lot of confidence (unless, of course, you have a smoking gun in the form of an insider). But motivation and attribution are very important for organizations that need to prioritize their activities to deal with the most likely threats, particularly if they're concerned about targeted attacks; they're also crucial for law enforcement if they're to investigate these crimes.

What really brings this data to the level of intelligence is not just describing what you get out of customer logs, honeypots, sinkholes, and mailing lists. It's putting together the disparate sources of data and adding more valuable information: which families of malware could be stopped most effectively with limited countermeasures; which kinds of targets are favored by different attacker groups; how to tell who really attacked you (not just who claimed the credit); and how reliable the information is that you've received.

This is where the rubber meets the road, and this is what you should be expecting from anyone who is offering "threat intelligence." It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
simonmoffatt
50%
50%
simonmoffatt,
User Rank: Apprentice
11/20/2012 | 11:20:35 AM
re: Threat Intelligence Hype
SIEM products and providers have certainly jumped on the intelligence concept, where in reality it's a much broader subject, as you mention, covering different security components - many of which may actually be isolated from the SIEM environment. -áThinking things like HR turnover data, internal business projects, social media output and so on. -áAll can contribute to the infosec 'intel' pre and post incident analysis phase.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio