Perimeter
11/16/2012
11:28 AM
Wendy Nather
Wendy Nather
Commentary
50%
50%

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

Now that we've talked a bit about analytics, I'd like to take on the other thriving buzzword: intelligence -- specifically, threat intelligence, which seems to be part of every security product these days.

What is threat intelligence? First of all, a threat is something that or someone who could exploit your vulnerabilities. It is not the vulnerability itself. A threat could be a person launching an attack, a backhoe near your network cables, a squirrel that likes to chew on insulation, or even a hurricane. It could be the malware that infects your system, the developer who thought it was a good idea to send one email alert for each log event through your Exchange server, or the auditor who may tarnish your good name with a material finding.

Intelligence, on the other hand, varies widely. I have seen the term used to describe the correlated logs in a SIEM (as if simply knowing what was going on in your network was intelligent enough). It is sometimes used to refer to the collection of event data from more than one enterprise; many vendors do this when they receive this data from their products installed at customer sites. Taking this a step further, many security companies have researchers on staff who try to find out what the newest attacks are, which systems they're targeting, and what vectors they're using. All of these types are "intelligence" based on knowing what's happening out there, beyond your own perimeter.

Besides the "what," "where," and "when," there's the "how." Threat intelligence can include the techniques and technology being used in attacks, the critical factors that mean success or failure, or the timing, location, and sources. This is more than just describing what happened; it's information on how to identify it and how to respond to it.

The "who" and the "why" are in the last tier of threat intelligence, and finding out motivation is often easier than attribution. Not many companies are willing to connect attacks and specific actors with a lot of confidence (unless, of course, you have a smoking gun in the form of an insider). But motivation and attribution are very important for organizations that need to prioritize their activities to deal with the most likely threats, particularly if they're concerned about targeted attacks; they're also crucial for law enforcement if they're to investigate these crimes.

What really brings this data to the level of intelligence is not just describing what you get out of customer logs, honeypots, sinkholes, and mailing lists. It's putting together the disparate sources of data and adding more valuable information: which families of malware could be stopped most effectively with limited countermeasures; which kinds of targets are favored by different attacker groups; how to tell who really attacked you (not just who claimed the credit); and how reliable the information is that you've received.

This is where the rubber meets the road, and this is what you should be expecting from anyone who is offering "threat intelligence." It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
simonmoffatt
50%
50%
simonmoffatt,
User Rank: Apprentice
11/20/2012 | 11:20:35 AM
re: Threat Intelligence Hype
SIEM products and providers have certainly jumped on the intelligence concept, where in reality it's a much broader subject, as you mention, covering different security components - many of which may actually be isolated from the SIEM environment. -áThinking things like HR turnover data, internal business projects, social media output and so on. -áAll can contribute to the infosec 'intel' pre and post incident analysis phase.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.