Perimeter
11/16/2012
11:28 AM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Threat Intelligence Hype

How to measure the IQ of the data you're being fed

Now that we've talked a bit about analytics, I'd like to take on the other thriving buzzword: intelligence -- specifically, threat intelligence, which seems to be part of every security product these days.

What is threat intelligence? First of all, a threat is something that or someone who could exploit your vulnerabilities. It is not the vulnerability itself. A threat could be a person launching an attack, a backhoe near your network cables, a squirrel that likes to chew on insulation, or even a hurricane. It could be the malware that infects your system, the developer who thought it was a good idea to send one email alert for each log event through your Exchange server, or the auditor who may tarnish your good name with a material finding.

Intelligence, on the other hand, varies widely. I have seen the term used to describe the correlated logs in a SIEM (as if simply knowing what was going on in your network was intelligent enough). It is sometimes used to refer to the collection of event data from more than one enterprise; many vendors do this when they receive this data from their products installed at customer sites. Taking this a step further, many security companies have researchers on staff who try to find out what the newest attacks are, which systems they're targeting, and what vectors they're using. All of these types are "intelligence" based on knowing what's happening out there, beyond your own perimeter.

Besides the "what," "where," and "when," there's the "how." Threat intelligence can include the techniques and technology being used in attacks, the critical factors that mean success or failure, or the timing, location, and sources. This is more than just describing what happened; it's information on how to identify it and how to respond to it.

The "who" and the "why" are in the last tier of threat intelligence, and finding out motivation is often easier than attribution. Not many companies are willing to connect attacks and specific actors with a lot of confidence (unless, of course, you have a smoking gun in the form of an insider). But motivation and attribution are very important for organizations that need to prioritize their activities to deal with the most likely threats, particularly if they're concerned about targeted attacks; they're also crucial for law enforcement if they're to investigate these crimes.

What really brings this data to the level of intelligence is not just describing what you get out of customer logs, honeypots, sinkholes, and mailing lists. It's putting together the disparate sources of data and adding more valuable information: which families of malware could be stopped most effectively with limited countermeasures; which kinds of targets are favored by different attacker groups; how to tell who really attacked you (not just who claimed the credit); and how reliable the information is that you've received.

This is where the rubber meets the road, and this is what you should be expecting from anyone who is offering "threat intelligence." It's not enough just to tell you in detail what has already happened. If it's not helping you make decisions, or be proactive, then it's not worth paying extra for it.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy. Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
simonmoffatt
50%
50%
simonmoffatt,
User Rank: Apprentice
11/20/2012 | 11:20:35 AM
re: Threat Intelligence Hype
SIEM products and providers have certainly jumped on the intelligence concept, where in reality it's a much broader subject, as you mention, covering different security components - many of which may actually be isolated from the SIEM environment. -ŠThinking things like HR turnover data, internal business projects, social media output and so on. -ŠAll can contribute to the infosec 'intel' pre and post incident analysis phase.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web