Threat Intelligence Within a Layered Defense

The layered defense approach
As mentioned in a previous article, a standard practice recommended by the security industry is to layer protection systems at multiple control points throughout a network. The goal is to facilitate threat detection and detailed information gathering to identify and alert on threats or abnormal patterns of user, application or network activity. Security systems are deployed so they can actively monitor every control point and provide practitioners with the data for conducting ongoing threat investigation, analysis and threat response. Ideally, a layered methodology will provide the information practitioners need for a proactive threat protection posture.

A large number of deployed monitoring systems will result in the generation of copious amounts of detailed information. These systems are supposed to give analysts visibility into all activity and allow them to eliminate extraneous activity and focus on potential threats and abnormal behavior. With detailed visibility analysts can proactively scrutinize and conduct real-time analysis of network, device, user and application activity. Visibility helps them to identify a threat source or entry point, routes and other details as well as information about threat actor techniques, tactics and procedures, (TTP) targets and attack objectives.

Layered defenses require multiple security resources deployed to maximize coverage of network, devices, users and traffic. This works until the number of systems and traffic volume can introduce conflicting and confusing data that can complicate assessment and create gaps in security coverage and adversely impact network scalability. A large number of security systems can generate overwhelming traffic, logs, alerts and incident activity that complicate analysis. High traffic volume can also skew network visibility, creating distractions that impact security staff's ability to guard computing resources and users against threats.

Network growth can force the continuous addition of layered security devices and applications. Each type of security system is designed to detect, monitor or prevent specific types of threats or activity. Consequently, layered security can introduce significant coverage overlap between systems, producing duplicate and often conflicting security alerts, incidents and inferences about risk or threats. Additionally, overlapped coverage can introduce and obscure gaps in security, with duplicate information clouding analytical activities, potentially masking security effectiveness. And, in most scenarios, when a gap is found, a usual response is to close it with another system, further swelling traffic volume, devices and management overhead.

The technology bandwagon

Security companies continually react to new types of threats by introducing new products, adding features or rebranding existing product by describing it using the latest current terminology. Product portfolios go through constant release and growth cycles to address market demand, irrespective of similar products already available from competitors. Every company continually introduces changed or new product to respond to shifting market requirements and threat activity. This product churn creates a mish-mash of offerings from with many overlapping capabilities that confound organization product choice, implementation strategy and deployment methods. Organizations are under severe duress trying to understand thousands of products and their capabilities, weaknesses and how to integrate them with existing systems while actively protecting their environment. This is akin to putting wings on an aircraft while in flight. And in the end, the vast selection of products along with a continuously changing network and threat environment make it almost impossible for an organization to determine how well, or badly, they're doing.

So, with all of the conflicting elements in security, how can organizations get better control and access to all the crucial information in their network? A hot topic for the last few years is threat intelligence. As often as this term is touted in marketing materials and various conferences and online discussions, it's not clearly described. Simple questions such as what is it, and how does an organization know what makes up threat intelligence? How do they define threat intelligence metrics, and what systems does one deploy and integrate to create an environment for gathering and analyzing it? Unfortunately, these and many other questions continue to be left unanswered.

The concept of threat intelligence

Even with all the activity around threat intelligence, there is still no clear definition. This lack is driven home by Wikipedia, as it states: "cyber threat intelligence is an elusive concept." To remove potential confusion, let's start with the fact that fundamentally, threat intelligence isn't a single thing or product. It's a set of systematic processes using software, machines and human participants to gather information in order to evaluate user, application, traffic and a network's current risk state and protection effectiveness. It's a combination of procedures to gather and correlate details of network, application and user activity to give security staff intimate knowledge about network traffic and patterns, devices, user actions and behavior so they can advance responses to undesirable activity. Threat intelligence is a component of IT management and feeds into security intelligence with information that can be used to protect an organization from external and internal threats. It comprises a set of defined processes, policies and rules utilizing tools to gather, analyze, compare and classify normal and abnormal traffic, ascertain risk factors and maintain a secure environment.

Without a clear set of standardized activities that define threat intelligence, how can an organization know what products or services help them establish and manage threat intelligence activity. There are many security companies that offer “threat intelligence” capabilities, products and services. Unfortunately, the litany of items and capabilities offered leave more customers confused as to what value they will actually get. Luckily, there are many products that can assist organizations' implementation of a threat intelligence ecosystem, though there is no single product or service that can do that on its own. Contrary to marketing hype, threat intelligence is not a new endeavor, as most companies have been conducting some level of it for decades by gathering and analyzing application, user and network log activity for review and response. This continuous evaluation and analysis of normal or unusual activity has guided the finding, response and elimination of threats. Organizations have been steadfast in their efforts to build threat knowledge, identify and classify normal and abnormal user behavior along with application or network activity by gathering and analyzing reams of data for years to maintain their security efficacy. This is, in essence, a set of processes that is threat intelligence.

A modern threat intelligence environment needs to combine existing and new tools. Modernization must include various types of automation, such as being able to filter low risk traffic to reduce the amount of data needing rigorous analysis. This can be done using machine learning and AI programming that can also help eliminate conflicting and duplicate information. Their output should present high-value data to practitioners for review or submission to other threat analysis tools for further assessment and isolation of a potential threat. Another step can be to execute a possible threat in a protected sandbox to confirm its identify and state of activity in order to develop an appropriate response. Clearly, these examples comprise multiple discrete and closely related processes to gather threat intelligence.

A process called threat intelligence

Any security practitioner requires relevant critical data to conduct detailed real-time threat analysis for response development. It's helpful, but not critical for prevention to know every detail about a threat actor's tactics, techniques and procedures (TTP). Gathering that knowledge, and comparing it against current or past threat activity, or against a publicly available database of known actors' TTP, is a nice-to-have but not a necessity to maintain a secure network environment. The effort and cost involved to gather that information is often well beyond what most organizations have either in time or resources to conduct. Being able to better utilize data gathered every day more effectively is a critical first and consequential step in an effective threat intelligence process. Systematic and robust processes can provide significant benefit to practitioners and their organization, without having to add yet another security layer by adding a newly renamed threat intelligence product.

Many organizations have been gathering threat intelligence information on network traffic, user and application activity for decades. Tremendous amounts of valuable information are already tracked by traditional application and system logs, endpoint, user threat and network intrusion detection/prevention systems (IDS/IPS), firewall, SIEM and other technologies. New technologies introduce real-time monitoring and visibility into critical applications, and can automate data capture and filter extraneous data that free staff time to analyze and respond to higher risk activity. Multiple API connected systems can aggregate input into a single analysis system and apply common policies and rules to better identify and isolate risk activity. By tying together traditional and new resources such as automation, deeper monitoring, data aggregation, visibility for detailed analysis and response means organizations can extend their existing capabilities and create a more capable systematic threat intelligence ecosystem.

— Dan Reis, SecurityNow Expert