
Application Security

10/2/2019
12:00 PM
Dan Reis

Threat Intelligence Within a Layered Defense

A layered approach to security will provide the information practitioners need for a proactive threat protection posture.

The layered defense approach

As mentioned in a previous article, a standard practice recommended by the security industry is to layer protection systems at multiple control points throughout a network. The goal is to facilitate threat detection and detailed information gathering so that threats or abnormal patterns of user, application or network activity can be identified and alerted on. Security systems are deployed so they can actively monitor every control point and provide practitioners with the data for conducting ongoing threat investigation, analysis and response. Ideally, a layered methodology will provide the information practitioners need for a proactive threat protection posture.

A large number of deployed monitoring systems will generate copious amounts of detailed information. These systems are supposed to give analysts visibility into all activity and allow them to eliminate extraneous activity and focus on potential threats and abnormal behavior. With detailed visibility, analysts can proactively scrutinize and conduct real-time analysis of network, device, user and application activity. Visibility helps them identify a threat source or entry point, routes and other details, as well as information about threat actor tactics, techniques and procedures (TTPs), targets and attack objectives.

Layered defenses require multiple security resources deployed to maximize coverage of networks, devices, users and traffic. This works until the number of systems and the traffic volume begin to introduce conflicting and confusing data that complicates assessment, creates gaps in security coverage and adversely impacts network scalability. A large number of security systems can generate overwhelming volumes of traffic, logs, alerts and incident activity that complicate analysis. High traffic volume can also skew network visibility, creating distractions that impair security staff's ability to guard computing resources and users against threats.

Network growth can force the continuous addition of layered security devices and applications. Each type of security system is designed to detect, monitor or prevent specific types of threats or activity. Consequently, layered security can introduce significant coverage overlap between systems, producing duplicate and often conflicting security alerts, incidents and inferences about risk or threats. Additionally, overlapping coverage can introduce and obscure gaps in security, with duplicate information clouding analytical activities and potentially masking how effective the security controls actually are. And, in most scenarios, when a gap is found, the usual response is to close it with yet another system, further swelling traffic volume, device count and management overhead.

The technology bandwagon

Security companies continually react to new types of threats by introducing new products, adding features or rebranding existing products in the latest terminology. Product portfolios go through constant release and growth cycles to address market demand, irrespective of similar products already available from competitors. Every company continually introduces changed or new products to respond to shifting market requirements and threat activity. This product churn creates a mish-mash of offerings with many overlapping capabilities that confounds an organization's product choice, implementation strategy and deployment methods. Organizations are under severe duress trying to understand thousands of products, their capabilities and weaknesses, and how to integrate them with existing systems while actively protecting their environment. This is akin to putting wings on an aircraft while in flight. And in the end, the vast selection of products, along with a continuously changing network and threat environment, makes it almost impossible for an organization to determine how well, or badly, it is doing.

So, with all of the conflicting elements in security, how can organizations get better control of, and access to, all the crucial information in their network? A hot topic for the last few years is threat intelligence. As often as this term is touted in marketing materials, conferences and online discussions, it's not clearly described. Simple questions remain: what is it, and how does an organization know what makes up threat intelligence? How does it define threat intelligence metrics, and what systems does it deploy and integrate to create an environment for gathering and analyzing it? Unfortunately, these and many other questions continue to be left unanswered.

The concept of threat intelligence

Even with all the activity around threat intelligence, there is still no clear definition. This lack is driven home by Wikipedia, which states: "cyber threat intelligence is an elusive concept." To remove potential confusion, let's start with the fact that, fundamentally, threat intelligence isn't a single thing or product. It's a set of systematic processes using software, machines and human participants to gather information in order to evaluate the current risk state and protection effectiveness of users, applications, traffic and the network. It's a combination of procedures to gather and correlate details of network, application and user activity to give security staff intimate knowledge of network traffic and patterns, devices, user actions and behavior, so they can improve their responses to undesirable activity. Threat intelligence is a component of IT management and feeds into security intelligence with information that can be used to protect an organization from external and internal threats. It comprises a set of defined processes, policies and rules, supported by tools, to gather, analyze, compare and classify normal and abnormal traffic, ascertain risk factors and maintain a secure environment.

Without a clear set of standardized activities that define threat intelligence, how can an organization know which products or services help it establish and manage threat intelligence activity? There are many security companies that offer "threat intelligence" capabilities, products and services. Unfortunately, the litany of items and capabilities offered leaves many customers confused as to what value they will actually get. Luckily, there are many products that can assist an organization's implementation of a threat intelligence ecosystem, though no single product or service can do that on its own. Contrary to marketing hype, threat intelligence is not a new endeavor: most companies have been conducting some level of it for decades by gathering and analyzing application, user and network log activity for review and response. This continuous evaluation and analysis of normal and unusual activity has guided the finding, response to and elimination of threats. For years, organizations have been steadfast in their efforts to build threat knowledge and to identify and classify normal and abnormal user behavior, application activity and network activity by gathering and analyzing reams of data in order to maintain their security efficacy. This is, in essence, a set of processes that is threat intelligence.

A modern threat intelligence environment needs to combine existing and new tools. Modernization must include various types of automation, such as being able to filter low-risk traffic to reduce the amount of data needing rigorous analysis. This can be done using machine learning and AI programming that can also help eliminate conflicting and duplicate information. Their output should present high-value data to practitioners for review or submission to other threat analysis tools for further assessment and isolation of a potential threat. Another step can be to execute a possible threat in a protected sandbox to confirm its identity and state of activity in order to develop an appropriate response. Clearly, these examples comprise multiple discrete but closely related processes for gathering threat intelligence.

A process called threat intelligence

Any security practitioner requires relevant critical data to conduct detailed real-time threat analysis for response development. It's helpful, but not critical for prevention, to know every detail about a threat actor's tactics, techniques and procedures (TTPs). Gathering that knowledge and comparing it against current or past threat activity, or against a publicly available database of known actors' TTPs, is a nice-to-have but not a necessity for maintaining a secure network environment. The effort and cost involved in gathering that information are often well beyond the time or resources most organizations have available. Making better use of the data already gathered every day is a critical and consequential first step in an effective threat intelligence process. Systematic and robust processes can provide significant benefit to practitioners and their organization without having to add yet another security layer in the form of a newly renamed threat intelligence product.

Many organizations have been gathering threat intelligence information on network traffic, user and application activity for decades. Tremendous amounts of valuable information are already tracked by traditional application and system logs, endpoint and user threat detection, network intrusion detection/prevention systems (IDS/IPS), firewalls, SIEM and other technologies. New technologies introduce real-time monitoring and visibility into critical applications, and can automate data capture and filter extraneous data, freeing staff time to analyze and respond to higher-risk activity. Multiple API-connected systems can aggregate their input into a single analysis system and apply common policies and rules to better identify and isolate risky activity. Tying together traditional and new resources such as automation, deeper monitoring, data aggregation and visibility for detailed analysis and response means organizations can extend their existing capabilities and create a more capable, systematic threat intelligence ecosystem.
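The aggregation step described above, together with the earlier points about overlapping tools producing duplicate alerts and about filtering low-risk data before analysis, is easier to see in working code. The following Python sketch is an added example, not code from the article or from any product it refers to. It assumes three hypothetical monitoring tools ("ids", "firewall", "edr") that each report the same kinds of events with their own field names and severity scales; the adapters, the 0-100 severity mapping, the five-minute merge window, the authorized-scanner allowlist and all sample alerts are constructed assumptions. It normalizes every alert into one schema, merges detections that describe the same source, destination and category within the window (recording which tools corroborated them), and then applies a single rule set that drops known-benign noise, keeps anything seen by two or more tools, and otherwise keeps only alerts above a severity threshold.

```python
"""Aggregate alerts from several overlapping monitoring tools into one
normalized, deduplicated, risk-ranked view.

Hypothetical example: tool names, field names, severity scales, the
allowlist and the sample alerts are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample alerts. Three tools observe the same port scan
# (10.0.0.7 -> 10.0.1.20) with different field names and severity scales,
# which is exactly the coverage overlap that produces duplicate alerts.
RAW_ALERTS = [
    {"tool": "ids", "ts": "2019-10-02T12:00:05", "src": "10.0.0.7",
     "dst": "10.0.1.20", "sig": "port-scan", "priority": 2},
    {"tool": "firewall", "time": "2019-10-02T12:00:09", "source_ip": "10.0.0.7",
     "dest_ip": "10.0.1.20", "rule": "port-scan", "level": "medium"},
    {"tool": "edr", "when": "2019-10-02T12:00:12", "host_ip": "10.0.1.20",
     "peer_ip": "10.0.0.7", "detection": "port-scan", "score": 55},
    {"tool": "ids", "ts": "2019-10-02T12:01:30", "src": "10.0.0.9",
     "dst": "10.0.1.21", "sig": "icmp-echo", "priority": 3},
    {"tool": "edr", "when": "2019-10-02T12:02:00", "host_ip": "10.0.1.23",
     "peer_ip": "10.0.0.50", "detection": "credential-dump", "score": 90},
    {"tool": "firewall", "time": "2019-10-02T13:30:00", "source_ip": "10.0.0.7",
     "dest_ip": "10.0.1.22", "rule": "port-scan", "level": "medium"},
]


# Per-tool adapters map each tool's fields and severity scale onto the
# common schema: time, src, dst, category, severity (0-100).
def _from_ids(a):
    # Hypothetical IDS: priority 1 is most severe; map 1..3 -> 90, 60, 30.
    return {"time": a["ts"], "src": a["src"], "dst": a["dst"],
            "category": a["sig"], "severity": {1: 90, 2: 60, 3: 30}[a["priority"]]}


def _from_firewall(a):
    return {"time": a["time"], "src": a["source_ip"], "dst": a["dest_ip"],
            "category": a["rule"],
            "severity": {"low": 30, "medium": 60, "high": 90}[a["level"]]}


def _from_edr(a):
    # Hypothetical EDR reports from the victim host's point of view, so the
    # peer is the source of the activity.
    return {"time": a["when"], "src": a["peer_ip"], "dst": a["host_ip"],
            "category": a["detection"], "severity": a["score"]}


ADAPTERS = {"ids": _from_ids, "firewall": _from_firewall, "edr": _from_edr}


def normalize(raw_alerts):
    """Convert every tool-specific alert to the common schema, time-sorted."""
    out = []
    for a in raw_alerts:
        n = ADAPTERS[a["tool"]](a)
        n["time"] = datetime.fromisoformat(n["time"])
        n["sources"] = {a["tool"]}
        out.append(n)
    return sorted(out, key=lambda n: n["time"])


def deduplicate(alerts, window=timedelta(minutes=5)):
    """Merge alerts with the same (src, dst, category) that arrive within
    `window` of the previous one; keep the highest severity and record every
    tool that saw the activity so corroboration can be counted later."""
    merged, open_groups = [], {}
    for a in alerts:
        key = (a["src"], a["dst"], a["category"])
        group = open_groups.get(key)
        if group is not None and a["time"] - group["last_seen"] <= window:
            group["severity"] = max(group["severity"], a["severity"])
            group["sources"] |= a["sources"]
            group["last_seen"] = a["time"]
        else:
            group = dict(a, sources=set(a["sources"]),
                         first_seen=a["time"], last_seen=a["time"])
            del group["time"]
            merged.append(group)
            open_groups[key] = group
    return merged


# One common policy applied to the merged view, independent of which tool
# fired. Constructed: an authorized vulnerability scanner and a benign category.
KNOWN_SCANNERS = {"10.0.0.9"}
LOW_RISK_CATEGORIES = {"icmp-echo"}


def triage(alerts, min_severity=50):
    """Drop allowlisted-scanner and low-risk-category noise, keep anything
    corroborated by two or more tools, otherwise keep only alerts at or
    above `min_severity`; rank by corroboration, then severity."""
    kept = []
    for a in alerts:
        if a["src"] in KNOWN_SCANNERS or a["category"] in LOW_RISK_CATEGORIES:
            continue
        if len(a["sources"]) >= 2 or a["severity"] >= min_severity:
            kept.append(a)
    return sorted(kept, key=lambda a: (len(a["sources"]), a["severity"]),
                  reverse=True)


def run(raw_alerts):
    """Full pipeline: normalize -> deduplicate -> triage."""
    return triage(deduplicate(normalize(raw_alerts)))


if __name__ == "__main__":
    for a in run(RAW_ALERTS):
        print(f"{sorted(a['sources'])} {a['src']} -> {a['dst']} "
              f"{a['category']} sev={a['severity']}")
```

On the constructed input, six raw alerts collapse to four merged groups and three triaged findings: the port scan corroborated by all three tools ranks first, the single-source high-severity credential-dump detection second, and the later single-source port scan third, while the authorized scanner's ICMP probe is filtered out. The adapters are deliberately the only tool-specific code; everything after `normalize` works on the common schema, which is what lets one policy replace three vendors' overlapping rule sets.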

— Dan Reis, SecurityNow Expert
