Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

12:00 PM
Dan Reis

Threat Intelligence Within a Layered Defense

A layered approach to security will provide the information practitioners need for a proactive threat protection posture.

The layered defense approach
As mentioned in a previous article, a standard practice recommended by the security industry is to layer protection systems at multiple control points throughout a network. The goal is to detect threats and gather detailed information so that threats or abnormal patterns of user, application or network activity can be identified and alerted on. Security systems are deployed so they actively monitor every control point and give practitioners the data for ongoing threat investigation, analysis and response. Ideally, a layered methodology provides the information practitioners need for a proactive threat protection posture.

A large number of deployed monitoring systems will generate copious amounts of detailed information. These systems are supposed to give analysts visibility into all activity, allow them to eliminate extraneous activity and let them focus on potential threats and abnormal behavior. With detailed visibility, analysts can proactively scrutinize and conduct real-time analysis of network, device, user and application activity. Visibility helps them identify a threat source or entry point, routes and other details, as well as information about threat actor tactics, techniques and procedures (TTPs), targets and attack objectives.

Layered defenses require multiple security resources deployed to maximize coverage of network, devices, users and traffic. This works until the number of systems and the volume of traffic they generate start to introduce conflicting and confusing data that complicates assessment, creates gaps in security coverage and hurts network scalability. A large number of security systems can generate overwhelming traffic, logs, alerts and incident activity that complicate analysis. High traffic volume can also skew network visibility, creating distractions that impair security staff's ability to guard computing resources and users against threats.

Network growth can force the continuous addition of layered security devices and applications. Each type of security system is designed to detect, monitor or prevent specific types of threats or activity, so layered security can introduce significant coverage overlap between systems, producing duplicate and often conflicting alerts, incidents and inferences about risk or threats. Overlapping coverage can also introduce and obscure gaps in security, with duplicate information clouding analysis and masking how effective the controls actually are. And in most scenarios, when a gap is found, the usual response is to close it with yet another system, further swelling traffic volume, device count and management overhead.

The technology bandwagon

Security companies continually react to new types of threats by introducing new products, adding features or rebranding an existing product with the latest terminology. Product portfolios go through constant release and growth cycles to address shifting market requirements and threat activity, irrespective of similar products already available from competitors. This product churn creates a mish-mash of offerings with many overlapping capabilities that confound an organization's product choice, implementation strategy and deployment methods. Organizations are under severe duress trying to understand thousands of products, their capabilities and weaknesses, and how to integrate them with existing systems while actively protecting their environment. This is akin to putting wings on an aircraft while in flight. In the end, the vast selection of products, together with a continuously changing network and threat environment, makes it almost impossible for an organization to determine how well, or how badly, it is doing.

So, with all of the conflicting elements in security, how can organizations get better control of, and access to, all the crucial information in their network? A hot topic for the last few years is threat intelligence. As often as the term is touted in marketing materials, at conferences and in online discussions, it is rarely clearly described. Simple questions remain: What is it? How does an organization know what makes up threat intelligence? How does it define threat intelligence metrics, and what systems does it deploy and integrate to create an environment for gathering and analyzing it? Unfortunately, these and many other questions continue to be left unanswered.

The concept of threat intelligence

Even with all the activity around threat intelligence, there is still no clear definition. Wikipedia drives the point home when it states: "cyber threat intelligence is an elusive concept." To remove potential confusion, let's start with the fact that, fundamentally, threat intelligence isn't a single thing or product. It's a set of systematic processes, using software, machines and human participants, to gather information in order to evaluate the current risk state and protection effectiveness of users, applications, traffic and the network. It combines procedures for gathering and correlating details of network, application and user activity so that security staff have intimate knowledge of traffic patterns, devices and user behavior, and can respond to undesirable activity faster. Threat intelligence is a component of IT management that feeds security intelligence with information usable for protecting an organization from external and internal threats. It comprises defined processes, policies and rules, supported by tools, to gather, analyze, compare and classify normal and abnormal traffic, ascertain risk factors and maintain a secure environment.

Without a clear set of standardized activities that define threat intelligence, how can an organization know which products or services will help it establish and manage threat intelligence activity? Many security companies offer "threat intelligence" capabilities, products and services. Unfortunately, the litany of items and capabilities on offer leaves customers confused about what value they will actually get. Many products can assist an organization in implementing a threat intelligence ecosystem, but no single product or service can do it on its own. Contrary to marketing hype, threat intelligence is not a new endeavor: most companies have been conducting some level of it for decades by gathering and analyzing application, user and network log activity for review and response. This continuous evaluation of normal and unusual activity has guided the finding, response to and elimination of threats. Organizations have spent years building threat knowledge, identifying and classifying normal and abnormal user behavior, and tracking application and network activity by gathering and analyzing reams of data, all in order to maintain their security efficacy. That set of processes is, in essence, threat intelligence.

A modern threat intelligence environment needs to combine existing and new tools. Modernization must include various types of automation, such as filtering low-risk traffic to reduce the amount of data that needs rigorous analysis. Machine learning and AI can help here, and can also help eliminate conflicting and duplicate information. Their output should present high-value data to practitioners for review, or feed it to other threat analysis tools for further assessment and isolation of a potential threat. Another step can be to execute a suspected threat in a protected sandbox to confirm its identity and behavior in order to develop an appropriate response. Clearly, these examples comprise multiple discrete but closely related processes for gathering threat intelligence.

A process called threat intelligence

Any security practitioner requires relevant, critical data to conduct detailed real-time threat analysis and develop a response. It is helpful, but not critical for prevention, to know every detail about a threat actor's tactics, techniques and procedures (TTPs). Gathering that knowledge and comparing it against current or past threat activity, or against a publicly available database of known actors' TTPs, is a nice-to-have but not a necessity for maintaining a secure network environment. The effort and cost involved in gathering that information is often well beyond the time and resources most organizations have. Making more effective use of the data already gathered every day is the critical first step in an effective threat intelligence process. Systematic and robust processes can provide significant benefit to practitioners and their organization without adding yet another security layer in the form of a newly renamed threat intelligence product.

Many organizations have been gathering threat intelligence information on network traffic, user and application activity for decades. Tremendous amounts of valuable information are already tracked by traditional application and system logs, endpoint and user threat detection, network intrusion detection/prevention systems (IDS/IPS), firewalls, SIEM and other technologies. Newer technologies introduce real-time monitoring and visibility into critical applications, and can automate data capture and filter extraneous data, freeing staff time to analyze and respond to higher-risk activity. Multiple API-connected systems can aggregate input into a single analysis system and apply common policies and rules to better identify and isolate risky activity. Tying together traditional and new resources such as automation, deeper monitoring, data aggregation and visibility for detailed analysis and response lets organizations extend their existing capabilities and create a more capable, systematic threat intelligence ecosystem.
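The aggregation step described above, and the duplicate and conflicting alerts that overlapping coverage produces earlier in the article, are easier to reason about in code. The following is an added example written for this edit, not code from the article or from any product it mentions. It normalizes constructed sample lines from three hypothetical sensors (a firewall, a network IDS and an endpoint agent, each with its own made-up log format and severity scale) into one schema, collapses repeats of the same signal from the same sensor, groups what remains by source and destination within a time window, and applies one common rule set: weak signals seen by a single sensor are filtered out as routine, while the same pair reported by several independent sensors is scored higher because the overlap now corroborates rather than duplicates. The field names, formats, severity mappings and the 5-minute window are all assumptions chosen for the illustration.

```python
"""Normalize alerts from several sensors into one schema, collapse duplicates from
overlapping coverage, correlate across sensors and rank with a common rule set.
Added illustration; every log format and threshold here is an assumption."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window
LOW_RISK_CUTOFF = 3            # assumed: a lone signal below this is filtered as noise


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    signal: str    # sensor's detection name, kept verbatim
    severity: int  # normalized onto a common 0-10 scale


# Constructed sample input, one hypothetical format per sensor.
FIREWALL_LINES = [
    "2020-09-23T10:00:01Z DENY src=10.0.0.5 dst=203.0.113.9 dport=4444 sev=3",
    "2020-09-23T10:00:03Z DENY src=10.0.0.5 dst=203.0.113.9 dport=4444 sev=3",
    "2020-09-23T10:00:20Z ALLOW src=10.0.0.7 dst=198.51.100.2 dport=443 sev=1",
]
IDS_LINES = [
    '{"ts":"2020-09-23T10:00:02Z","sig":"ET TROJAN reverse shell","src":"10.0.0.5","dst":"203.0.113.9","priority":2}',
    '{"ts":"2020-09-23T10:05:00Z","sig":"Port scan","src":"10.0.0.9","dst":"10.0.0.1","priority":3}',
]
EDR_LINES = [
    "2020-09-23 10:00:02 host=ws05(10.0.0.5) detection=reverse-shell-spawn remote=203.0.113.9 score=8",
]


def _ts(s):
    # Accept both "YYYY-MM-DDTHH:MM:SSZ" and "YYYY-MM-DD HH:MM:SS".
    return datetime.strptime(s.replace(" ", "T").rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def parse_firewall(line):
    m = re.match(r"(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+) sev=(\d)$", line)
    ts, action, src, dst, dport, sev = m.groups()
    # Firewall rates 1-5; scale onto the common 0-10 range.
    return Event(_ts(ts), "firewall", src, dst, f"{action.lower()} tcp/{dport}", int(sev) * 2)


def parse_ids(line):
    d = json.loads(line)
    # IDS priority 1 is the most severe; map onto the common scale.
    return Event(_ts(d["ts"]), "ids", d["src"], d["dst"], d["sig"], {1: 10, 2: 7, 3: 4}[d["priority"]])


def parse_edr(line):
    m = re.match(r"(\S+ \S+) host=[^(]+\(([^)]+)\) detection=(\S+) remote=(\S+) score=(\d+)$", line)
    ts, src, detection, dst, score = m.groups()
    return Event(_ts(ts), "edr", src, dst, detection, int(score))  # already 0-10


def dedupe(events):
    """Collapse repeats of one signal from one sensor inside WINDOW into (event, count)."""
    kept = []
    for e in sorted(events, key=lambda e: e.ts):
        for k in kept:
            same = (k[0].sensor, k[0].src, k[0].dst, k[0].signal) == (e.sensor, e.src, e.dst, e.signal)
            if same and e.ts - k[0].ts <= WINDOW:
                k[1] += 1
                break
        else:
            kept.append([e, 1])
    return kept


def correlate(events):
    """Group deduplicated events by (src, dst) inside WINDOW and apply the common rules."""
    incidents = []
    for e, count in dedupe(events):
        for inc in incidents:
            if (inc["src"], inc["dst"]) == (e.src, e.dst) and e.ts - inc["first_seen"] <= WINDOW:
                inc["events"].append((e, count))
                break
        else:
            incidents.append({"src": e.src, "dst": e.dst, "first_seen": e.ts, "events": [(e, count)]})
    ranked = []
    for inc in incidents:
        sensors = sorted({e.sensor for e, _ in inc["events"]})
        base = max(e.severity for e, _ in inc["events"])
        if len(sensors) == 1 and base < LOW_RISK_CUTOFF:
            continue  # Rule 1: weak signal from a single sensor is routine noise
        score = min(10, base + (len(sensors) - 1))  # Rule 2: independent agreement raises confidence
        ranked.append({
            "src": inc["src"], "dst": inc["dst"], "sensors": sensors, "score": score,
            "signals": [f"{e.sensor}:{e.signal} x{c}" for e, c in inc["events"]],
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def run():
    events = ([parse_firewall(l) for l in FIREWALL_LINES]
              + [parse_ids(l) for l in IDS_LINES]
              + [parse_edr(l) for l in EDR_LINES])
    return correlate(events)


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

On the sample input the two firewall denies collapse into one signal with a count of 2, the firewall, IDS and endpoint reports for 10.0.0.5 to 203.0.113.9 become a single incident scored 10 with three corroborating sensors, the lone IDS port-scan alert stays as a lower-priority incident, and the routine allowed HTTPS connection is filtered out. The design point is that the correlation key and the severity scale are shared across sensors, so adding another overlapping control feeds corroboration instead of adding a parallel stream of near-duplicate alerts.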

— Dan Reis, SecurityNow Expert
