Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Machine Learning

2/5/2018
08:05 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Can Machine Learning Overcome the Threat Intelligence Gap?

Threat intelligence is a major concern for enterprises. Security firm Recorded Future believes machine learning can help overcome the gap between the haves and the have-nots.

Feeds, risk lists, analyst notes, Dark Web sources, threat research factoids and more. Compiled into a kind of security encyclopedia for reference. But the number of volumes is too big, and the pages regularly go missing or fall out.

No one can really find what they're looking for. This is the threat intelligence (TI) challenge we all face. A fragmented deluge of information with only a few worthy nuggets within. And it's probably going to get worse before it gets better.

"The fundamental problem is scale," Matt Kodama, vice president of product at Recorded Future, a Somerville, Mass., TI firm, told Security Now. "Threat actors, malware tools, web-connected infrastructure and our threat surfaces of exploitable technologies are all growing much faster than security or risk teams, with no end in sight."

Couple this with a shortage of TI talent in the market, which threatens staff turnover and loss of knowledge, and enterprise worries begin to multiply.

Fortunately, the emergence of TI in the last couple of years has begun to assist security teams at an operational level in understanding today's threats by providing a heads-up before a potential attack. But Kodama points to a lack of intelligence about potential threats at the strategic level that is stymieing long-term planning.

"TI should help business leaders to see and take tough strategic decisions that permanently reduce risk. The private sector needs threat teams that can support them at both operational and strategic levels," he said.

Intelligence challenges
The real issue is not that there's a lack of clear information; it's weeding out threats that have proximity to the enterprise, while also getting arms around data from a pool that is more like an ocean. There's a growing acceptance in the industry that machine learning provides support where humans are failing.

"Machine learning is used in collection of documents from web sources, for semantic analysis of text to identify relevant topics, entities, and events, and in predictive risk scoring models," said Kodama.

Currently, effective machine learning is enabled through training data, with security teams effectively baby-sitting until the technology is mature enough to fly the nest.

Not only are enterprises challenged by the scale of threat information, they're also struggling to manage multiple TI providers and platforms. Kodama believes that rationalizing reporting complexity and centralizing information from analyst notes with platform data are the answer.

"Every use case for threat intelligence has unique requirements," he said. "The wrong data integrated in monitoring and alerting solutions can inundate teams with false positives and noise. The ability to tailor the data stream for their specific needs and use cases enables organizations to have the threat intelligence they need where they need it."

Market response
The market for TI solutions includes the "have," and the "have-nots."

For enterprises that have TI, there's a desire for more coverage and less complexity. These firms are going through a workload balancing exercise where freeing up TI teams to do more analysis work is the goal.

"They want faster, tighter collaboration between TI, SOC, IR and VRM without bringing in yet another security data technology to deploy and manage," said Kodama. Those without TI -- the majority of companies -- have a different set of requirements as they search the market.

These companies struggle with alerting on incidents outside their network, such as brand monitoring, exposed credentials, exposed source code or intellectual property. They want better quality indicators of compromise for detection controls. And, no surprise, they need more rapid, more relevant information in order to assess risk and potentially escalate to avoid issues.

Asked if adding an end-to-end solution means a substitution or "rip and replace" scenario where there's overlap, Recorded Future counters that actually, most organizations don't even have a threat intelligence platform yet. For those that have a more mature TI approach or team, the firm will work alongside existing SIEMs, incident response platforms, and security orchestration and automation platforms.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.