Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Machine Learning

2/5/2018
08:05 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Can Machine Learning Overcome the Threat Intelligence Gap?

Threat intelligence is a major concern for enterprises. Security firm Recorded Future believes machine learning can help overcome the gap between the haves and the have-nots.

Feeds, risk lists, analyst notes, Dark Web sources, threat research factoids and more. Compiled into a kind of security encyclopedia for reference. But the number of volumes is too big, and the pages regularly go missing or fall out.

No one can really find what they're looking for. This is the threat intelligence (TI) challenge we all face. A fragmented deluge of information with only a few worthy nuggets within. And it's probably going to get worse before it gets better.

"The fundamental problem is scale," Matt Kodama, vice president of product at Recorded Future, a Somerville, Mass., TI firm, told Security Now. "Threat actors, malware tools, web-connected infrastructure and our threat surfaces of exploitable technologies are all growing much faster than security or risk teams, with no end in sight."

Couple this with a shortage of TI talent in the market, which threatens staff turnover and loss of knowledge, and enterprise worries begin to multiply.

Fortunately, the emergence of TI in the last couple of years has begun to assist security teams at an operational level in understanding today's threats by providing a heads-up before a potential attack. But Kodama points to a lack of intelligence about potential threats at the strategic level that is stymieing long-term planning.

"TI should help business leaders to see and take tough strategic decisions that permanently reduce risk. The private sector needs threat teams that can support them at both operational and strategic levels," he said.

Intelligence challenges
The real issue is not that there's a lack of clear information; it's weeding out threats that have proximity to the enterprise, while also getting arms around data from a pool that is more like an ocean. There's a growing acceptance in the industry that machine learning provides support where humans are failing.

"Machine learning is used in collection of documents from web sources, for semantic analysis of text to identify relevant topics, entities, and events, and in predictive risk scoring models," said Kodama.

Currently, effective machine learning is enabled through training data, with security teams effectively baby-sitting until the technology is mature enough to fly the nest.

Not only are enterprises challenged by the scale of threat information, they're also struggling to manage multiple TI providers and platforms. Kodama believes that rationalizing reporting complexity and centralizing information from analyst notes with platform data are the answer.

"Every use case for threat intelligence has unique requirements," he said. "The wrong data integrated in monitoring and alerting solutions can inundate teams with false positives and noise. The ability to tailor the data stream for their specific needs and use cases enables organizations to have the threat intelligence they need where they need it."

Market response
The market for TI solutions includes the "have," and the "have-nots."

For enterprises that have TI, there's a desire for more coverage and less complexity. These firms are going through a workload balancing exercise where freeing up TI teams to do more analysis work is the goal.

"They want faster, tighter collaboration between TI, SOC, IR and VRM without bringing in yet another security data technology to deploy and manage," said Kodama. Those without TI -- the majority of companies -- have a different set of requirements as they search the market.

These companies struggle with alerting on incidents outside their network, such as brand monitoring, exposed credentials, exposed source code or intellectual property. They want better quality indicators of compromise for detection controls. And, no surprise, they need more rapid, more relevant information in order to assess risk and potentially escalate to avoid issues.

Asked if adding an end-to-end solution means a substitution or "rip and replace" scenario where there's overlap, Recorded Future counters that actually, most organizations don't even have a threat intelligence platform yet. For those that have a more mature TI approach or team, the firm will work alongside existing SIEMs, incident response platforms, and security orchestration and automation platforms.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.