

Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams

New category of technology promises to aggregate all threat intelligence feeds and help security teams find the attacks that could cause the most damage

At the headquarters of a major bank in New York, a team of IT security specialists is poring over reams of data. They’ve just received word that there’s a new online banking exploit in the wild, and they’re working against the clock to figure out what the attack looks like – and whether it has breached their defenses. At this moment, though, their enemy isn’t a hacker. It’s the dozens of disparate, uncoordinated data feeds that might contain information about the new threat – but can only be scanned manually.

Every day, security operations center (SOC) staffs in all types of industries and geographies are faced with scenarios similar to this one. They’ve subscribed to many different threat intelligence feeds that promise insight on the latest attacks -- but now they’ve got so much data that identifying and correlating information about a single attack is like finding a needle in a haystack. And if they don’t find the key threat data they need, they could leave their organizations open to a damaging attack.

Several startup technology vendors – including one, ThreatQuotient, just emerging from stealth today – have launched recently to help enterprises aggregate and correlate incoming threat data from many different sources and speed the process of digging out the relevant indicators of compromise. These "threat intelligence platforms" promise to provide a single funnel for channeling and analyzing the growing firehose of threat data emanating from dozens of disparate threat intelligence services and open-source organizations that provide notifications of newly-emerging exploits and vulnerabilities.

Another startup, TruSTAR, promises to advance the security information sharing process by providing the means to anonymously report and share threat and breach data across enterprises -- and eventually, entire industries.

"Security analysts are being inundated with threat information," notes Wayne Chiang, CEO and co-founder of ThreatQuotient, which announced its official launch June 2. "It’s reached the point where that glut of data is preventing them from doing the one thing that all of these feeds were supposed to do in the first place, which is to identify the threats that are relevant to their organizations and respond."

Threat intelligence platforms -- a new category of software and services coming from emerging players such as ThreatConnect, ThreatQuotient, and ThreatStream – promise to aggregate and help correlate threat data emanating from the growing base of threat intelligence service providers, such as CrowdStrike and iSight Partners. The platform vendors, all less than three years old, offer a single portal for analyzing data not only from commercial providers, but from open-source threat data providers such as US-CERT.

"Threat intelligence is one of the fastest ways of getting real information about new attacks and detecting the indicators of advanced, sophisticated attacks," says Wade Baker, vice president of strategy and risk analytics at ThreatConnect. Baker formerly was a founding author of Verizon Business’ Data Breach Investigations Report (DBIR), one of the industry’s best-known sources of information about IT security compromises. "Threat intelligence works – the problem is just that there’s so much information that it’s difficult to organize and confusing to the people who have to develop a response."

The problem, experts say, is that there are so many sources of threat information – and threat data is not filed in a common format. Mitre Corp. has helped the situation by developing the specifications known as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII), but threat reports can still be found in many different formats, ranging from simple text to PDF documents and Excel spreadsheets.

"STIX and TAXII help, but we still find a lot of threat data that is in lots of different formats, and a lot of it contains information that shouldn’t be in the stream," says Colby DeRodeff, chief strategy officer at ThreatStream.

Most large enterprises use security information and event management (SIEM) systems to aggregate and analyze their internal security log and event data. But SIEM data requires a good deal of filtering, DeRodeff notes, and simply pouring threat data into a SIEM system can create an overabundance of false positives that cause alarm bells to ring unnecessarily -- and may cause security operations teams to expend time unproductively.

SIEM systems may also not support the various tools that security data analysts use to evaluate threat data, Baker says. "SIEM works well for collecting event data, but it’s not a great toolbench for data analysts," he states.

Threat intelligence platforms provide a lighter, more versatile system for importing threat data from many different sources, correlating that data, and then exporting it to systems such as SIEM or trouble ticketing systems that can trigger the IT staff to take steps toward remediation. A threat intelligence platform significantly reduces the time spent by data analysts to aggregate and rationalize the threat data they receive, the technology vendors say. And it may also help enterprises to identify the threat sources and data that are the most useful and accurate for their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.

"Ultimately, we can give you a sense for how much value there is in a feed," says Chiang. "But for the near term, the biggest benefit is the time it saves the people who do the analysis. We’re giving them a way to operationalize all of the data they are getting, putting them in a better position to act on it."

Over the longer term, threat intelligence platforms have the potential to become more strategic in scope, some technology vendors say. For example, several of the early platforms have the ability to rank threats according to their severity, the reputation of the data source, and/or the relevance of the threat to a specific organization. By collecting such data, the threat intelligence platform could eventually become a good tool for benchmarking enterprise cyber risk – a metric that is essential to the business but elusive in its measurement.
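The pipeline the article sketches in three places (ingesting indicators that arrive in differing formats, as in the STIX/TAXII paragraph; normalising and correlating them and handing matches on to a SIEM or ticketing system; and ranking by severity, source reputation and relevance) is shown below as an added Python example. It is not code from the article or from any of the vendors named. The feeds, the simplified STIX 2-style indicator objects, the source-reputation weights and the proxy/DNS log lines are all constructed for the demonstration, and the scoring formula is an assumption chosen to illustrate the idea, not any product's method.

```python
"""Toy threat-intelligence aggregation: normalise indicators from several feed
formats, de-duplicate across sources, score them, and correlate against logs.
Every feed, weight and log line here is constructed for illustration."""
import csv
import io
import json
import re

# Constructed sample feeds. IPs are from documentation ranges (RFC 5737)
# and hostnames use reserved example domains; none are real indicators.
FEED_CSV = """indicator,type,severity
203.0.113.9,ipv4,high
malware.example.net,domain,medium
"""

# Simplified STIX 2-style bundle (only the fields this toy parser reads).
FEED_STIX = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9']",
         "labels": ["malicious-activity"]},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.example.org']",
         "labels": ["malicious-activity"]},
    ],
})

FEED_TEXT = """# plain-text blocklist, one indicator per line
198.51.100.7
malware.example.net
"""

# Assumption: operator-assigned reputation per source, 0..1.
SOURCE_REPUTATION = {"vendor-csv": 0.9, "sharing-group-stix": 0.7, "open-list": 0.4}
SEVERITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}

_STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_csv(text, source):
    """Vendor CSV with explicit type and severity columns."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"].strip(), row["type"], row["severity"], source


def parse_stix(text, source):
    """Pull single-comparison patterns out of STIX indicator objects."""
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _STIX_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue  # compound patterns are out of scope for the toy parser
        kind = "ipv4" if m.group(1) == "ipv4-addr" else "domain"
        yield m.group(2), kind, "medium", source  # no severity given: assume medium


def parse_text(text, source):
    """Bare blocklist: infer the type, assign low severity since none is stated."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = "ipv4" if _IPV4.fullmatch(line) else "domain"
        yield line, kind, "low", source


def aggregate(feeds):
    """Merge feeds into one record per (type, value), keeping every source
    that reported it and the highest severity any source assigned."""
    merged = {}
    for parser, text, source in feeds:
        for value, kind, severity, src in parser(text, source):
            rec = merged.setdefault((kind, value), {"sources": set(), "severity": "low"})
            rec["sources"].add(src)
            if SEVERITY_WEIGHT[severity] > SEVERITY_WEIGHT[rec["severity"]]:
                rec["severity"] = severity
    return merged


def score(rec):
    """Rank by best source reputation x severity, with a bonus per corroborating source."""
    reputation = max(SOURCE_REPUTATION[s] for s in rec["sources"])
    corroboration = 1 + 0.25 * (len(rec["sources"]) - 1)
    return round(reputation * SEVERITY_WEIGHT[rec["severity"]] * corroboration, 3)


def correlate(merged, log_lines):
    """Match indicators against key=value log lines; return hits, highest score first.
    The returned dicts are what would be exported to a SIEM or ticketing system."""
    hits = []
    for line in log_lines:
        tokens = {tok.split("=", 1)[-1] for tok in line.split()}
        for (kind, value), rec in merged.items():
            if value in tokens:
                hits.append({"indicator": value, "type": kind, "score": score(rec),
                             "sources": sorted(rec["sources"]), "log": line})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


FEEDS = [(parse_csv, FEED_CSV, "vendor-csv"),
         (parse_stix, FEED_STIX, "sharing-group-stix"),
         (parse_text, FEED_TEXT, "open-list")]

LOG_LINES = [  # constructed proxy/DNS log lines
    "2015-06-02T10:01:00Z proxy src=10.0.0.12 dst=203.0.113.9 host=cdn.example.org",
    "2015-06-02T10:02:00Z dns src=10.0.0.31 query=malware.example.net",
    "2015-06-02T10:03:00Z dns src=10.0.0.40 query=intranet.example.com",
]

if __name__ == "__main__":
    for hit in correlate(aggregate(FEEDS), LOG_LINES):
        print(hit["score"], hit["type"], hit["indicator"], hit["sources"])
```

The corroboration bonus is what makes the same indicator seen in two feeds outrank a higher-reputation indicator seen once; in a real deployment the reputation table would be tuned from how often each feed's hits turn out to be true positives, which is the "value of a feed" measurement the vendors describe.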

"You could see it following a path similar to GRC [governance, risk, and compliance], only for threats," Baker says. "You’re using the platform to determine which threats are most important to your organization, who’s targeting you, where the risk is coming from. This is something that a lot of security people – and a lot of top executives – have been asking for."

And once the enterprise team can quickly identify its own compromises, threats, and risks, there is greater opportunity for information sharing among private enterprises and across entire industries, notes Paul Kurtz, co-founder and CEO of TruSTAR, a startup company that has developed a patented technology for the anonymous sharing of security compromise and threat data. TruSTAR’s goal is to build a community of members that quickly report new attacks and threats, sharing them with other organizations in a safe environment.

"The government-oriented initiatives for information sharing have frustrated a lot of private companies, because the information is not always shared quickly and government agencies own the keys and can identify the companies that are reporting," Kurtz observes. "What we wanted to do is create a place where you can anonymously report a problem or threat and be rewarded immediately by getting feedback on whether that threat has been seen in other places, and with what impact."

While threat intelligence platforms could help companies make sense of threat data at the enterprise level, TruSTAR will harvest data from many enterprises and data sources and make all of that data available to its members, Kurtz says. And it can be used today, without waiting for legislation or the slow movement of government-sponsored information sharing initiatives.

"If companies are exchanging data, they are finding out about new threats faster and taking action more quickly. That way, everybody’s job gets easier," Kurtz says. "It’s a classic case of a rising tide raising all boats."

One of the challenges that enterprises face as they look at new technology for aggregating and analyzing threat data is figuring out which tools to use. ThreatQuotient, which was founded by experienced security operations professionals, focuses heavily on operationalizing threat information. ThreatConnect, which was founded by former intelligence analysts, focuses on providing the best tools and capabilities for data analysis in the near term – and risk analysis in the longer term. ThreatStream, which was founded by former executives at SIEM vendors, provides strong integration between external threat intelligence feeds and internal SIEM systems; the company already has developed 12 different interconnects with systems that the enterprise may already have onsite.

"We're all coming at it from different angles, but the fact that you see several vendors attacking the same problem helps to demonstrate the need and validate this whole category of products," Baker says. "I think you'll see a lot more happening in this space."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
RedTigerLabs, User Rank: Apprentice, 6/6/2015 | 9:25:49 AM
Threat Modeling without Compliance goals or Remediation is only "Art"
Visualization of threat information is a great first step. Toolsets need to build this information into resilience objectives that align with standards and policy objectives. This toolset, built into redtigerlabs dot com, was designed specifically for SCADA and Critical Infrastructure, where this information is needed most.
Cory-C, User Rank: Apprentice, 6/4/2015 | 11:22:02 AM
Standards for federating threat intelligence information
As suggested in this article, federation across the many sources, platforms and tools for threat information is essential to understand and respond to the sophisticated threats we face today. We need to understand all threats and all hazards across all sources, particularly where cyber and physical come together. While startups can help, emerging standards are the key. There is an ongoing standards effort in the Object Management Group (OMG) to define a federating model such that tools that implement this standard will be able to federate, analyze and exchange information in a variety of formats and technologies. CSOs and threat intelligence vendors may want to engage in this standard to make sure it meets the needs of the community. More information can be found on threatrisk dot org.
