7 Ways To Fine-Tune Your Threat Intelligence Model
The nature of security threats is too dynamic for set-and-forget. Here are some ways to shake off that complacency.
January 5, 2017
We look at threat intelligence as the active, selective gathering of multiple threads: The latest malware variants, a new twist on ransomware, some nefarious innovation on social engineering, DDoS stratagems, to name a few. These services are as different from old-school security feeds as sprinkler systems are from fire hydrants. Security feeds vacuum up (and disperse) everything in their wake; threat intel is, well, more intelligent, not to mention curated and customizable.
One of Dark Reading's columnists summed up the difference more succinctly: There's data, and then there's information – in the case of threat intel, it's specific data that allows users to gauge exposure and risk, then act accordingly. Business, government and non-profits see the value of threat intel; global service revenue is forecast to top $5.8 billion by 2020, according to Markets and Markets.
But the set-and-forget mentality is an occupational hazard in all of IT; seasoned infosec professionals understand the security landscape changes too quickly to relax for very long. So here are some flash points to help guard against complacency with threat intel, and maybe even raise your organization's security IQ.
What's worked for you and your organization? What's overblown marketing hype? We know you won't be shy about letting us know in the comments section… let us hear from you.
Organizations and infosec staff may be surprised to find they're already sitting on top of some sort of threat intel feed or service that hasn't been activated. So instead of putting money into a new solution, it may be more economical to buy a license for something that's already there and turn it on, Webroot's Dufour advises.
"It takes some work to set up, but many times organizations already have the visibility they need," he added. Users may not have the threat data feed set to run against other security information, and may only be able to see what's being blocked or attacked. The CISO doesn't always know every permutation, but an infosec pro knows what's happening in her appliance.
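The point above is that a feed only pays off once it is run against the security data you already collect. As an added illustration (not code from the article or from any vendor it mentions), the snippet below correlates a small constructed indicator feed with constructed firewall/proxy log lines, separating hits on traffic that was already blocked (what an appliance shows on its own) from hits on traffic that was allowed (the visibility the correlation adds). The log format, feed contents and labels are all assumptions made for the example.

```python
# Added example: correlate a threat intel feed with existing log data so that
# indicator hits on *allowed* traffic become visible, not only the blocks.
import ipaddress
import re
from collections import Counter

# Constructed sample feed (assumption): indicator -> short context label.
# Addresses are from RFC 5737 documentation ranges; the hostname is made up.
THREAT_FEED = {
    "198.51.100.23": "c2-server",
    "203.0.113.0/24": "scanner-range",
    "bad-updates.example": "malware-distribution",
}

# Constructed sample log lines (assumption) in a simple key=value layout.
SAMPLE_LOGS = """\
ts=2017-01-05T10:01:02Z action=block dst=203.0.113.9 host=-
ts=2017-01-05T10:03:17Z action=allow dst=198.51.100.23 host=-
ts=2017-01-05T10:04:44Z action=allow dst=192.0.2.10 host=bad-updates.example
ts=2017-01-05T10:06:01Z action=allow dst=192.0.2.55 host=www.example.org
"""

LINE_RE = re.compile(r"ts=(\S+) action=(\S+) dst=(\S+) host=(\S+)")

def _match(dst, host):
    """Return the feed label for an exact IP, a CIDR range or a hostname hit, else None."""
    for indicator, label in THREAT_FEED.items():
        if "/" in indicator:
            try:
                if ipaddress.ip_address(dst) in ipaddress.ip_network(indicator):
                    return label
            except ValueError:  # dst is not an IP literal; skip CIDR test
                continue
        elif indicator == dst or indicator == host:
            return label
    return None

def correlate(log_text):
    """Return (timestamp, action, label) for every log line that hits the feed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, dst, host = m.groups()
        label = _match(dst, host)
        if label:
            hits.append((ts, action, label))
    return hits

def summarize(hits):
    """Count hits by action: 'block' was already visible; 'allow' is the new visibility."""
    return Counter(action for _, action, _ in hits)
```

Running `summarize(correlate(SAMPLE_LOGS))` on the constructed data shows one block and two allowed connections that matched the feed; the two allows are exactly what stays invisible when the feed is never run against the logs.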
It's incumbent on customers to educate themselves and be smart about their acquisition and use of all security products, not just threat intel data. But Chris Coryea, a manager for security vendor Leidos, notes the disconnects that occur all too frequently.
"According to one IDC report, 77% of companies surveyed equated SIEM to threat intelligence and another 35% associated threat intelligence with shared information provided within the security community," Coryea writes on the company blog. "These two points demonstrate the shallow level of cybersecurity maturity of many organizations."
Vendors can help cultivate more sophistication about threats by providing relevancy, context and situational awareness about the content of threat intel. Infosec professionals need to then assess the intel's relevancy to their organizations and challenge the value of threat feeds as necessary.
It's a give-and-take process that may be uncomfortable at first for infosec professionals. But done properly and consistently, organizations can protect themselves better and raise the defense bar for information security more broadly.