
Dark Reading | Threat Intelligence
5/2/2017 02:30 PM
Vikram Phatak
Commentary

Getting Threat Intelligence Right

Are you thinking of implementing or expanding a threat intelligence program? These guidelines will help you succeed.

The array of startups in the threat intelligence market and the sheer volume of talk on the subject have enterprises racing to implement a solution. Many are placing big bets that subscribing to various threat intelligence offerings will enable them to spot threats faster and thereby minimize the damage and losses associated with security incidents.

This is a tall order, and high expectations have been set by the industry. So it's no surprise that threat intelligence already has a lot of tired and disillusioned followers, as I've discussed at length with CISOs and security practitioners over the past few months. From these conversations, I've concluded that what enterprises need most is a strategic plan to operationalize and automate security based upon actionable intelligence.

Unfortunately, enterprises are often advised that they need to add a lot of new, arbitrary information feeds and sources, regardless of the enterprise's operational maturity and resource constraints. Too often, the result is performance misfires coupled with a damaging loss of confidence in an approach meant to guide continuous improvement.

If you are considering implementing or expanding a threat intelligence program, here are a few principles that can increase the likelihood of success.

Define What You're Trying to Achieve 
What's the goal for your threat intelligence program? The primary purpose of threat intelligence is to accelerate incident response so that individual compromises are detected and contained before they grow into full-blown incidents (which are far more costly). If this is your plan, then you need to know where your blind spots are. Can you actually gather the information you need from the security products you already run?

For example, if your historical product selection was biased toward prevention rather than detection, you may not have the indicators of compromise (IOCs) or indicators of attack (IOAs) you need. You may be in a closed loop where "you don't know what you don't know": a preventive control that failed to block an attack usually failed to see it as well, so its own telemetry will not show you the miss. If a lack of visibility into what you missed is your problem, start by gaining visibility into your own network (endpoint, DNS, proxy and authentication logs) before layering in third-party intelligence.

It's important to stay focused on the most urgent needs first and to make good use of the information you already gather. Once you've crossed that hurdle, you can start adding external threat data and correlating it with your internal data sources. Small but concrete gains in collection and use are the clearest signs of progress, and they usually show whether you're on the right track to achieve your objectives.


Only Ingest What Your Systems Can Digest
It's tempting to grab every new threat intelligence feed and dashboard widget. However, if your team and security operations processes are consumed by taking in large volumes of information instead of acting on what they deliver, you're only magnifying the information-overload problem.

Getting to a better place isn't always about adding more resources. Focus instead on the platforms and other tools you use to share information. What formats do they support? How extensible are they? How can you gain value now and optimize operations with these tools today? Can relevant, contextual information be easily surfaced from the tools? Make sure you don't lose important contextual information in transit. For example, some products export the full record (confidence, source, first-seen date, description) to a CSV file but expose only part of that context through their API, so the automated path silently gets less than the manual one. Others export into PDFs that you will need to parse before the data can be used in an automated system. Before wiring a feed into automation, compare what each export path actually delivers for the same indicators.
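The two points above, correlating external threat data with internal sources and checking that an API path does not drop the context a CSV export carries, as one added example. This is illustration code written for this page, not a vendor's or the author's tool; the feed columns, the API record shape, the proxy log format and every indicator and log line are constructed sample data, and the field names are assumptions.

```python
"""Correlate an external indicator feed with internal proxy logs while
keeping the feed's contextual fields (confidence, source, first_seen,
description) attached to every match, and check which of those fields
the feed's API path drops relative to its CSV export.

All feed rows, API records and log lines are constructed sample data;
the field names and log format are assumptions, not any vendor's format.
"""
import csv
import io
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed CSV export: the "full" form of the feed, including context.
FEED_CSV = """indicator,type,confidence,source,first_seen,description
evil-cdn.example,domain,85,vendor-a,2017-04-20,beacon staging host
203.0.113.7,ipv4,40,vendor-a,2017-04-28,scanner seen hitting honeypots
update-check.example,domain,95,vendor-b,2017-04-30,known malware C2
"""

# Constructed API response for the same feed: confidence and description
# are absent, which is the "context lost in transit" problem.
FEED_API_JSON = json.dumps([
    {"indicator": "evil-cdn.example", "type": "domain", "source": "vendor-a", "first_seen": "2017-04-20"},
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "vendor-a", "first_seen": "2017-04-28"},
    {"indicator": "update-check.example", "type": "domain", "source": "vendor-b", "first_seen": "2017-04-30"},
])

# Constructed proxy log lines (assumed format: ts client_ip dest_host status).
PROXY_LOG = """2017-05-02T14:01:02Z 10.0.0.5 evil-cdn.example 200
2017-05-02T14:01:09Z 10.0.0.9 www.example.org 200
2017-05-02T14:02:41Z 10.0.0.5 update-check.example 302
2017-05-02T14:03:00Z 10.0.0.12 203.0.113.7 403
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<status>\d{3})$")


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    indicator: str
    confidence: int
    source: str
    first_seen: str
    description: str


def parse_feed_csv(text: str) -> Dict[str, dict]:
    """Index feed rows by indicator value, keeping every column."""
    rows: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["confidence"] = int(row["confidence"])
        rows[row["indicator"]] = row
    return rows


def missing_context_fields(csv_rows: Dict[str, dict], api_json: str) -> Set[str]:
    """Return the columns the CSV export carries that the API records lack.

    Run this once per feed before wiring the API into automation; a
    non-empty result means the API path is dropping context you paid for.
    """
    csv_fields: Set[str] = set()
    for row in csv_rows.values():
        csv_fields |= set(row)
    api_fields: Set[str] = set()
    for rec in json.loads(api_json):
        api_fields |= set(rec)
    return csv_fields - api_fields


def correlate(log_text: str, feed: Dict[str, dict], min_confidence: int = 50) -> List[Alert]:
    """Match proxy destinations against the feed.

    Indicators below min_confidence are ignored (ingest only what the SOC
    can digest), and each alert carries the indicator's context so the
    analyst does not have to re-query the feed.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        hit = feed.get(m.group("dest"))
        if hit is None or hit["confidence"] < min_confidence:
            continue
        alerts.append(Alert(
            ts=m.group("ts"), client=m.group("client"), indicator=hit["indicator"],
            confidence=hit["confidence"], source=hit["source"],
            first_seen=hit["first_seen"], description=hit["description"],
        ))
    return alerts


if __name__ == "__main__":
    feed = parse_feed_csv(FEED_CSV)
    print("context lost via API:", sorted(missing_context_fields(feed, FEED_API_JSON)))
    for a in correlate(PROXY_LOG, feed):
        print(f"{a.ts} {a.client} -> {a.indicator} [{a.source} conf={a.confidence}] {a.description}")
```

Run on the constructed data, the field check reports that confidence and description survive only in the CSV, and the correlation raises two alerts (the low-confidence scanner IP is filtered out by the default threshold); raising or lowering min_confidence is the knob that matches feed volume to what the team can act on.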

Know Your Intelligence Consumers
You need to cater to your audience. These days, senior executives want security metrics (in return for increased security budgets) almost as often as network defenders want faster analysis of IOAs and IOCs. These are vastly different demands, so as the intelligence decision-maker you need to understand your audience. Who are they and what do they need most?

"Reports or It Didn't Happen"
Know in advance how you will measure success in a threat intelligence program, whether that means a few PowerPoint slides to satisfy top executives or key performance indicators for the team. Otherwise, you risk losing perspective. Define milestones up front so that progress toward your objective can be shown, not just asserted.

Start with metrics that show how you're improving visibility into your environment (coverage of log sources, for example) or decreasing lag time in incident-response workflows (time from indicator receipt to detection, or from detection to containment). Those numbers are arguably the most important, because a successful intelligence program earns its keep by dispelling the assumptions and uncertainty that traditionally plague security decision-making.

Threat intelligence now accounts for significant budget spend in many security operations centers. It holds significant promise, but it isn't a silver bullet. Good luck on your journey!


Vikram Phatak is Chief Executive Officer of NSS Labs, Inc. Vik is one of the information security industry's foremost thought leaders on vulnerability management and threat protection. With over 20 years of experience, he brings unique insight to the cybersecurity problems ...