Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/2/2017
02:30 PM
Vikram Phatak
Vikram Phatak
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Getting Threat Intelligence Right

Are you thinking of implementing or expanding a threat intelligence program? These guidelines will help you succeed.

The array of startups in the threat intelligence market and the sheer volume of talk on the subject have enterprises racing to implement a solution. Many are placing big bets that subscribing to various threat intelligence offerings will enable them to spot threats faster and thereby minimize the damage and losses associated with security incidents.

This is a tall order, and high expectations have been set by the industry. So it's no surprise that threat intelligence already has a lot of tired and disillusioned followers, as I've discussed at length with CISOs and security practitioners over the past few months. From these conversations, I've concluded that what enterprises need most is a strategic plan to operationalize and automate security based upon actionable intelligence.

Unfortunately, enterprises are often advised that they need to add a lot of new, arbitrary information feeds and sources, regardless of the enterprise's operational maturity and resource constraints. Too often, the result is performance misfires coupled with a damaging loss of confidence in an approach meant to guide continuous improvement.

If you are considering implementing or expanding a threat intelligence program, here are a few principles that can increase the likelihood of success.

Define What You're Trying to Achieve 
What's the goal for your threat intelligence program? The primary purpose for threat intelligence is to accelerate incident response so that individual breaches are dealt with before they become full-blown incidents (which are far more costly). If this is your plan, then you need to know where the blind spots are. Can you gather the information you need from your security products?

For example, if your historical product selection was biased toward prevention rather than detection, you may not have the indicators of compromise (IOCs) or indicators of attacks (IOAs) required. You may be in a closed loop where "you don't know what you don't know," because by definition, if a security product failed to block an attack it's probably because it failed to see the attack. If not having visibility into what you missed is your problem, you may need to start by gaining visibility into your network before layering in third-party intelligence.

It's important to stay focused on the most urgent needs first, and effectively optimize the information being gathered. Once you've crossed that hurdle, you can start adding external threat data for correlation with your internal data sources. Small but concrete gains in collection and use are crucial signs of progress and usually prove whether you're on the right track to achieve your objectives.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Only Ingest What Your Systems Can Digest
It's tempting to grab every new threat intelligence feed and dashboard widget. However, if your team and security operations processes are consumed by taking in large volumes of information instead of acting on what they deliver, you're only magnifying the information-overload problem.

Getting to a better place isn't always about adding more resources. Focus instead on the platforms and other tools you use to share information. What formats do they support? How extensible are they? How can you gain value now and optimize operations with these tools today? Can relevant, contextual information be easily surfaced from the tools? Make sure you don't lose important contextual information in transit. For example, some products export full data directly to a CSV file but only deliver some of the contextual information via their API. Others export into PDFs that you will need to parse in order to use the data in an automated system.

Know Your Intelligence Consumers
You need to cater to your audience. These days, senior executives want security metrics (in return for increased security budgets) almost as often as network defenders want faster analysis of IOAs and IOCs. These are vastly different demands, so as the intelligence decision-maker you need to understand your audience. Who are they and what do they need most?

"Reports or It Didn't Happen"
Know in advance how you will measure success in a threat intelligence program — whether that means a few PowerPoint slides to please top executives or key performance indicators for the team. Otherwise, you risk losing perspective. Milestones that show progress are important ways to measure progress toward your objective.

Start with metrics that show how you're improving visibility into your environment, for example, or decreasing lag time in incident-response workflows. Those numbers are arguably the most important, because successful intelligence programs inform, fundamentally, by dispelling assumptions and uncertainty that traditionally plague security decision-making.

Threat intelligence now accounts for significant budget spend in many security operations centers. It holds significant promise, but it isn't a silver bullet. Good luck on your journey!

Related Content:

 

Vikram Phatak is Chief Executive Officer of NSS Labs, Inc. Vik is one of the information security industry's foremost thought leaders on vulnerability management and threat protection. With over 20 years of experience, he brings unique insight to the cybersecurity problems ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.