Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/4/2017
10:00 AM
Andrew Storms
Andrew Storms
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How to Integrate Threat Intel & DevOps

Automating intelligence can help your organization in myriad ways.

Integrating cyberthreat intelligence (CTI) into a DevOps platform is critical to prevent, detect, respond, and predict cybersecurity threats in a more timely and cost-effective manner. This is true because integration allows automation of everyday tasks such as patch management and vulnerability scanning, allowing employees to turn their attention away from these automated tasks to focus on more complex problems and analyses.

At the same time, in our modern, complicated, fast-paced cyber environment, it's difficult to hunt for and find vulnerabilities. Ideally, you will subscribe to threat feeds that have information specific to your systems, networks, or industry, because a power plant operator will want different kinds of threat information than a bank IT team. If your threat feed is specific to your environment, it could help automate the discovery of vulnerabilities and help you prioritize fixes. If you get a threat alert about a specific application you are running and you have information about how to remediate, it's more likely you can create an automated task to fix the vulnerability.

This automation of threat intelligence creates several benefits for an organization, such as the following:

  • Reducing the mean time to discovery of vulnerabilities and subsequent recovery.
  • More quickly lowering risk in your organization's overall security posture, which allows for quicker response to vulnerabilities or attacks
  • Preventing attackers from repeating attacks

Other areas where automation can provide value beyond vulnerable applications include:

  • Automatically feeding information to dashboards and reports
  • Removing bottlenecks so that your changes process more intelligently and faster
  • Reducing errors in DevOps systems configurations

Are You Properly Integrating CTI?
To determine if your organization is integrating cyberthreat intelligence in a valuable way, consider this checklist:

  • Do you have real-time threat intelligence data feeds? Are you using a threat intelligence platform?
  • Can you glean intelligent courses of action from your intelligence feed?
  • Are you proactively sharing your intelligence with other business units in your organization, at a minimum?
  • Are your analysts more efficient in that they aren't spending hours reading PDFs and emails?
  • Are you able to measure the time to respond and show it's decreasing?
  • Have you prevented the same attacks/malware from being repeated against various parts of your enterprise network?

If the answer to any of these questions is no, your organization is leaving a lot on the table.

How Do You Create Cyberthreat Intelligence Integration?
The benefits are clear, and you've determined that your organization could improve CTI. What's next?

First, the basic requirements. You'll need a decent pipeline to start with by leveraging a continuous integration server (Jenkins is a good example). You'll also need a configuration management server (such as Chef). The requirements list also contains miscellaneous items such as central logging, a central vulnerability scanning system, and firewall management (or the ability to control your infrastructure using something like Terraform). You'll need a minimum of one threat feed — more if you can spare it — coming into your infrastructure in a central place. These basic requirements will all come together to create your threat intelligence platform (TIP).

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Now that the pieces are in place, you'll need to stick it all together with glue. You'll need a way for your TIP to auto-review the threat feeds and trigger off of the ones that matter to your environment. For example, technology on your stack can identify threat campaigns against Amazon Web Services, where your critical operations are running. Then you'll need a way to plug in the recommended action.

If the recommended action is to upgrade a software component, then you can have your TIP tell your configuration management tool to upgrade the NGINX Web server to a version that's not vulnerable. Chef can then deploy and upgrade NGINX on your hosts.

And lastly, you'll want to ensure you've automatically opened a ticket in your issue tracker (such as Jira) to track the work. Include logs of the actions taken in both your issue tracker and to your central logging service.

The benefits of integrated cyberthreat intelligence are clear. Whether you're just getting your DevOps program started or are looking to bring an existing one into the 21st century, it's a critical component of future success. 

 

Related Content:

Andrew Storms serves as the vice president of security services at New Context. He has been leading IT, security and compliance teams for the past two decades at companies like CloudPassage, nCircle and Tripwire. Storms' advocacy on IT security issues has appeared in CNBC, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
joye121
50%
50%
joye121,
User Rank: Apprentice
5/17/2017 | 11:02:39 PM
new york
nice good work
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3311
PUBLISHED: 2019-11-21
Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request.
CVE-2013-3312
PUBLISHED: 2019-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in the Loftek Nexus 543 IP Camera allow remote attackers to hijack the authentication of unspecified victims for requests that change (1) passwords or (2) firewall configuration, as demonstrated by a request to set_users.cgi.
CVE-2013-3313
PUBLISHED: 2019-11-21
The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when leveraging the directory traversal vulnerability in CVE-2013-331...
CVE-2013-3314
PUBLISHED: 2019-11-21
The Loftek Nexus 543 IP Camera allows remote attackers to obtain (1) IP addresses via a request to get_realip.cgi or (2) firmware versions (ui and system), timestamp, serial number, p2p port number, and wifi status via a request to get_status.cgi.
CVE-2015-2793
PUBLISHED: 2019-11-21
Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.