Tech Insight: Practical Threat Intelligence

The job of an enterprise security professional is getting more and more difficult as new devices and technologies are introduced into their networks -- often without the time to adequately prepare and put security controls in place. Being able to keep up with changing technology, emerging threats, and information overload that goes with managing thousands to tens of thousands systems requires proactive efforts on the part of security pros. While vendors will try to tell you differently, it's impossible to sit back and trust that security products put in place to stop malware, phishing attacks, and the dreaded APT are going to be a effective at keeping your data secure.

To adequately address the threats against their organizations, enterprise security pros need to understand exactly what they're trying to protect -- a seemingly innocent but burdensome task that requires them to know their systems and networks inside and out. Maximum visibility is critical and can be aided by centralized logging of all network devices, servers, workstations, and network applications. The stumbling block security teams face is that these logs, once collected, often go untouched -- a fact evidenced by the recent Verizon data breach investigation report that stated 84% of organizations had evidence in their logs but never detected the intrusion.

What are organizations supposed to do? Whether they realize it or not, security teams are being forced into developing threat intelligence operations to react quickly and mitigate new vulnerabilities as they crop up. The key is that they turn their knowledge of their internal systems, what they must protect, and current threats into actionable intelligence so they aren't scrambling to patch vulnerabilities that don’t affect their critical systems or are already mitigated by existing security controls.

One of the best sources of threat information is right under security teams' noses. The very logs they preach need to be collected hold a wealth of information. Often, the simplest way is to mine it is to write scripts that perform some type of basic analysis on the log data each day, sometimes as often as hourly, to produce reports about failed logins, port scans, top IDS events, and more. The reports translate into internal threat intelligence that can be used to identify areas of high risk to compromise, targets within the network whose defenses may need to be increased, or possibly already compromised user accounts or systems within the network.

Many sources of information can feed into internal threat intelligence, and it's important that as many as possible are included to get a clear picture. Logs from firewalls, intrusion detection systems, and network flow data can be used to identify top attackers and top targeted systems within the network. Content security gateways monitoring Web and e-mail traffic can help identify a user who is being targeted as part of a phishing campaign, or users who engage in risky online behavior that could lead to a malware infection. Likewise, antivirus logs can reveal problematic users more prone to infections or servers that may be under attack or are already compromised.

Unfortunately, the sheer volume of log data tends to overwhelm most enterprises, which is why the data often goes unanalyzed. Security information and event management (SIEM) solutions are designed to help alleviate this issue by analyzing and correlating the data to produce actionable intelligence. While scripts can be written to pull out basic statistics, SIEMs go above and beyond by being able to correlate trends in historical data, making it easier to see things such as when new hosts show up on the network for the first time, when a host starts transmitting more data than what is typical, or when a system starts acting as a Web server when it is typically a user's workstation.

SIEMs also provide all sorts of other features, including searching capabilities, informational dashboards, and detailed reporting. They are great tools, but there's typically a hefty price tag that goes along with them that companies should be aware of before deciding to head down that path.

Knowing what to protect, what's going on within the network, and who's attacking you is great, but it's only half the picture. There is a huge wealth of knowledge available through external threat intelligence resources that include sites like the SANS Internet Storm Center, Shadow Server, and McAfee Threat Intelligence Center. Information is also shared through IRC channels, mailing lists, and online forums. The double-edged sword of all this free information is that it takes time to collect and distill into what's relevant to protect enterprise's IT resources. To deal with the problem, security teams will often take one of two approaches, sometimes combining both when it makes sense.

The first approach is to assign the task of collecting external threat intelligence to one or more individuals on the security team. One member may be tasked with monitoring information specifically related to server technologies that the organization's critical applications. Another team member may be tasked solely with the topic of desktop applications and Microsoft patches. Other members may be looking specifically at emerging threats including new attacks, vulnerabilities, and malware that could affect corporate systems.

Unfortunately, the collection of external threat intelligence in this manner is a manual process requiring time each day for the team members to read the latest information and decide whether it's pertinent to the company's environment. Just like log monitoring, this process can easily fall to the wayside because it can be time-consuming. This is why the second approach is favorable for busy teams.

Security teams without the manpower to do the external threat intelligence-gathering themselves can opt to subscribe to service offerings from companies like Dell SecureWorks and VeriSign iDefense. These services offer information about the latest threats, vulnerabilities, security advisories, attackers, and malware. Depending on the vendor, the information can be tailored to fit a particular organizations environment so there's no extraneous information to weed through.

A big benefit to subscribing to manage service like this, besides eliminating the manual process of scouring the Internet for information, is that these service providers often have a better understanding of what's going on globally as opposed to just the network underneath the security team's purview.

In the end, the enterprise security team's goal needs to take advantage of internal and external threat intelligence sources to proactively protect and secure its networks while enabling them to react faster to security incidents.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.