Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/10/2013
06:39 AM
John H. Sawyer
John H. Sawyer
Quick Hits
50%
50%

Creating And Maintaining A Custom Threat Profile

Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize

[The following is excerpted from "Creating and Maintaining a Custom Threat Profile," a new report posted this week on Dark Reading's Threat Intelligence Tech Center.]

Security researchers and vendors are developing a wealth of new data on threats and exploits in the wild. Organizations can tap into this data through the use of threat intelligence feeds, but all too often these feeds are served up in a generic fashion -- identical for all customers, no matter what their industry, size, location or other distinguishing characteristics.

What enterprises need is threat intelligence that is relevant and actionable, which requires not only a prioritization model but also deep knowledge of the systems and data that must be protected in the first place -- and at what cost.

There are numerous sources and types of threat intelligence feeds. Some are internally sourced, while others come from external third parties and are part of a subscription service.

The information available also varies widely based on the vendor providing the service. It may be directly downloadable into a security information and event management (SIEM) product, or it may come in the form of detailed reports that are harder to parse and act on immediately. In any case, the purpose is the same: to provide data that enables a company to make quick and informed decisions about threats against their assets.

It's important to keep in mind that not all threat intelligence feeds are created equal. The average feed will include reputation-based data such as known bad IP addresses, domain names, spam sources and active attackers. That information may be simply a regurgitation of data a vendor received from another source, or a vendor may vet the data to ensure its accuracy before providing it to customers. Clearly, the latter is the preferred model.

And not all intelligence comes in for the form of a "feed." Detailed threat reports are valuable for learning more about specific attacker groups or types of attacks. These reports come in either a long, detailed document form for investigators or in an executive summary-style format for getting management up to speed on active threats. The detailed versions can include identifiable characteristics for determining if particular attacker groups have compromised systems, but they need to be read in detail and parsed for information that is actionable.

Another distinguishing factor is the degree to which intelligence data is tailored to the customer. Some intelligence feeds come as a generic set of information that is delivered to all customers, regardless of their size or what industry they are in. Depending on the vendor, there may be options for customizing data based on industry and technologies in use by the customer.

Joe Magee, CTO of threat intelligence services provider Vigilant, explained to Dark Reading that it's often this value-added prefiltering, validation and customization of information that sets vendors apart. Instead of simply providing a data feed, a provider should work closely with customers to determine what intelligence data is important, customize what is delivered and ensure that it's integrated into the customer's security information and event management (SIEM) system, Magee says. The SIEM itself can be on site at the customer's facility and managed remotely, or part of its cloud-based service.

One very big problem that many companies face is that they don't fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help companies prioritize resources in order to successfully defend sensitive data.

To learn more about how to build a customized threat profile -- and how to use it to prioritize security tasks and measure security risk -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sspinola21ct
50%
50%
sspinola21ct,
User Rank: Apprentice
10/16/2013 | 7:09:17 PM
re: Creating And Maintaining A Custom Threat Profile
Great article John. Of course, threat feeds cost money, and gaining relevant and actionable intelligence from them is difficult and time-consuming (for the reasons you state and more) so security teams have a hard time proving their value as it is. Customized feeds will cost even more, so pitching management on them may be a hard sell. One way to gain additional value from the feeds you already have is to combine them with other data you already collect (such as NetFlow and HTTP metadata) to see not only connections to known bad IP addresses identified in the feeds, but also the before, the after, and any contextual behaviors that ultimately show you information well beyond the original threat feed. This approach reduces time-to-detection and remediation (and thus increases the business value of the feeds). That could provide the ammunition an organizations needs to encourage management to "upgrade" to more customized feeds.
anon6368133649
50%
50%
anon6368133649,
User Rank: Apprentice
10/10/2013 | 4:12:33 PM
re: Creating And Maintaining A Custom Threat Profile
Thanks for the great read! However, the link to the free report seems incomplete.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...