
Vulnerabilities / Threats

10/10/2013
06:39 AM
John H. Sawyer
Quick Hits

Creating And Maintaining A Custom Threat Profile

Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize

[The following is excerpted from "Creating and Maintaining a Custom Threat Profile," a new report posted this week on Dark Reading's Threat Intelligence Tech Center.]

Security researchers and vendors are developing a wealth of new data on threats and exploits in the wild. Organizations can tap into this data through the use of threat intelligence feeds, but all too often these feeds are served up in a generic fashion -- identical for all customers, no matter what their industry, size, location or other distinguishing characteristics.

What enterprises need is threat intelligence that is relevant and actionable, which requires not only a prioritization model but also deep knowledge of the systems and data that must be protected in the first place -- and at what cost.

There are numerous sources and types of threat intelligence feeds. Some are internally sourced, while others come from external third parties and are part of a subscription service.

The information available also varies widely based on the vendor providing the service. It may be directly downloadable into a security information and event management (SIEM) product, or it may come in the form of detailed reports that are harder to parse and act on immediately. In any case, the purpose is the same: to provide data that enables a company to make quick and informed decisions about threats against their assets.

It's important to keep in mind that not all threat intelligence feeds are created equal. The average feed will include reputation-based data such as known bad IP addresses, domain names, spam sources and active attackers. That information may be simply a regurgitation of data a vendor received from another source, or a vendor may vet the data to ensure its accuracy before providing it to customers. Clearly, the latter is the preferred model.

And not all intelligence comes in the form of a "feed." Detailed threat reports are valuable for learning more about specific attacker groups or types of attacks. These reports come either as a long, detailed document for investigators or in an executive summary-style format for getting management up to speed on active threats. The detailed versions can include identifiable characteristics for determining whether particular attacker groups have compromised systems, but they need to be read in full and parsed for information that is actionable.

Another distinguishing factor is the degree to which intelligence data is tailored to the customer. Some intelligence feeds come as a generic set of information that is delivered to all customers, regardless of their size or what industry they are in. Depending on the vendor, there may be options for customizing data based on industry and technologies in use by the customer.

Joe Magee, CTO of threat intelligence services provider Vigilant, explained to Dark Reading that it's often this value-added prefiltering, validation and customization of information that sets vendors apart. Instead of simply providing a data feed, a provider should work closely with customers to determine what intelligence data is important, customize what is delivered and ensure that it's integrated into the customer's SIEM, Magee says. The SIEM itself can be on site at the customer's facility and managed remotely, or part of the vendor's cloud-based service.

One very big problem that many companies face is that they don't fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help companies prioritize resources in order to successfully defend sensitive data.

To learn more about how to build a customized threat profile -- and how to use it to prioritize security tasks and measure security risk -- download the free report.

Comments
sspinola21ct,
User Rank: Apprentice
10/16/2013 | 7:09:17 PM
re: Creating And Maintaining A Custom Threat Profile
Great article, John. Of course, threat feeds cost money, and gaining relevant and actionable intelligence from them is difficult and time-consuming (for the reasons you state and more), so security teams have a hard time proving their value as it is. Customized feeds will cost even more, so pitching management on them may be a hard sell. One way to gain additional value from the feeds you already have is to combine them with other data you already collect (such as NetFlow and HTTP metadata) to see not only connections to known bad IP addresses identified in the feeds, but also the before, the after, and any contextual behaviors that ultimately show you information well beyond the original threat feed. This approach reduces time-to-detection and remediation (and thus increases the business value of the feeds). That could provide the ammunition an organization needs to encourage management to "upgrade" to more customized feeds.
anon6368133649,
User Rank: Apprentice
10/10/2013 | 4:12:33 PM
re: Creating And Maintaining A Custom Threat Profile
Thanks for the great read! However, the link to the free report seems incomplete.