
Vulnerabilities / Threats | Quick Hits
10/10/2013 06:39 AM
John H. Sawyer

Creating And Maintaining A Custom Threat Profile

Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize it.

[The following is excerpted from "Creating and Maintaining a Custom Threat Profile," a new report posted this week on Dark Reading's Threat Intelligence Tech Center.]

Security researchers and vendors are developing a wealth of new data on threats and exploits in the wild. Organizations can tap into this data through the use of threat intelligence feeds, but all too often these feeds are served up in a generic fashion -- identical for all customers, no matter what their industry, size, location or other distinguishing characteristics.

What enterprises need is threat intelligence that is relevant and actionable, which requires not only a prioritization model but also deep knowledge of the systems and data that must be protected in the first place -- and at what cost.

There are numerous sources and types of threat intelligence feeds. Some are internally sourced, while others come from external third parties and are part of a subscription service.

The information available also varies widely based on the vendor providing the service. It may be directly downloadable into a security information and event management (SIEM) product, or it may come in the form of detailed reports that are harder to parse and act on immediately. In any case, the purpose is the same: to provide data that enables a company to make quick and informed decisions about threats against their assets.

It's important to keep in mind that not all threat intelligence feeds are created equal. The average feed will include reputation-based data such as known bad IP addresses, domain names, spam sources and active attackers. That information may be simply a regurgitation of data a vendor received from another source, or a vendor may vet the data to ensure its accuracy before providing it to customers. Clearly, the latter is the preferred model.

And not all intelligence comes in the form of a "feed." Detailed threat reports are valuable for learning more about specific attacker groups or types of attacks. These reports come either as a long, detailed document for investigators or in an executive summary-style format for getting management up to speed on active threats. The detailed versions can include identifiable characteristics for determining whether particular attacker groups have compromised systems, but they need to be read in detail and parsed for information that is actionable.

Another distinguishing factor is the degree to which intelligence data is tailored to the customer. Some intelligence feeds come as a generic set of information that is delivered to all customers, regardless of their size or what industry they are in. Depending on the vendor, there may be options for customizing data based on industry and technologies in use by the customer.

Joe Magee, CTO of threat intelligence services provider Vigilant, explained to Dark Reading that it's often this value-added prefiltering, validation and customization of information that sets vendors apart. Instead of simply providing a data feed, a provider should work closely with customers to determine what intelligence data is important, customize what is delivered and ensure that it's integrated into the customer's SIEM, Magee says. The SIEM itself can be on site at the customer's facility and managed remotely, or part of the vendor's cloud-based service.

One very big problem that many companies face is that they don't fully understand the threats against their organizations. Creating a threat profile is a key step in understanding what threats a company faces and the potential impact if an attack were to be successful. A threat profile can also help companies prioritize resources in order to successfully defend sensitive data.

To learn more about how to build a customized threat profile -- and how to use it to prioritize security tasks and measure security risk -- download the free report.

Comments
sspinola21ct (User Rank: Apprentice), 10/16/2013 7:09:17 PM
re: Creating And Maintaining A Custom Threat Profile
Great article, John. Of course, threat feeds cost money, and gaining relevant and actionable intelligence from them is difficult and time-consuming (for the reasons you state and more), so security teams have a hard time proving their value as it is. Customized feeds will cost even more, so pitching management on them may be a hard sell. One way to gain additional value from the feeds you already have is to combine them with other data you already collect (such as NetFlow and HTTP metadata) to see not only connections to known bad IP addresses identified in the feeds, but also the before, the after, and any contextual behaviors that ultimately show you information well beyond the original threat feed. This approach reduces time-to-detection and remediation (and thus increases the business value of the feeds). That could provide the ammunition an organization needs to encourage management to "upgrade" to more customized feeds.
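The two ideas above, the article's call for a prioritization model that weights feed data by the organization's own threat profile (industry, technologies, asset value) and the commenter's suggestion to join feed hits to NetFlow records so the "before and after" of a connection is visible, can be shown together in code. The following is an added example written for this page; it is not code from the article, the report, Vigilant, or the commenter. The profile fields, the feed schema, the flow tuple layout, the scoring weights and every IP address and timestamp are constructed for illustration, and a real deployment would take the feed from the vendor's format and the flows from the collector or SIEM.

```python
"""Rank feed indicators against a custom threat profile, then match them
to NetFlow-style records and attach the host's surrounding activity.
Every value below is constructed for this example (no real feed/vendor)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed threat profile: what THIS organisation is and what it runs.
THREAT_PROFILE = {
    "industry": "finance",
    "technologies": {"windows", "exchange", "java"},
    # internal subnet -> criticality multiplier for hits originating there
    "critical_subnets": {"10.0.5.0/24": 3.0, "10.0.20.0/24": 2.0},
    "default_weight": 1.0,
    "min_confidence": 0.5,  # drop indicators the vendor itself doubts
}

# Constructed feed entries in a generic, vendor-neutral shape.
FEED = [
    {"indicator": "198.51.100.7", "confidence": 0.9,
     "sectors": ["finance"], "tech": ["exchange"], "vetted": True},
    {"indicator": "203.0.113.9", "confidence": 0.3,
     "sectors": [], "tech": [], "vetted": False},
    {"indicator": "192.0.2.44", "confidence": 0.8,
     "sectors": ["energy"], "tech": ["scada"], "vetted": True},
]

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2013-10-10T09:00:00", "10.0.5.12", "10.0.20.3", 445, 4096),
    ("2013-10-10T09:01:30", "10.0.5.12", "198.51.100.7", 443, 1200),
    ("2013-10-10T09:02:00", "10.0.5.12", "198.51.100.7", 443, 98000),
    ("2013-10-10T09:10:00", "10.0.5.12", "10.0.20.3", 445, 512000),
    ("2013-10-10T12:00:00", "10.0.30.8", "192.0.2.44", 80, 300),
]


def score_indicator(entry, profile):
    """Relevance of one feed entry to this organisation; 0.0 = not actionable.
    Vendor confidence is the base; sector/technology overlap with the profile
    adds to it, and vetted data gets a bonus over raw relayed data."""
    if entry["confidence"] < profile["min_confidence"]:
        return 0.0
    score = entry["confidence"]
    if profile["industry"] in entry["sectors"]:
        score += 1.0
    if profile["technologies"] & set(entry["tech"]):
        score += 1.0
    if entry["vetted"]:
        score += 0.5
    return round(score, 2)


def prioritize_feed(feed, profile):
    """(indicator, score) pairs, highest first; zero-score entries are dropped."""
    scored = [(e["indicator"], score_indicator(e, profile)) for e in feed]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


def asset_weight(ip, profile):
    """Criticality multiplier for the internal host that made the connection."""
    addr = ip_address(ip)
    for cidr, weight in profile["critical_subnets"].items():
        if addr in ip_network(cidr):
            return weight
    return profile["default_weight"]


@dataclass
class Alert:
    host: str          # internal host that contacted the indicator
    indicator: str
    priority: float    # feed relevance x asset criticality
    hits: list = field(default_factory=list)     # flows to the indicator
    context: list = field(default_factory=list)  # nearby flows from same host


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def match_flows(flows, scored, profile, window=timedelta(minutes=10)):
    """Join prioritised indicators to flows and attach the host's activity
    within +/- window of each hit (the 'before and after')."""
    scores = dict(scored)
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[1]].append(f)
    alerts = []
    for host, hflows in by_host.items():
        hits_by_ind = defaultdict(list)
        for f in hflows:
            if f[2] in scores:
                hits_by_ind[f[2]].append(f)
        for ind, hits in hits_by_ind.items():
            times = [_ts(f[0]) for f in hits]
            ctx = [f for f in hflows if f not in hits
                   and any(abs(_ts(f[0]) - t) <= window for t in times)]
            prio = round(scores[ind] * asset_weight(host, profile), 2)
            alerts.append(Alert(host, ind, prio, hits, ctx))
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


if __name__ == "__main__":
    for a in match_flows(FLOWS, prioritize_feed(FEED, THREAT_PROFILE), THREAT_PROFILE):
        print(f"{a.priority:5.1f} {a.host} -> {a.indicator} "
              f"hits={len(a.hits)} context={len(a.context)}")
```

Run as-is, the low-confidence entry is discarded before it ever reaches the flow data, the finance/Exchange indicator outranks the energy-sector one both because of the profile match and because the host that contacted it sits in a subnet the profile marks critical, and that alert carries the SMB traffic from the same host just before and after the hit, which is the context the raw feed alone never shows.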
anon6368133649 (User Rank: Apprentice), 10/10/2013 4:12:33 PM
re: Creating And Maintaining A Custom Threat Profile
Thanks for the great read! However, the link to the free report seems incomplete.