Security Experts:

Are You Getting the Most from Your Threat Intelligence Subscription?

The Value of Knowing More About Threats is Limited When it Cannot be Applied to Prevent Threats 

Thanks to how connected the Internet has made us all, including cyber attackers, stolen user credentials and easy to obtain, automated tools for conducting cyberattacks are available to anyone with a Bitcoin account. This has led to a rise in the number of network breaches and their financial impact. Last year, the Ponemon Institute reported an 82 percent increase in the cost of cyberattacks over the last six years. In light of this, organizations are looking to increase their knowledgebase of threat intelligence data to better equip their security teams with the latest information on new and existing attack methods and how to stop them.

Many organizations, in order to ensure they getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees. But in the rush to sign up for the latest and greatest threat subscription, my guess is that most organizations don’t have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices, meaning the ROI for their subscription payments may be extremely low.

Threat Intelligence Feed

The value of knowing more about threats is limited when it cannot be actually applied to prevent threats. Not only his, but even when a solid plan exists for ingesting data into the system, it often requires additional headcount, layering on further cost and complexity.

Additionally, multiple subscriptions mean multiple daily threat updates, many of which may be redundant. These redundancies can lead to wasted time as security teams try to consolidate the information received from multiple sources into their existing security architecture. This consolidation is further complicated by the fact that different feeds often present their threat findings in different ways, forcing security teams to spend more time getting the feeds translated into a common format that can be used by their existing security infrastructure.

In an effort to be thorough and to limit their liability, most threat intelligence feeds tend to report each new cyberthreat as a serious security risk, which is simply not the case. In actuality, the vast majority of threats listed in a threat intelligence subscription’s daily report are common, commodity attacks that are already “known,” and can easily be dealt with by existing security systems. When all threats are classified as serious, security teams have little context to work from as they try to analyze inbound threats and triage them in order of risk potential. Further complicating the situation is the fact that with some slight changes to the malware, cyberattackers can make existing threats appear to be “new,” when in reality they are from the same malware family. For traditional feeds, even the slightest change would result in another alert, even though only the filename, hash, or some other easily changed variable has shifted.

In light of the problems mentioned above, I would encourage organizations using threat subscriptions to take a moment and ask themselves the following questions:

1. If using multiple threat subscriptions, does the security team know how much redundancy exists between them?

2. Is it easy to integrate the intelligence received from my subscriptions into my existing security infrastructure? Can the security team evaluate inbound threat intelligence and convert it into an actual security policy quickly and without the need for manual configuration?

3. Do my threat subscriptions provide enough information to put the severity of each threat in the proper context?

4. Does my threat subscription track cyberthreats specifically targeting my industry?

If the answer to any of these questions is no, then I would argue that a more in depth audit of current threat intelligence subscriptions needs to be conducted. In addition, I would also recommend organizations find out how they can automate the application of threat intelligence to their security architecture. This would allow most threats to be resolved in real time and without the need for slower, more costly human intervention.

Adding threat intelligence to your security posture is a strong solution for keeping a network protected against new and existing cyberthreats, but only if an organization takes the necessary steps to quickly and easily apply that intelligence to actual security policy.

Related Reading: Distinguishing Threat Intelligence From Threat Data

view counter
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.