SecurityWeek

Are You Getting the Most from Your Threat Intelligence Subscription?

The Value of Knowing More About Threats is Limited When it Cannot be Applied to Prevent Threats 

Thanks to how connected the Internet has made us all, including cyber attackers, stolen user credentials and easy-to-obtain automated attack tools are available to anyone with a Bitcoin account. This has led to a rise in the number of network breaches and in their financial impact. Last year, the Ponemon Institute reported an 82 percent increase in the cost of cyberattacks over the last six years. In light of this, organizations are looking to expand their knowledge base of threat intelligence data to better equip their security teams with the latest information on new and existing attack methods and how to stop them.

Many organizations, in order to ensure they are getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees. But in the rush to sign up for the latest and greatest threat subscription, my guess is that most organizations don’t have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices, meaning the ROI on their subscription payments may be extremely low.

The value of knowing more about threats is limited when it cannot actually be applied to prevent threats. Not only this, but even when a solid plan exists for ingesting data into the system, it often requires additional headcount, layering on further cost and complexity.

Additionally, multiple subscriptions mean multiple daily threat updates, many of which may be redundant. These redundancies can lead to wasted time as security teams try to consolidate the information received from multiple sources into their existing security architecture. This consolidation is further complicated by the fact that different feeds often present their threat findings in different ways, forcing security teams to spend more time getting the feeds translated into a common format that can be used by their existing security infrastructure.

In an effort to be thorough and to limit their liability, most threat intelligence feeds tend to report each new cyberthreat as a serious security risk, which is simply not the case. In actuality, the vast majority of threats listed in a threat intelligence subscription’s daily report are common, commodity attacks that are already “known,” and can easily be dealt with by existing security systems. When all threats are classified as serious, security teams have little context to work from as they try to analyze inbound threats and triage them in order of risk potential. Further complicating the situation is the fact that with some slight changes to the malware, cyberattackers can make existing threats appear to be “new,” when in reality they are from the same malware family. For traditional feeds, even the slightest change would result in another alert, even though only the filename, hash, or some other easily changed variable has shifted.

In light of the problems mentioned above, I would encourage organizations using threat subscriptions to take a moment and ask themselves the following questions:

1. If using multiple threat subscriptions, does the security team know how much redundancy exists between them?

2. Is it easy to integrate the intelligence received from my subscriptions into my existing security infrastructure? Can the security team evaluate inbound threat intelligence and convert it into an actual security policy quickly and without the need for manual configuration?

3. Do my threat subscriptions provide enough information to put the severity of each threat in the proper context?

4. Does my threat subscription track cyberthreats specifically targeting my industry?

If the answer to any of these questions is no, then I would argue that a more in-depth audit of current threat intelligence subscriptions needs to be conducted. In addition, I would also recommend organizations find out how they can automate the application of threat intelligence to their security architecture. This would allow most threats to be resolved in real time and without the need for slower, more costly human intervention.
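A small illustration of the consolidation the column describes, added here as an example (it is not code from the column or from any feed vendor): two constructed feeds in different formats are normalized to a common indicator tuple, their overlap is measured to answer question 1, and indicators are collapsed into malware families so a re-hashed sample does not count as a new threat. KNOWN_FAMILIES is a hypothetical local list of families existing controls already block; all indicator values are placeholders.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds; hashes, domain and IP are placeholders, not real indicators.
FEED_A_CSV = (
    "type,value,family,severity\n"
    f"sha256,{'a' * 64},commodity_dropper,high\n"
    "domain,bad.example.test,commodity_dropper,high\n"
    "ip,203.0.113.7,targeted_rat,high\n"
)
FEED_B_JSONL = "\n".join(json.dumps(r) for r in [
    {"indicator": "bad.example.test", "kind": "fqdn", "malware": "commodity_dropper", "risk": "critical"},
    {"indicator": "b" * 64, "kind": "sha256", "malware": "commodity_dropper", "risk": "critical"},
    {"indicator": "203.0.113.7", "kind": "ipv4", "malware": "targeted_rat", "risk": "critical"},
])

# Vendor-specific indicator types mapped onto one common vocabulary.
TYPE_MAP = {"fqdn": "domain", "ipv4": "ip", "sha256": "sha256", "domain": "domain", "ip": "ip"}
# Hypothetical local list of families that existing controls already block.
KNOWN_FAMILIES = {"commodity_dropper"}

def parse_feed_a(text):
    """Feed A is CSV with columns type,value,family,severity."""
    return {(TYPE_MAP[r["type"]], r["value"].lower(), r["family"])
            for r in csv.DictReader(io.StringIO(text))}

def parse_feed_b(text):
    """Feed B is JSON lines with its own field names; normalize to the same tuple."""
    out = set()
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            out.add((TYPE_MAP[r["kind"]], r["indicator"].lower(), r["malware"]))
    return out

def redundancy(feed1, feed2):
    """Jaccard overlap of two normalized feeds: 1.0 means fully redundant."""
    union = feed1 | feed2
    return len(feed1 & feed2) / len(union) if union else 0.0

def triage(feeds):
    """Collapse indicators into families: a new hash for a family already blocked
    by existing controls is 'covered'; an unknown family needs analyst review."""
    by_family = defaultdict(set)
    for feed in feeds:
        for ind_type, value, family in feed:
            by_family[family].add((ind_type, value))
    return {fam: {"indicators": len(inds),
                  "priority": "covered" if fam in KNOWN_FAMILIES else "review"}
            for fam, inds in by_family.items()}

if __name__ == "__main__":
    a, b = parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSONL)
    print(f"feed overlap: {redundancy(a, b):.0%}")
    for fam, info in triage([a, b]).items():
        print(fam, info)
```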

Adding threat intelligence to your security posture is a strong solution for keeping a network protected against new and existing cyberthreats, but only if an organization takes the necessary steps to quickly and easily apply that intelligence to actual security policy.

Related Reading: Distinguishing Threat Intelligence From Threat Data
