The Value of Threat Intelligence Comes Down to Relevance and Accessibility
I’m amazed by the advancements in medicine for better diagnostics and treatment that are becoming almost common place. From DNA swab tests to see which drugs will be most effective for an individual patient, to targeted gene therapy and immunotherapy that tailor treatments accordingly. Medical centers now have programs dedicated to individualized medicine and there’s an entire field called “pharmacogenic testing” to determine the right drug at the right dose at the right time.
I hope this approach of data-driven, customized treatments will make its way more broadly into the field of security. Many CISOs I speak with are growing weary of searching for the next “silver bullet” security technology or another threat feed to improve their security posture. Clearly, this approach hasn’t worked as the velocity of attacks increases and the cost of a data breach continues to rise – from $3.86 million last year to $3.92 million in 2019, according to the 2019 Ponemon Cost of a Data Breach Study.
One newer area of investment aimed at accelerating response and mitigating risk is Security Orchestration, Automation and Response (SOAR) tools, specifically playbooks. Playbooks are good for automating known processes when you have high confidence in the data being used and the decisions that need to be made. Unfortunately, the confidence level for full automation is not there most of the time. Why? Data, especially with the increasingly large data sets we use, can be extremely noisy. If you start automating noise, the result will be amplified noise.
Security operations – teams, tools and processes – become more efficient and effective when decisions and actions are based on the right data. So how can you ensure you have the right data? Not all threat intelligence is equal: threat intelligence that is of value to your organization, may not be of value to another. Value comes down to relevance and accessibility, which requires curation into a customized enrichment source, aggregating data filtered by a range of factors, including:
Industry/Geography – Threat feeds focused on attacks and vulnerabilities specific to your industry and geography are much more relevant than generic data that include threats that target a specific sector and/or region you are not in.
Internal threat and event data – An often-overlooked source of threat intelligence is data housed within various systems and tools across your organization, including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure.
Environment – Depending on your environment, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators allowing you to track suspicious traffic.
Ecosystem – Threat feeds relevant to third parties your organization works with may alert you to adversaries and campaigns that may be actively targeting them and then, in turn, can potentially infiltrate your organization.
Risk profile – The level of risk each organization is willing to assume also varies. Assigning risk scores to threat feeds based on parameters you set helps to filter out the noise so you can act quickly upon the most relevant threats facing your organization.
Customized enrichment sources are foundational to the top use cases security professionals are focused on today. Aggregating and correlating all this data provides context, which is critical to understanding the who, what, where, when, why and how of an attack. And by using the same database for multiple use cases, teams have the benefit of sharing learnings automatically and immediately.
With the ability to analyze intelligence, understand relevance and collaborate, you can begin to prioritize what use case to focus on next – spear phishing, threat hunting, fraud detection, vulnerability management, or incident response. Whether the use case points you to technology for case management, ticketing, log management, SIEM, detection and prevention, vulnerability scanning, or SOAR tools, curated intelligence will allow these technologies to perform as promised, and help security teams make decisions and take action with greater confidence.
The medical community is seeing tremendous gains through individualized diagnostics and treatment. It’s time we customize our enrichment sources so we can customize defenses and better treat what ails us.