SecurityWeek

Security Infrastructure

Gifts and Data – Personalization Brings Meaning

The holidays are now behind us and we’re getting back to our routines. As we do, we start putting to use all the gifts we’ve received from family, friends, colleagues and neighbors. Each year I’m impressed by the people who always seem to nail it and find the perfect thing. It’s as if they could read your mind. They know your interests and hobbies, perhaps your favorite teams and players. They may have considered where you live – in a warm climate or cold, in the city or the suburbs. They remember your favorite color and may even add a monogram. The level of personalization is limitless, and the gift carries so much meaning.

Of course, there are the more generic gifts you receive as well. The lottery tickets from the white elephant exchange. A candle from a neighbor. Or a pair of socks from a great aunt. All useful items, but usually received from someone who doesn’t know you as well, or perhaps not at all. You definitely appreciate each and every present. But there’s a certain impact that a personalized gift makes.

So, what does this have to do with threat intelligence? Just like gifts, personalization makes threat data more meaningful. There’s generic threat data that includes the signature updates we get from the defenses we use every day — our firewalls, intrusion detection and prevention tools, anti-virus, web and email gateways, and endpoint detection and response solutions. Updates to these tools provide protection against the “known bad” or background noise every organization faces, but they don’t consider the industry or geographies in which your business operates. It’s kind of like that generic pair of socks that serves a purpose, but doesn’t really reflect who you are or what you need or might be most interested in. 

There are also Open Source Intelligence (OSINT) sources that offer free threat data. These feeds can provide valuable insights, but they also include noise and can generate significant false positives if applied directly to your SIEM and security defenses. While this generic threat data lays the foundation for your threat operations program, limiting ourselves to these sources alone assumes that we all face the same adversaries and have the same appetite for risk. And we don’t.

The reality is that most of the risk organizations face tends to come from more targeted threats. Think about the recent wave of attacks on the energy sector, or targeted Business Email Compromise campaigns carefully crafted to look like the email is from a top executive in your organization. So, what can you do to mitigate risk from adversaries targeting your organization and infrastructure?

You need to increase the level of personalization to maximize the impact of threat data on your security operations and more effectively and efficiently protect your organization. There are several sources you can turn to.

Geographic and industry-specific data: These include national/governmental Computer Emergency Response Teams (CERTs) that develop and provide threat intelligence based on both geography and industry, so that organizations can understand and adapt to threats that are occurring locally in their specific sector. Information Sharing and Analysis Centers (ISACs) organized by industry can also prove useful, as they disseminate to their members threat intelligence that concerns their sector.

Adversary and related data: Commercially available threat feeds provide updated threat data that cuts across categories to get closer to the personalized type of threat data you need. For example, they identify adversaries, their targets and their tools, techniques and procedures (TTPs) to help you know if you’re in their sights.

Data based on your ecosystem: You can also filter threat data based on your supply chain and other third parties within your ecosystem. Mentions of their names, brands, or sectors may alert you to adversaries and campaigns that are actively targeting them and could, in turn, use that foothold to reach your organization.

A central repository can help you make sense of all these different threat feeds and intelligence sources by aggregating them for analysis and action. But you still can, and should, filter out the noise and cull the data further so that it is focused on you – your tools, infrastructure and risk profile. To do this you must add context to the data so that you can prioritize it.

Your own layers of defense and/or SIEM provide a massive amount of log and event data, capturing everything that has happened within your environment. By correlating these events and associated indicators from inside your environment with external threat data, you gain additional and critical context to understand what is relevant and high-priority to your organization. You can send this curated threat intelligence directly to your sensor grid, including firewalls, IPS/IDS, routers, endpoint, and web and email security (in the case of spam) so all are synchronized and defending together. Based on your risk profile, you can act quickly upon the most relevant threats facing your organization to reduce risk now and in the future.
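As an added illustration of the context-based prioritization described above (example code written for this edit, not the column's or ThreatQuotient's own): every feed entry, SIEM event, profile field and scoring weight below is a constructed assumption, chosen only to show how sector, geography, ecosystem mentions and internal sightings lift an indicator above generic noise.

```python
"""Rank external threat indicators by how relevant they are to one organization.

Added example; all data and weights are constructed assumptions, not a real feed.
"""

# Constructed organization risk profile: the "who you are" that personalizes the data.
ORG_PROFILE = {"sector": "energy", "region": "US", "suppliers": {"acme-parts"}}

# Constructed feed entries. 'source' distinguishes generic OSINT from curated
# CERT/ISAC/commercial sources; sectors/regions/mentions are the feed's own tags.
FEED = [
    {"indicator": "203.0.113.7",  "source": "osint",      "sectors": set(),        "regions": set(),  "mentions": set()},
    {"indicator": "evil.example", "source": "isac",       "sectors": {"energy"},   "regions": {"US"}, "mentions": set()},
    {"indicator": "198.51.100.9", "source": "commercial", "sectors": {"finance"},  "regions": {"EU"}, "mentions": {"acme-parts"}},
    {"indicator": "bad.example",  "source": "cert",       "sectors": {"energy"},   "regions": {"DE"}, "mentions": set()},
]

# Constructed internal SIEM events: what the organization's own sensor grid saw.
SIEM_EVENTS = [
    {"dst": "203.0.113.7",  "host": "ws-17"},
    {"dst": "evil.example", "host": "srv-ot-2"},
]


def score(entry, profile, seen_indicators):
    """Assumed weights: curated source > OSINT; sector, region and supplier matches
    add context; an internal sighting outweighs every external tag on its own."""
    s = 0.5 if entry["source"] == "osint" else 1.0
    if profile["sector"] in entry["sectors"]:
        s += 2.0
    if profile["region"] in entry["regions"]:
        s += 1.0
    if entry["mentions"] & profile["suppliers"]:
        s += 2.0
    if entry["indicator"] in seen_indicators:
        s += 3.0
    return s


def prioritize(feed, profile, events):
    """Correlate feed with internal events and return (indicator, score), highest first."""
    seen = {e["dst"] for e in events}
    scored = [(e["indicator"], score(e, profile, seen)) for e in feed]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def curated_for_sensor_grid(feed, profile, events, threshold):
    """Only indicators above the threshold are pushed to firewalls, IDS/IPS and gateways."""
    return [ind for ind, s in prioritize(feed, profile, events) if s >= threshold]


if __name__ == "__main__":
    for indicator, s in prioritize(FEED, ORG_PROFILE, SIEM_EVENTS):
        print(f"{s:4.1f}  {indicator}")
```

With these weights the ISAC indicator that matches the organization's sector and region and was also seen internally ranks first, while the generic OSINT entry only rises because the SIEM actually observed it.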

That personal touch makes all the difference. Next year, I’m going to try to bring that same touch to the presents I give. In the meantime, we’d all benefit from adding more personalization to our threat intelligence programs with data that is the most meaningful to our organizations.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
