It’s Important to Enrich External Threat Intelligence With Context to Understand the Who, What, Where, When, Why and How of an Attack
In cybersecurity, we tend to focus on technology to solve all our challenges and sometimes lose sight of the importance of people. For four years now I’ve talked about empowering the human element, a theme which was showcased at RSA Conference last month. As I walked the floor, listened to sessions and spoke to attendees, I was struck by the newfound appreciation for and recognition of the need to better enable the interplay between humans and technology as we strive to strengthen defenses. It’s a topic near and dear to my heart and reminded me of two stories.
The first is one I’ve written about before. It’s the story of Captain Chesley “Sully” Sullenberger, who famously made an emergency landing of US Airways Flight 1549 on the Hudson River, saving all 155 souls onboard. Technology was telling him to pull up and try to reach an airport; had he simply listened, the results would have been disastrous. Instead, his intelligence, intuition and 29 years of experience as a commercial pilot kicked in. Informed by data, Sully was able to make the right series of decisions at the time to land the plane safely in the river.
The second story is from a post I saw on LinkedIn a few weeks ago that reinforced the essential role human intelligence plays in data analysis and decision making. Coincidentally also related to planes, the post described how, when Allied planes returned from battle after encountering Nazi anti-aircraft fire in World War II, the initial plan was to reinforce the areas of the planes that received the most bullet holes. It was mathematician Abraham Wald who pointed out that those were the areas strong enough to survive multiple hits and still allow the planes to return home safely. The focus should instead be on reinforcing the areas that had no bullet holes, since those were the areas that, when hit, brought planes down.
Both stories show the importance of having the right data to enable better decision making and actions. And sometimes that right data needs to be analyzed by a human. For those of us in cybersecurity it’s a reminder to get back to basics and empower teams for data analysis and decision making.
Getting back to basics starts with context. And how do you get context? A key source is threat intelligence. But this doesn’t necessarily mean you need more threat feeds. Most organizations already have more threat feeds than they know what to do with, from commercial sources, open source, government, industry and existing security vendors. In fact, much of this data is ignored because it’s difficult to discern what’s noise and what’s important. Some intelligence feed vendors provide “global” scores, but these can actually add to the noise, since the score is not set within the context of your company’s specific environment. To gain a deeper understanding of your adversaries, you need a platform to aggregate these millions of global threat data points and translate them into a uniform format for analysis and action.
Next, you need to ensure relevance by combining the data with internal threat and event data. Sources like security information and event management (SIEM) systems, log management repositories and case management systems contain events and associated indicators from inside your environment. Unfortunately, these systems aren’t being fully utilized because they are usually “owned” by different security teams that exist in silos – the Security Operations Center, incident response, risk management, vulnerability management, malware, network and more – which makes them difficult to access. With a platform that aggregates this data as well, you can enrich external threat intelligence with context to understand the who, what, where, when, why and how of an attack.
Up to this point, tools and technology are doing the time-consuming and tedious work of gathering and contextualizing the data. This frees up humans to take on the next important task: analyzing the data and determining which intelligence to focus on first and which can be kept as peripheral. With the ability to change risk scores and prioritize threat intelligence based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for you.
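As an added illustration (not code from this column or from any vendor’s platform), the following Python sketch walks through the three steps just described: translating two constructed feeds into one uniform record, enriching those records with constructed internal SIEM sightings, and re-scoring them with analyst-set parameters. The feed shapes, field names, indicator values and weights are all assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample feeds, each in its own native shape (an assumption).
FEED_A = [("ip", "203.0.113.7", 90, "FeedA"),             # vendor feed, scored 0-100
          ("domain", "update-check.example", 40, "FeedA")]
FEED_B = [{"kind": "domain", "indicator": "update-check.example",
           "confidence": 6, "actor": "ActorX"},            # open-source feed, scored 0-10
          {"kind": "hash", "indicator": "CONSTRUCTED-SHA256-PLACEHOLDER", "confidence": 9}]
# Constructed internal sightings, e.g. exported from the SIEM: value -> hit count.
SIEM_SIGHTINGS = {"update-check.example": 12}
# Local prioritisation parameters an analyst would set (assumed values).
PARAMS = {"source_weight": {"FeedA": 0.6, "FeedB": 1.0},
          "type_weight": {"ip": 0.5, "domain": 1.0, "hash": 0.8},
          "tracked_adversaries": {"ActorX"}, "sighting_bonus": 20, "adversary_bonus": 10}

@dataclass
class Indicator:                  # the uniform record every feed is translated into
    type: str
    value: str
    global_score: float = 0.0     # best feed score, normalised to 0-100
    sources: set = field(default_factory=set)
    adversaries: set = field(default_factory=set)
    sightings: int = 0            # internal context from the SIEM

def normalize(feed_a, feed_b):
    """Aggregate both feeds into one Indicator per value, keeping the highest score."""
    out = {}
    for kind, value, score, src in feed_a:
        ind = out.setdefault(value, Indicator(kind, value))
        ind.global_score = max(ind.global_score, score)
        ind.sources.add(src)
    for rec in feed_b:
        ind = out.setdefault(rec["indicator"], Indicator(rec["kind"], rec["indicator"]))
        ind.global_score = max(ind.global_score, rec["confidence"] * 10)  # 0-10 -> 0-100
        ind.sources.add("FeedB")
        if "actor" in rec: ind.adversaries.add(rec["actor"])
    return out

def local_score(ind, p):
    """Re-score: weight by source trust and indicator type, then add context bonuses."""
    trust = max(p["source_weight"][s] for s in ind.sources)
    score = ind.global_score * trust * p["type_weight"][ind.type]
    score += p["sighting_bonus"] if ind.sightings else 0
    score += p["adversary_bonus"] if ind.adversaries & p["tracked_adversaries"] else 0
    return min(round(score), 100)

def prioritize(feed_a=FEED_A, feed_b=FEED_B, sightings=SIEM_SIGHTINGS, params=PARAMS):
    inds = normalize(feed_a, feed_b)
    for v in sightings.keys() & inds.keys(): inds[v].sightings = sightings[v]  # enrich
    return sorted(((local_score(i, params), i.value) for i in inds.values()), reverse=True)
```

With these sample inputs the vendor-scored IP (global score 90) drops to a local score of 27, while the domain that was seen inside the environment and tied to a tracked adversary rises to 90, which is exactly the kind of re-prioritization the paragraph above describes.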
It’s up to humans, guided by instinct, intelligence and experience, to determine the right data, so they can focus on what matters to the organization, make better decisions and take the right actions. It’s how Sully and Wald were able to mitigate risk, and it’s essential for security professionals too.