SecurityWeek

Threat Intelligence

Tackling the Challenge of Actionable Intelligence Through Context

Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization.


Recognition of the importance of threat intelligence has been building for years. But it has taken center stage as the acceleration of digital transformation and the shift to hybrid work models have expanded the attack surface, and geopolitical events have raised the stakes for defenders to protect critical infrastructure and sensitive data. Government leaders are pointing to threat intelligence sharing and best practices as key components that have helped strengthen cybersecurity and mitigate the impact of cyberwarfare.  

Recent surveys corroborate the value organizations place on threat intelligence, but also reveal challenges in making threat intelligence actionable. Based on discussions with 1,350 business and IT leaders, Mandiant’s Global Perspectives on Threat Intelligence report (PDF) finds that while nearly all (96%) respondents are satisfied with the quality of their threat intelligence, 47% struggle to apply threat intel throughout the security organization and 70% say at least a majority of the time they make decisions without adversary insights.

Automation can help make threat intelligence actionable. But making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization, so that you are automating and taking action on the right data at the right time. To understand this better, let’s dig deeper into what respondents to the CRA study cite as their top use case for threat intelligence: vulnerability management.

The number of Common Vulnerabilities and Exposures (CVEs) climbed to 25,227 in 2022. However, at any given time only a small fraction of existing vulnerabilities is actively exploited or exploitable. And for any given organization, only a fraction of those vulnerabilities is utilized by threat actors and campaigns that may target that organization. So, how do you know what to focus on for your organization?

Imagine a Venn diagram where vulnerability management is one circle and intelligence from both internal and external sources for context is a second circle. The area of overlap is your area of risk and where you can prioritize vulnerabilities based on that context. It logically follows that you can also use context to prioritize mitigation, so you can optimize vulnerability management workflows and achieve the best outcomes for your organization.

In this case, context comes from information about the number of assets that are vulnerable, their criticality to the organization, whether they are protected, whether the vulnerability is being actively exploited, whether threat actors are targeting your specific industry or region, and whether indicators of compromise (IoCs) have been seen in your environment. These elements help you understand the likelihood of the vulnerability being exploited in your environment. External data on CVEs, indicators, adversaries and their methods helps you understand the consequences of a vulnerability. When you aggregate and correlate internal context with external threat intelligence, you can prioritize vulnerabilities automatically based on parameters you set, so the organization can take the right actions at the right time.

For example, you might determine that a vulnerability needs to be addressed immediately because there are sightings of IoCs in your environment and the vulnerability is known to be actively exploited by threat actors targeting your specific industry or region. Or you may find that the vulnerability is not relevant to your industry and therefore less of a priority, but you still may decide to patch based on your risk profile. Or you may find the vulnerability is not being actively exploited so it doesn’t make sense to patch it now or initiate compensating controls, although you may continue to watch it.
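The prioritization the two preceding paragraphs describe can be written down as a small scoring routine. The following is an added example, not code from the article or from ThreatQuotient: it folds internal context (vulnerable asset count, asset criticality, whether a compensating control is in place, IoC sightings in our own telemetry) together with external intelligence (exploitation in the wild, whether the actors using it target our sector) and returns one of the three outcomes the author walks through, patch now, schedule a patch per the risk profile, or keep watching. The field names, weights, tier thresholds and sample records are all constructed assumptions, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VulnContext:
    """One vulnerability plus the internal and external context needed to rank it."""
    vuln_id: str                 # placeholder ids in the samples; not real CVE numbers
    vulnerable_assets: int       # internal: assets in inventory that expose it
    max_criticality: int         # internal: highest business criticality among them, 1..5
    protected: bool              # internal: a compensating control already shields them
    actively_exploited: bool     # external: exploitation observed in the wild
    targets_our_sector: bool     # external: actors using it target our industry or region
    ioc_sightings: int           # internal: matching IoCs observed in our own telemetry


@dataclass
class Decision:
    vuln_id: str
    tier: str
    score: int
    reasons: List[str] = field(default_factory=list)


# Constructed weights used only to rank items within a tier; an organization would
# tune these to its own risk profile.
WEIGHTS: Dict[str, int] = {
    "actively_exploited": 40,
    "targets_our_sector": 20,
    "ioc_sightings": 30,
    "criticality_per_level": 5,   # criticality 1..5 contributes 5..25
    "unprotected": 10,
}

TIER_ORDER = {"patch-now": 0, "schedule-patch": 1, "watch": 2, "not-applicable": 3}


def score_vulnerability(ctx: VulnContext) -> Decision:
    """Combine internal context with external intel into a tier plus a ranking score."""
    if ctx.vulnerable_assets == 0:
        return Decision(ctx.vuln_id, "not-applicable", 0,
                        ["no asset in inventory exposes this vulnerability"])

    score = 0
    reasons: List[str] = []
    if ctx.actively_exploited:
        score += WEIGHTS["actively_exploited"]
        reasons.append("exploitation observed in the wild")
    if ctx.targets_our_sector:
        score += WEIGHTS["targets_our_sector"]
        reasons.append("actors using it target our industry or region")
    if ctx.ioc_sightings > 0:
        score += WEIGHTS["ioc_sightings"]
        reasons.append(f"{ctx.ioc_sightings} related IoC sighting(s) in our environment")
    score += WEIGHTS["criticality_per_level"] * ctx.max_criticality
    reasons.append(f"{ctx.vulnerable_assets} vulnerable asset(s), "
                   f"max criticality {ctx.max_criticality}/5")
    if ctx.protected:
        reasons.append("compensating control already in place")
    else:
        score += WEIGHTS["unprotected"]
        reasons.append("no compensating control in place")

    # The three outcomes the article walks through, in order of urgency.
    if ctx.actively_exploited and ctx.targets_our_sector and ctx.ioc_sightings > 0:
        tier = "patch-now"
    elif ctx.actively_exploited:
        tier = "schedule-patch"     # exploited, but not aimed at us: patch per risk profile
    else:
        tier = "watch"              # not exploited today: keep following the intel feeds
    return Decision(ctx.vuln_id, tier, score, reasons)


def prioritize(contexts: List[VulnContext]) -> List[Decision]:
    """Rank a batch: most urgent tier first, higher score first within a tier."""
    decisions = [score_vulnerability(c) for c in contexts]
    return sorted(decisions, key=lambda d: (TIER_ORDER[d.tier], -d.score))


# Constructed sample input; ids are placeholders, not real CVEs.
SAMPLE = [
    VulnContext("VULN-PLACEHOLDER-1", 12, 5, False, True, True, 3),    # IoCs seen, targeted
    VulnContext("VULN-PLACEHOLDER-2", 40, 3, True, True, False, 0),    # exploited elsewhere
    VulnContext("VULN-PLACEHOLDER-3", 5, 2, False, False, False, 0),   # no exploitation yet
    VulnContext("VULN-PLACEHOLDER-4", 0, 1, True, True, True, 0),      # nothing exposed
]

if __name__ == "__main__":
    for d in prioritize(SAMPLE):
        print(f"{d.vuln_id}: {d.tier} (score {d.score})")
        for r in d.reasons:
            print(f"    - {r}")
```

The tier decision is deliberately rule-based and explainable (each `Decision` carries the reasons that drove it), while the numeric score only orders items within a tier; that keeps the "patch now" outcome tied to concrete evidence in the organization's own environment rather than to a weight someone tuned.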


In the absence of context, you could be patching vulnerabilities that are not being actively exploited or are low in priority, or, even worse, patching something that negatively impacts operations. Threat intelligence can only be actionable with context and automation, and when the two are used in combination they enable you to apply threat intelligence to achieve the best outcome for your organization. In this case, that means a shrinking list of vulnerable assets and a stronger security posture, faster.

Related: Removing the Barriers to Security Automation Implementation

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
