SecurityWeek

Threat Intelligence: Putting the Horse Before the Cart

Threat intelligence has received a lot of attention from the industry, ranging from vendors expanding their product portfolios and venture capitalists funding new start-ups to end user organizations looking for insights into advanced cyber-attacks that aren’t available from traditional perimeter defense tools. However, threat intelligence in and of itself is just another data source that adds to the complexity and velocity of having to analyze data in a manual fashion.

In the first few weeks of 2016, a new round of data breaches at companies including NationBuilder, MacKeeper, Landry’s, Cottage Health, and Northwest Primary Care has made headlines. They illustrate how difficult it remains to identify risk indicators when the cyber attackers, including their strategy, competences, and actions, are unknown. To overcome the inherent limitations of focusing on control gaps and vulnerabilities when performing cyber risk assessments, more and more organizations are turning to threat intelligence to enrich their security detection and response capabilities. Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected stepchild.

In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future attacks. Sources range from government agencies (e.g., the National Terrorism Advisory System by the U.S. Department of Homeland Security, United States Computer Emergency Readiness Team) and industry information sharing forums (e.g., the Financial Services Information Sharing and Analysis Center, Red Sky Alliance) to commercial threat intelligence services that provide information about IT security threats, vulnerabilities, incidents, and other security-related issues.

Gartner predicts that by 2020, 25% of global enterprises will engage the services of a “cyberwar mercenary” organization, including threat intelligence services. However, organizations must recognize that subscribing to these services only increases the challenges associated with processing and extracting actionable information from security data, which in its raw form remains only a means to an end. Stand-alone threat intelligence services, just like silo-based security tools, only add to the volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized.

Unfortunately, this analysis burden represents one of the biggest challenges in today’s fight against cyber-attacks. Traditional security tools are silo-based and require legions of staff to comb through huge amounts of data to connect the dots and find the needle in the haystack. The bitter truth is that the security industry has too few professionals to tackle these tasks. According to the Information Security Audit and Controls Association (ISACA), there are more than 1 million unfilled security jobs worldwide. Thus, it is not surprising that it takes on average eight months for an advanced threat to be detected in a victim’s network. Even for organizations that can afford a deep bench of security analysts, accumulating distributed data can take months, during which time attackers can exploit vulnerabilities and extract data.

Finally, threat intelligence has little value unless it is put into the context of an organization’s security posture. Most organizations don’t have the resources to apply the logic required to correlate external threat data with their internal security intelligence. This results in the underutilization of threat intelligence feeds or requires expensive outside consultants to perform the analysis.

Fortunately, new technologies that take a pro-active approach to cyber risk management are emerging to not only aggregate multiple threat intelligence feeds, but more importantly correlate external and internal security data with its business criticality or risk to the organization. This allows for increased operational efficiency and faster time-to-remediation without requiring expensive consulting services.
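The correlation the column describes, joining an external feed to internal inventory and log data and weighting each hit by business criticality, can be sketched in a few dozen lines. The script below is an added example and not code from the column or from any product it alludes to; the feed schema, the asset inventory fields, the firewall log format, the vulnerability identifiers (VULN-EXAMPLE-n) and the IP addresses (taken from the reserved documentation ranges) are all constructed for illustration.

```python
"""Put threat intelligence in context: correlate external indicators with
internal assets and weight the result by business criticality.

Added example with a hypothetical feed/asset schema and constructed data;
not the column's own code.
"""
from dataclasses import dataclass
import re

# Weight applied to a match according to how business-critical the asset is.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass(frozen=True)
class Indicator:
    """One record from an external threat feed (hypothetical schema)."""
    kind: str          # "ip" = attacker infrastructure, "vuln" = actively exploited weakness
    value: str
    confidence: float  # feed-supplied confidence, 0.0 to 1.0
    source: str


@dataclass(frozen=True)
class Asset:
    """One internal system from the organization's own asset inventory."""
    name: str
    ip: str
    criticality: str        # "high" / "medium" / "low" business criticality
    open_vulns: frozenset   # vulnerability ids reported by the internal scanner


# Constructed external feed (documentation IP ranges, made-up vulnerability ids).
THREAT_FEED = [
    Indicator("ip",   "198.51.100.7",   0.9, "commercial-feed"),
    Indicator("ip",   "203.0.113.25",   0.6, "isac-share"),
    Indicator("vuln", "VULN-EXAMPLE-1", 0.8, "commercial-feed"),
    Indicator("vuln", "VULN-EXAMPLE-2", 0.5, "isac-share"),
]

# Constructed internal asset inventory.
ASSETS = [
    Asset("payments-db",   "10.0.5.12", "high",   frozenset({"VULN-EXAMPLE-1"})),
    Asset("intranet-wiki", "10.0.9.3",  "low",    frozenset({"VULN-EXAMPLE-1", "VULN-EXAMPLE-2"})),
    Asset("build-server",  "10.0.7.8",  "medium", frozenset()),
]

# Constructed internal firewall log, one connection per line.
FIREWALL_LOG = """\
2016-02-01T10:00:01Z src=10.0.5.12 dst=198.51.100.7 dport=443 action=ALLOW
2016-02-01T10:00:02Z src=10.0.9.3 dst=192.0.2.44 dport=80 action=ALLOW
2016-02-01T10:00:03Z src=10.0.7.8 dst=203.0.113.25 dport=22 action=DENY
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) .*action=(?P<action>\w+)")


def parse_firewall_log(text):
    """Return (src, dst, action) tuples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["src"], m["dst"], m["action"]))
    return out


def correlate(feed, assets, log_text):
    """Join external indicators to internal assets, weighted by criticality.

    Returns a list of (asset_name, score, reasons) sorted by descending score.
    Indicators that touch no internal asset yield no finding at all, which is
    the point: raw feed volume collapses to what matters to this organization.
    """
    ip_indicators = {i.value: i for i in feed if i.kind == "ip"}
    vuln_indicators = {i.value: i for i in feed if i.kind == "vuln"}
    connections = parse_firewall_log(log_text)

    findings = []
    for asset in assets:
        weight = CRITICALITY_WEIGHT[asset.criticality]
        score, reasons = 0.0, []
        # Evidence 1: the asset communicated with known attacker infrastructure.
        for src, dst, action in connections:
            ind = ip_indicators.get(dst)
            if src == asset.ip and ind is not None:
                # An allowed connection is stronger evidence than a blocked attempt.
                factor = 1.0 if action == "ALLOW" else 0.5
                score += ind.confidence * factor * weight
                reasons.append(f"{action} connection to {dst} ({ind.source})")
        # Evidence 2: the asset carries a vulnerability the feed reports as exploited.
        for vuln_id in sorted(asset.open_vulns & set(vuln_indicators)):
            ind = vuln_indicators[vuln_id]
            score += ind.confidence * weight
            reasons.append(f"exposed to actively exploited {vuln_id} ({ind.source})")
        if reasons:
            findings.append((asset.name, round(score, 2), reasons))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


if __name__ == "__main__":
    for name, score, reasons in correlate(THREAT_FEED, ASSETS, FIREWALL_LOG):
        print(f"{score:5.2f}  {name}")
        for reason in reasons:
            print(f"        - {reason}")
```

Run as a script, the high-criticality database that both talked to flagged infrastructure and carries an exploited vulnerability lands at the top of the list, while the low-criticality wiki with two open vulnerabilities but no suspicious traffic scores far lower; the indicator for 192.0.2.44, which the feed never mentions, never surfaces at all. The weights and the ALLOW/DENY factor are deliberately simple placeholders; the design point is that prioritization comes from the join between external and internal data, not from either source alone.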

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
