My good friend and (full disclosure) ThreatQuotient Board member, Marty Roesch, once said in a meeting, “Complexity is the enemy of security.” Not sure if he was the first to say it or was quoting someone else, but it stuck with me. It is a simple statement and one that is proven true time and time again.
In my last article I talked about how defense-in-depth – layering defenses so that if one does not work, another layer is there to stop the attack – has failed us. This stems from the fact that each layer of defense has been a point product – a disparate technology that has its own intelligence and works within its own silo, creating fragmentation. Since fragmentation creates complexity, it stands to reason that to combat the enemy and improve security we need to reduce fragmentation. But how can you “unfragment” something that is already out there in many pieces? The best way may be to find the glue to put things together. It turns out that threat intelligence can be the best glue to integrate layers of point products within a defense-in-depth strategy and reduce fragmentation.
But fragmentation isn’t just a problem with defense-in-depth. You also see it in your external threat intelligence feeds and across the different teams involved in maintaining your security posture. Let’s take a closer look at the fragmentation that exists in these areas and how threat intelligence can help.
A study by Carnegie Mellon University analyzed the blacklist ecosystem over an 18-month period and found that the contents of blacklists generally do not overlap. In fact, across the 123 lists studied (each containing anywhere from under 1,000 to over 50 million indicators), most indicators appeared on only a single list. No wonder there’s a huge data overload problem! The report goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” Verizon’s 2015 Data Breach Investigations Report came to a similar conclusion and notes that “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways.”
Typically, in an attempt to get the best coverage as they build their threat operations, most organizations are forced to use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. Lacking the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data remains fragmented, often does not have context and just becomes more noise. The path to threat intelligence begins with aggregating that external data into a threat intelligence platform (TIP).
However, a TIP needs to go further than aggregation. It must also operationalize and apply that intelligence as the glue that reduces fragmentation. With global data (structured and unstructured) in one manageable location, it must be translated into a uniform format, then augmented and enriched with internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain the additional, critical context needed to understand what is relevant and high-priority to your organization. Now you’re in a position to use that threat data, automatically exporting and distributing key intelligence across all the layers of defense in depth to improve security posture and reduce the window of exposure and breach.
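To make the aggregate, normalize, correlate and prioritize steps above concrete, here is a small added example (not code from the article or from ThreatQuotient). It ingests three constructed feeds in different formats, keeps track of which sources report each indicator (so the single-list problem from the blacklist study is visible), and ranks indicators by how many feeds report them plus whether they show up in constructed internal log events.

```python
# Added illustration of a TIP's aggregation and prioritization step.
# All feeds, formats and internal events below are constructed sample data.
import csv, io, json
from collections import defaultdict

# Three constructed feeds, each in a different format (the fragmentation problem).
FEED_A_CSV = "indicator,type\n198.51.100.7,ip\nbad.example,domain\n"
FEED_B_JSON = '[{"value":"bad.example","kind":"domain"},{"value":"203.0.113.9","kind":"ip"}]'
FEED_C_TXT = "198.51.100.7\nevil.example\n"

# Constructed internal events (proxy/firewall log hits) used for correlation.
INTERNAL_EVENTS = ["dst=198.51.100.7 action=allow", "host=evil.example action=block"]

def parse_feed_a(text):
    return {(row["indicator"], row["type"]) for row in csv.DictReader(io.StringIO(text))}

def parse_feed_b(text):
    return {(o["value"], o["kind"]) for o in json.loads(text)}

def parse_feed_c(text):
    # Untyped plain list: infer a coarse type from the shape of the value.
    return {(v.strip(), "ip" if v.strip().replace(".", "").isdigit() else "domain")
            for v in text.splitlines() if v.strip()}

def aggregate(feeds):
    """Normalize every feed into one uniform (value, type) key and record
    which sources reported it."""
    sources = defaultdict(set)
    for name, parser, raw in feeds:
        for key in parser(raw):
            sources[key].add(name)
    return sources

def single_source_count(sources):
    """How many indicators appear on only one list (the CMU study's finding)."""
    return sum(1 for srcs in sources.values() if len(srcs) == 1)

def prioritize(sources, events):
    """Score: one point per reporting feed, plus a large bonus for each internal
    event that mentions the indicator, which is what makes it relevant locally."""
    scored = []
    for (value, itype), srcs in sources.items():
        hits = sum(value in e for e in events)
        scored.append({"value": value, "type": itype, "sources": sorted(srcs),
                       "internal_hits": hits, "score": len(srcs) + 10 * hits})
    return sorted(scored, key=lambda r: r["score"], reverse=True)

FEEDS = [("feed_a", parse_feed_a, FEED_A_CSV), ("feed_b", parse_feed_b, FEED_B_JSON),
         ("feed_c", parse_feed_c, FEED_C_TXT)]
RANKED = prioritize(aggregate(FEEDS), INTERNAL_EVENTS)

if __name__ == "__main__":
    for record in RANKED:
        print(record)
```

The top-ranked records are the ones worth exporting to the SIEM or firewall first; the low-scoring, single-source entries are the noise the article describes.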
But what about the fragmentation across teams? The key here is to find a way to use that threat intelligence for better decisions and action – a challenge in siloed organizational structures. You might have a SOC, a network team, an incident response (IR) team and a malware team. Usually, they don’t work together, much less share information or intelligence. Forcing direct communication isn’t typically effective, so how do you get those teams to work together in a way that makes sense? If you can offer a single repository for all threat intelligence that is contextual and prioritized, you can foster much-needed collaboration without the teams necessarily even noticing. With the ability to add commentary and store data for longer periods of time, the repository can become a core component of their processes. As the different teams use and update this repository, information is shared instantly across the other teams, resulting in faster, more informed decisions.
To go a step further, integrating that repository into other existing systems – including, but not limited to, SIEM, log repositories, ticketing systems, incident response platforms, and orchestration and automation tools – will allow disparate teams to use the tools and interfaces they already know and trust and still benefit from and act on that intelligence. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes. The SOC uses the SIEM. The network team uses network monitoring tools and firewalls. And this is just the beginning. By getting consistent intelligence directly from the repository they have been working in and updating collectively, everyone operates from a single source of truth, reducing fragmentation and complexity so they can accelerate detection and response.
There’s no doubt that complexity is the enemy of security. But you can also do something about it. By enriching threat data from all your external and internal sources with context, relevance and prioritization, threat intelligence becomes the glue that reduces fragmentation across your security environment – the disparate internal systems, the various external feeds and the different teams. With less complexity, your existing teams working with their existing tools can keep your organization safer.