Using History to Overcome the Challenge of Threat Intelligence Data Overload

Applying Unfiltered Threat Intelligence to Defenses Generates Significant False Positives

Spanish philosopher George Santayana said, “Those who do not remember the past are condemned to repeat it.” If you’re reading this article then it’s likely you remember the early days of network security, when network teams relied on firewalls to handle emerging security requirements and the focus was on basic blocking and tackling. We soon started to experience the overwhelming management challenge of navigating logs with too much data to sort through to find real threats, but we did our best to keep up.

As threats continued to evolve, we added more layers of security like intrusion detection and prevention and antivirus. With additional point solutions, fragmentation proliferated and the data and noise level magnified – along with false positives that plagued the industry. Over the next few years the market continued to mature and security became a discipline in its own right. Companies formed teams of security experts and new technologies emerged to provide context, automate certain aspects and prioritize action within the environment. More recently, we’ve started to see a movement towards integration and consolidation to reduce complexity and facilitate automation. But since these efforts are mostly vendor-centric, they often come at the expense of easily incorporating truly best-of-breed point solutions into your security infrastructure.

History is now repeating itself with threat intelligence at a similar inflection point – too much data and too many false positives. As organizations home in on threat intelligence as a cornerstone of their security posture, they are creating their own Security Operations Centers, incident response capabilities and threat intelligence teams. These experts are seeking ways to use threat intelligence to understand and act upon the highest priority threats facing their organization. The challenge is they have multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. On top of that, each point product within their layers of defense has its own intelligence. Without the tools and insights to automatically sift through mountains of data, it all just becomes noise. Forging ahead and trying to apply unfiltered threat intelligence to our defenses generates significant false positives.

Harnessing the power embedded in disparate sources of threat data requires aggregating massive volumes of data in a central repository, and translating it into a uniform format for analysis and action. You then need to augment and enrich it with additional internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain additional and critical context and relevance so that you can prioritize threats to your organization.
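The aggregation, normalization and correlation steps described above, shown as an added Python example that is not from the original article or any vendor product. The two feed formats, field names, host names, indicator values and the ranking order are all constructed assumptions.

```python
import csv, io, json

# Constructed sample feeds in two formats (documentation-range IPs, example domains).
CSV_FEED = "indicator,type,confidence\n203.0.113.10,ip,80\nbad.example.net,domain,60\n198.51.100.7,ip,30\n"
JSON_FEED = json.dumps([
    {"ioc": "203.0.113.10", "kind": "ipv4", "score": 0.9},
    {"ioc": "BAD.example.net.", "kind": "fqdn", "score": 0.5},
    {"ioc": "192.0.2.55", "kind": "ipv4", "score": 0.7},
])
# Constructed internal events, e.g. proxy or DNS log hits: (host, observed value).
INTERNAL_EVENTS = [
    ("ws-014", "203.0.113.10"), ("ws-022", "203.0.113.10"),
    ("srv-db1", "bad.example.net"), ("ws-014", "intranet.example.org"),
]
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}

def normalize(value, kind, confidence, source):
    """Translate one feed record into the uniform format."""
    return {"type": TYPE_MAP[kind], "value": value.strip().lower().rstrip("."),
            "confidence": confidence, "source": source}

def load_feeds():
    """Aggregate both feeds into one list of uniform records."""
    records = [normalize(r["indicator"], r["type"], int(r["confidence"]), "csv_feed")
               for r in csv.DictReader(io.StringIO(CSV_FEED))]
    records += [normalize(r["ioc"], r["kind"], round(r["score"] * 100), "json_feed")
                for r in json.loads(JSON_FEED)]
    return records

def prioritize(records, events):
    """Merge duplicates, correlate with internal sightings, rank by relevance."""
    merged = {}
    for r in records:
        m = merged.setdefault(r["value"], {"value": r["value"], "type": r["type"],
                                           "confidence": 0, "sources": set(), "hosts": set()})
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["sources"].add(r["source"])
    for host, observed in events:
        hit = merged.get(observed.strip().lower())
        if hit:
            hit["hosts"].add(host)
    # Assumed ranking: internal sightings first, then confidence, then feed agreement.
    return sorted(merged.values(), reverse=True,
                  key=lambda m: (len(m["hosts"]), m["confidence"], len(m["sources"])))

if __name__ == "__main__":
    for m in prioritize(load_feeds(), INTERNAL_EVENTS):
        print(m["value"], m["confidence"], sorted(m["sources"]), sorted(m["hosts"]))
```

Indicators never seen inside the environment stay in the repository but sort to the bottom, which is where the reduction in false positives comes from.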

As we have learned from the evolution of network security, integration, context and prioritization are what will allow us to get more from our existing security investments and operationalize security. In the case of threat intelligence, integration done right will allow you to act on threat intelligence efficiently and effectively using your existing security tools and services. This includes, but is not limited to, SIEMs, log repositories, ticketing systems, incident response platforms, and orchestration and automation tools. Integration that is open and extensible so that it can be truly vendor-agnostic allows you to unlock the full potential of your curated threat intelligence to address the threats that matter most to your organization quickly.

The lessons we’ve learned from network security around the challenges of fragmentation; the importance of context, automation and prioritization; and the caveats around integration can be applied to the evolution of threat intelligence. By seeing the parallels and applying them swiftly we can get on a faster path toward sharing intelligence, integrating defenses and coordinating response across all resources and the entire security infrastructure. Only then will we have realized the benefits of operationalizing threat intelligence – improving security posture and reducing the window of exposure to breach.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast-growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
