Applying Unfiltered Threat Intelligence to Defenses Generates Significant False Positives
Spanish philosopher George Santayana said, “Those who do not remember the past are condemned to repeat it.” If you’re reading this article, then it’s likely you remember the early days of network security, when network teams relied on firewalls to handle emerging security requirements and the focus was on basic blocking and tackling. We soon started to experience the overwhelming management challenge of navigating logs with too much data to sort through to find real threats, but we did our best to keep up.
As threats continued to evolve, we added more layers of security like intrusion detection and prevention and antivirus. With additional point solutions, fragmentation proliferated and the data and noise level magnified – along with false positives that plagued the industry. Over the next few years the market continued to mature and security became a discipline in its own right. Companies formed teams of security experts and new technologies emerged to provide context, automate certain aspects and prioritize action within the environment. More recently, we’ve started to see a movement towards integration and consolidation to reduce complexity and facilitate automation. But since these efforts are mostly vendor-centric, they often come at the expense of easily incorporating truly best-of-breed point solutions into your security infrastructure.
History is now repeating itself with threat intelligence at a similar inflection point – too much data and too many false positives. As organizations home in on threat intelligence as a cornerstone of their security posture, they are creating their own Security Operations Centers, incident response capabilities and threat intelligence teams. These experts are seeking ways to use threat intelligence to understand and act upon the highest priority threats facing their organization. The challenge is that they have multiple data feeds, some from commercial sources, some open source, some from their industry and some from their existing security vendors – each in a different format. On top of that, each point product within their layers of defense has its own intelligence. Lacking the tools and insights to automatically sift through mountains of data, it just becomes noise. Forging ahead and trying to apply unfiltered threat intelligence to our defenses generates significant false positives.
Harnessing the power embedded in disparate sources of threat data requires aggregating massive volumes of data in a central repository, and translating it into a uniform format for analysis and action. You then need to augment and enrich it with additional internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain additional and critical context and relevance so that you can prioritize threats to your organization.
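The pipeline just described (aggregate disparate feeds into one repository, normalize them to a uniform format, enrich with internal context, correlate against internal events, prioritize) is illustrated below in an added example that is not part of the original article. The two feed formats, the internal allowlist, the asset criticality table, the event records and the scoring weights are all constructed for the demonstration; the contrast it shows is the one the article makes: matching raw feed indicators directly against events flags the organization's own DNS resolver, while the enriched and prioritized path does not.

```python
"""Added example: normalize two threat feeds, enrich with internal context,
correlate against internal events, and prioritize. Every feed, asset record,
event and weight below is constructed for this demo, not real data."""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed feed A: CSV with one vendor's column names and a 0-100 confidence.
FEED_A_CSV = """indicator,type,confidence
203.0.113.10,ip,90
198.51.100.7,ip,40
evil-updates.example,domain,80
"""

# Constructed feed B: JSON with a different schema and a 0-1 score.
FEED_B_JSON = json.dumps({"objects": [
    {"value": "203.0.113.10", "kind": "ipv4", "score": 0.7},
    {"value": "192.0.2.53", "kind": "ipv4", "score": 0.9},  # our own resolver, mis-listed
    {"value": "evil-updates.example", "kind": "fqdn", "score": 0.6},
]})

# Constructed internal context: known-benign infrastructure and asset criticality (1-3).
INTERNAL_ALLOWLIST = {"192.0.2.53"}                    # corporate DNS resolver
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.20": 1}    # 3 = crown jewel, 1 = lab box

# Constructed internal firewall/proxy events (source host -> destination IP).
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10"},
    {"src": "10.0.0.20", "dst": "198.51.100.7"},
    {"src": "10.0.0.5", "dst": "192.0.2.53"},
    {"src": "10.0.0.20", "dst": "192.0.2.53"},
    {"src": "10.0.0.5", "dst": "192.0.2.200"},
]

# Map each vendor's type vocabulary onto one uniform set of indicator types.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    """Uniform representation shared by every feed after normalization."""
    value: str
    itype: str
    sources: set = field(default_factory=set)
    confidences: list = field(default_factory=list)   # each on a 0-100 scale


def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield Indicator(row["indicator"], TYPE_MAP[row["type"]],
                        {"feedA"}, [int(row["confidence"])])


def parse_feed_b(text):
    for obj in json.loads(text)["objects"]:
        yield Indicator(obj["value"], TYPE_MAP[obj["kind"]],
                        {"feedB"}, [round(obj["score"] * 100)])


def aggregate(*feeds):
    """Merge all feeds into one repository keyed by (type, value)."""
    repo = {}
    for feed in feeds:
        for ind in feed:
            key = (ind.itype, ind.value)
            if key in repo:
                repo[key].sources |= ind.sources
                repo[key].confidences += ind.confidences
            else:
                repo[key] = ind
    return repo


def unfiltered_matches(repo, events):
    """Naive use of raw intelligence: any event touching a listed IP is a hit."""
    ips = {v for (t, v) in repo if t == "ipv4"}
    return [e for e in events if e["dst"] in ips]


def prioritized_matches(repo, events, threshold=50):
    """Enrich each match with internal context, then score and filter it."""
    hits = []
    for e in events:
        ind = repo.get(("ipv4", e["dst"]))
        if ind is None or e["dst"] in INTERNAL_ALLOWLIST:
            continue
        avg_conf = sum(ind.confidences) / len(ind.confidences)
        corroboration = 1.0 + 0.25 * (len(ind.sources) - 1)   # independent sources add weight
        criticality = ASSET_CRITICALITY.get(e["src"], 1) / 3   # normalize to 0-1
        score = avg_conf * corroboration * criticality
        if score >= threshold:
            hits.append({**e, "score": round(score, 1), "sources": sorted(ind.sources)})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    repo = aggregate(parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSON))
    print("raw hits:", len(unfiltered_matches(repo, EVENTS)))          # 4, two are the resolver
    print("prioritized:", prioritized_matches(repo, EVENTS))           # 1 hit on the crown jewel
```

With these constructed inputs the raw lookup returns four hits, two of them traffic to the organization's own resolver; the enriched path drops the allowlisted resolver, discards the low-confidence single-source indicator seen from a lab host, and leaves one corroborated hit against the critical asset. The weights are illustrative; what matters is that confidence, corroboration across sources and internal asset context all feed the score before anything reaches an analyst or a blocking control.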
As we have learned from the evolution of network security, integration, context and prioritization are what will allow us to get more from our existing security investments and operationalize security. In the case of threat intelligence, integration done right will allow you to act on threat intelligence efficiently and effectively using your existing security tools and services. This includes, but is not limited to, SIEMs, log repositories, ticketing systems, incident response platforms, and orchestration and automation tools. Integration that is open and extensible, so that it can be truly vendor-agnostic, allows you to unlock the full potential of your curated threat intelligence to quickly address the threats that matter most to your organization.
The lessons we’ve learned from network security around the challenges of fragmentation; the importance of context, automation and prioritization; and the caveats around integration can be applied to the evolution of threat intelligence. By seeing the parallels and applying them swiftly, we can get on a faster path toward sharing intelligence, integrating defenses and coordinating response across all resources and the entire security infrastructure. Only then will we have realized the benefits of operationalizing threat intelligence – improving security posture and reducing the window of exposure to breach.