
The Value of Threat Intelligence is Clear, But Are You Capturing It All?

Take Relevance Into Account When Analyzing Threat Data


Parents are nervous. High school seniors are nervous. It’s that time of year again when college decision letters and emails start to arrive. We all know there’s tremendous value in education, and a college degree is a prerequisite for many career paths. But which school is the best fit? Will your child get the most value possible from his or her college experience?

For each student, what defines and drives value from the college experience is different. It may be studying in an environment where they feel comfortable and can thrive; attending a university that offers a major in a field they want to pursue; having an opportunity to play the sport they love and excel in; or any number and combination of factors. 

Likewise, we all know there is tremendous value in threat intelligence, and various factors come into play to create value. 

The recent SANS 2018 Cyber Threat Intelligence Survey (PDF) finds 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. The millions of threat-focused data points available, the many sources of global threat data we subscribe to, and the internal threat and event data from our layers of defense and SIEMs provide a significant amount of threat intelligence. But are we capturing all the value we can to truly strengthen our defenses and accelerate detection and response?

As I’ve said before, not all threat intelligence is equal. Threat intelligence that is of value to your organization may not be of value to another. How do you get the most value from your threat intelligence? It comes down to relevance, and that’s determined by your industry/geography, your environment and your skills/capabilities.

Industry/Geography. Threat data focused on attacks and vulnerabilities specific to your industry and geography is much more relevant than generic data that includes threats targeting a sector and/or region you are not in. External threat feeds, such as those from national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry, can prove useful. Complementing the data in your central repository with data from these types of sources can help reduce noise and allow you to focus on threats occurring locally in your sector.

Environment. Depending on your environment or infrastructure, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators, allowing you to track suspicious traffic. To get the most value from your threat intelligence, you need tools that aggregate indicators in a central repository and allow you to augment and enrich them with context, so that you can prioritize and focus on those that matter most to you.


Skills/Capabilities. The number of skilled cybersecurity personnel you have in place also drives relevance. Larger organizations with more manpower have the resources to chase down threat data with two or even three degrees of separation (i.e., downstream IP addresses, domain registrants, etc.), whereas organizations without those vast resources must be more selective, investigating only threat data that is active, targeting their industry or associated with known adversary sets. This is where automation and managed security services providers (MSSPs) can help to augment your existing staff and expertise. Automation can help aggregate millions of threat-focused data points into a central repository and translate them into a uniform format. It can also help overlay context by correlating external and internal threat data. You can apply automation to help filter out some of the noise, for example by automatically prioritizing data based on parameters you set. MSSPs provide a menu of options: serving as your entire team, managing a specific aspect of your threat intelligence program, or providing high-value, customized services like threat hunting or incident response.
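The three relevance factors above can be expressed as a small scoring pass over an aggregated indicator repository. The following is an added example, not code from the article or from any vendor product; the profile, feed names, field names and weights are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
# Hypothetical organization profile: the "parameters you set". Weights are illustrative.
PROFILE = {"industry": "finance", "region": "EU",
           "type_weight": {"sha256": 3, "domain": 2, "ipv4": 2},  # endpoint-heavy environment
           "adversaries": {"GROUP-A"}}  # placeholder adversary label

@dataclass
class Indicator:  # uniform format every feed record is translated into
    type: str
    value: str
    industries: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    adversaries: set = field(default_factory=set)
    active: bool = False
    sources: set = field(default_factory=set)

def aggregate(records):
    """Merge feed records into one repository keyed by (type, value)."""
    repo = {}
    for r in records:
        key = (r["type"].lower(), r["value"].strip().lower())
        ind = repo.setdefault(key, Indicator(*key))
        for f in ("industries", "regions", "adversaries"):
            getattr(ind, f).update(r.get(f, ()))
        ind.active = ind.active or r.get("active", False)
        ind.sources.add(r["source"])
    return repo

def relevance(ind, profile=PROFILE):
    """Score one indicator against the organization profile."""
    score = profile["type_weight"].get(ind.type, 0)             # environment
    score += 3 if profile["industry"] in ind.industries else 0  # industry
    score += 2 if profile["region"] in ind.regions else 0       # geography
    score += 3 if ind.adversaries & profile["adversaries"] else 0
    score += 2 if ind.active else 0
    score += 1 if len(ind.sources) > 1 else 0  # corroborated by several feeds
    return score

def prioritize(records, threshold=5):
    """Return (score, type, value) tuples at or above threshold, best first."""
    scored = [(relevance(i), i.type, i.value) for i in aggregate(records).values()]
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

# Constructed sample records (example domain, documentation-range IP, dummy hash).
SAMPLE = [
    {"source": "isac", "type": "domain", "value": "Login.Example.net", "industries": ["finance"], "regions": ["EU"], "active": True},
    {"source": "cert", "type": "domain", "value": "login.example.net ", "adversaries": ["GROUP-A"]},
    {"source": "generic", "type": "ipv4", "value": "203.0.113.7", "industries": ["retail"], "regions": ["APAC"]},
    {"source": "siem", "type": "sha256", "value": "a" * 64, "active": True},
]
```

Calling `prioritize(SAMPLE)` keeps the domain reported by both the ISAC and CERT feeds and the active hash seen internally, and drops the out-of-sector IP address.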

Every parent wants their child to get the most from their education and a lot of factors contribute to that outcome. Likewise, many factors contribute to the value that can be derived from threat intelligence. As you create your threat intelligence program, make sure you take relevance into account when analyzing threat data and you’ll be well on your way to capturing the full value of threat intelligence.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
