Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/2/2017
02:30 PM
Vikram Phatak
Vikram Phatak
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Getting Threat Intelligence Right

Are you thinking of implementing or expanding a threat intelligence program? These guidelines will help you succeed.

The array of startups in the threat intelligence market and the sheer volume of talk on the subject have enterprises racing to implement a solution. Many are placing big bets that subscribing to various threat intelligence offerings will enable them to spot threats faster and thereby minimize the damage and losses associated with security incidents.

This is a tall order, and high expectations have been set by the industry. So it's no surprise that threat intelligence already has a lot of tired and disillusioned followers, as I've discussed at length with CISOs and security practitioners over the past few months. From these conversations, I've concluded that what enterprises need most is a strategic plan to operationalize and automate security based upon actionable intelligence.

Unfortunately, enterprises are often advised that they need to add a lot of new, arbitrary information feeds and sources, regardless of the enterprise's operational maturity and resource constraints. Too often, the result is performance misfires coupled with a damaging loss of confidence in an approach meant to guide continuous improvement.

If you are considering implementing or expanding a threat intelligence program, here are a few principles that can increase the likelihood of success.

Define What You're Trying to Achieve 
What's the goal for your threat intelligence program? The primary purpose for threat intelligence is to accelerate incident response so that individual breaches are dealt with before they become full-blown incidents (which are far more costly). If this is your plan, then you need to know where the blind spots are. Can you gather the information you need from your security products?

For example, if your historical product selection was biased toward prevention rather than detection, you may not have the indicators of compromise (IOCs) or indicators of attacks (IOAs) required. You may be in a closed loop where "you don't know what you don't know," because by definition, if a security product failed to block an attack it's probably because it failed to see the attack. If not having visibility into what you missed is your problem, you may need to start by gaining visibility into your network before layering in third-party intelligence.

It's important to stay focused on the most urgent needs first, and effectively optimize the information being gathered. Once you've crossed that hurdle, you can start adding external threat data for correlation with your internal data sources. Small but concrete gains in collection and use are crucial signs of progress and usually prove whether you're on the right track to achieve your objectives.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Only Ingest What Your Systems Can Digest
It's tempting to grab every new threat intelligence feed and dashboard widget. However, if your team and security operations processes are consumed by taking in large volumes of information instead of acting on what they deliver, you're only magnifying the information-overload problem.

Getting to a better place isn't always about adding more resources. Focus instead on the platforms and other tools you use to share information. What formats do they support? How extensible are they? How can you gain value now and optimize operations with these tools today? Can relevant, contextual information be easily surfaced from the tools? Make sure you don't lose important contextual information in transit. For example, some products export full data directly to a CSV file but only deliver some of the contextual information via their API. Others export into PDFs that you will need to parse in order to use the data in an automated system.

Know Your Intelligence Consumers
You need to cater to your audience. These days, senior executives want security metrics (in return for increased security budgets) almost as often as network defenders want faster analysis of IOAs and IOCs. These are vastly different demands, so as the intelligence decision-maker you need to understand your audience. Who are they and what do they need most?

"Reports or It Didn't Happen"
Know in advance how you will measure success in a threat intelligence program — whether that means a few PowerPoint slides to please top executives or key performance indicators for the team. Otherwise, you risk losing perspective. Milestones that show progress are important ways to measure progress toward your objective.

Start with metrics that show how you're improving visibility into your environment, for example, or decreasing lag time in incident-response workflows. Those numbers are arguably the most important, because successful intelligence programs inform, fundamentally, by dispelling assumptions and uncertainty that traditionally plague security decision-making.

Threat intelligence now accounts for significant budget spend in many security operations centers. It holds significant promise, but it isn't a silver bullet. Good luck on your journey!

Related Content:

 

Vikram Phatak is Chief Executive Officer of NSS Labs, Inc. Vik is one of the information security industry's foremost thought leaders on vulnerability management and threat protection. With over 20 years of experience, he brings unique insight to the cybersecurity problems ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.