How to apply threat intelligence feeds to remediate threats
IT organizations are recognizing the value of threat intelligence feeds, and that’s good. Threat intelligence is a must-have for identifying malware and other threats that evade preventive security controls. But threat intelligence is only as good as how you apply it – and many organizations aren’t applying it in a way that enables them to get the full value.
The increasing number of threat intelligence companies is indicative of a growing market and proof that companies want threat intelligence. In a survey conducted by SANS, 75% of respondents said they find cyber threat intelligence important to security. Sixty-nine percent of respondents reported implementing threat intelligence in their IT environment.
The question, then, is what these organizations are doing with it. Standalone threat intelligence providers deliver good information, but they don’t apply it to their customers’ environments. Threat intelligence platforms allow IT organizations to aggregate feeds and come up with a single source of data – but they don’t apply it, either. That leaves the task to the IT organizations that purchase them.
There are two common ways that IT organizations apply threat intelligence. The first is by entering it into a SIEM. This was the approach taken by 55% of the SANS survey respondents.
Unfortunately, feeding threat intelligence into a SIEM doesn’t tell you what’s happening on the network right now. These organizations are looking at activity that took place in the past and potentially missing infection indicators that weren’t relevant then but are relevant now. Furthermore, SIEMs struggle to do event correlation. You may have to wait 24 hours to see a correlation between events.
The other common way to leverage threat intelligence is by feeding it into an intrusion detection or prevention system. This is the approach taken by 54% of the SANS survey respondents. This method provides real-time analysis but results in a deluge of alerts. Security teams must spend two to three hours analyzing each alert to determine whether it is a legitimate threat. According to a study from Ponemon Institute, 19% of all alerts are reliable and security teams only look at 4%.
Clearly, there’s a real need to have a way to apply threat intelligence without it just generating alerts. All the threat intelligence in the world isn’t useful unless you can apply it specifically to what’s happening in your environment in real time and profile the activity over time to give the threat intelligence context, meaning and applicability.
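As an added illustration of that point (example code written for this article, not from any vendor or the SANS/Ponemon studies), the snippet below matches a feed against a stream of events in real time but folds the hits into a per-host profile with first-seen, last-seen, hit count and indicator types, so that only hosts showing persistent or multi-indicator activity are escalated rather than every matching event becoming an alert. The feed values and events are constructed placeholders, and the thresholds are assumptions a team would tune for its own environment.

```python
"""Apply an indicator feed to an event stream and profile hits per host over time."""
from dataclasses import dataclass, field

# Constructed indicator feed: placeholder values, not real indicators.
FEED = {
    "203.0.113.45": "c2-server",            # documentation address range
    "malicious.example": "phishing-domain",  # reserved example domain
}

# Constructed DNS/proxy events: (unix_timestamp, source_host, destination).
EVENTS = [
    (1700000000, "ws-017", "203.0.113.45"),
    (1700000030, "ws-017", "203.0.113.45"),
    (1700000090, "ws-017", "malicious.example"),
    (1700001200, "ws-017", "203.0.113.45"),
    (1700000300, "srv-db1", "198.51.100.7"),   # no indicator hit
    (1700000500, "ws-042", "malicious.example"),
]

@dataclass
class HostProfile:
    first_seen: int
    last_seen: int
    hits: int = 0
    indicators: set = field(default_factory=set)

def profile_hits(feed, events):
    """Match each event against the feed and accumulate one profile per host."""
    profiles = {}
    for ts, host, dst in events:
        tag = feed.get(dst)
        if tag is None:
            continue                      # not in the feed: no work, no alert
        p = profiles.get(host)
        if p is None:
            p = profiles[host] = HostProfile(first_seen=ts, last_seen=ts)
        p.first_seen = min(p.first_seen, ts)
        p.last_seen = max(p.last_seen, ts)
        p.hits += 1
        p.indicators.add(tag)
    return profiles

def prioritize(profiles, min_hits=2, min_span=600):
    """Escalate hosts with repeated contact over at least min_span seconds
    (persistence, e.g. beaconing) or hits on more than one indicator type.
    Thresholds are assumed defaults, not values from the article."""
    escalated = []
    for host, p in profiles.items():
        persistent = p.hits >= min_hits and (p.last_seen - p.first_seen) >= min_span
        multi_type = len(p.indicators) > 1
        if persistent or multi_type:
            escalated.append(host)
    return sorted(escalated)
```

Six events produce five raw matches but a single escalated host; ws-042 stays in the profile for later correlation without generating an alert.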
According to Forrester Analyst Rick Holland, “You may invest in external threat intelligence providers, but you will still need analysts to assimilate this third-party intelligence, fuse it with your own internally derived intelligence, and enrich it with unique knowledge of your business and its operations.”
Having knowledge of threat activity is only useful if you apply it to your environment in a manner that allows you to act on it – and actually remediate real threats. As you subscribe to threat intelligence feeds, be sure to consider how you’ll put the information to use within your current resource constraints.