Threat intelligence: A blessing and a curse?
Access to timely and accurate threat intelligence is now core to security operations for many organizations. Today, it seems that security teams are blessed with an abundance of data and intelligence feeds to choose from. However, selecting the right information from a myriad of sources and transforming it into action is, for many, a formidable challenge, and for some probably a curse.
It requires a careful balance between collecting enough information to be comprehensive, while at the same time, focusing on what’s specifically relevant to your own organization’s environment and infrastructure. Too much, or superfluous data, will overload security analysts as they waste time sifting through vast amounts of unnecessary information. Too little, on the other hand, could have dire consequences if something vital is missing. Add to this the significant time and expertise that goes into consolidating all the disparate data sources into a standardized, actionable format, and the whole process places an immense strain on security departments and resources.
It’s an area crying out for automation, and this is where today’s modern threat intelligence platforms (TIPs) are aiming to fit in. They promise to deliver a level of sophistication and speed that will virtually eliminate manual assimilation of data, freeing up security analysts to focus on improving defenses and working with their partner organizations.
Aside from much-needed data crunching, automation could also bring other advantages in the fight against threat actors by enabling easier and faster sharing of intelligence, both internally and externally.
Data crunching drudgery
To start off, data assimilation and enablement bring welcome time savings, as automated platforms can process vast amounts of data in minutes and hours, much more quickly and accurately than employees doing it manually.
Typically, security teams gather large amounts of threat intelligence from multiple places in different and incompatible formats. Correlating such huge amounts of disparate information is laborious work for analysts and mistakes can be made, especially when under pressure to meet remediation timelines.
Automation takes the drudgery out of importing data from an extensive range of sources, including internal logs, open-source feeds, and threat intelligence feeds. Whether it’s structured or unstructured, a threat intelligence platform (TIP) normalizes the data, enriches it with additional context, then correlates and converts it into a standard format.
Aside from saving time and avoiding errors, standardization brings another benefit: the normalized data can be integrated easily into the existing, enterprise-wide security infrastructure and tooling.
Enterprise-wide intelligence sharing
With automation, intelligence can be shared efficiently across an entire organization, removing silos, and enabling access to the most up-to-date data. This helps turn unrelated pieces of threat data and knowledge, scattered across departments and locations, into actionable insights. Also, these joined-up threat intelligence capabilities can be scaled quickly, whether to meet growth, or encompass mergers and acquisitions, or address new vulnerabilities and forms of cyberattack.
In the past, a lack of access to security information has often stymied the collective understanding of threats, to the detriment of overall security. By enabling collaboration, individuals can put their heads together to devise and share the most effective defensive measures.
Concentrating on the right priorities
Having assimilated relevant data from internal and external sources, a TIP enables security teams to assess the severity and relevance of threats according to their own internal predefined criteria.
Instead of being distracted by redundant and irrelevant IOCs, security analysts can focus on the most critical and urgent remediation. Automation does the hard work, processing and prioritizing data, leaving security teams to set out the parameters according to their organization’s security posture, compliance obligations, and internal governance standards.
It brings consistency to the process, quickly distinguishing what’s important, thus shortening the time to detect and respond to dangerous threats, highlighting where security practices should be improved, and where additional resources should be allocated to help security budgeting and planning.
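The normalization, enrichment and prioritization steps described above are the kind of work a TIP automates. The following is an added example, not code from the article or any TIP vendor: it ingests three constructed feeds in incompatible formats (a simplified JSON feed, a CSV feed and a plain-text blocklist), merges duplicates into one canonical record, enriches each indicator with whether it was seen in constructed internal proxy logs, and then ranks indicators against organization-defined criteria. The feed layouts, the field names, the scoring weights and the sample indicators are all assumptions made for the example.

```python
"""Added example (not from the article): a minimal threat-intelligence
normalisation and prioritisation pipeline of the kind a TIP automates.
All feeds, indicators, log lines and scoring weights below are constructed
sample data; the feed formats are simplified, not any vendor's schema."""
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field

# --- constructed sample feeds in three incompatible formats -----------------
FEED_JSON = json.dumps([  # hypothetical JSON feed (STIX-like, simplified)
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 80,
     "sectors": ["finance"], "tags": ["c2"]},
    {"type": "domain", "value": "Update-Check.example", "confidence": 60,
     "sectors": ["retail"], "tags": ["phishing"]},
])
FEED_CSV = """indicator,kind,score,industry
203.0.113.10,ip,85,finance
198.51.100.7,ip,40,healthcare
"""
FEED_TXT = """# hypothetical plain-text blocklist, one indicator per line
update-check.example
malware-drop.example
"""
INTERNAL_LOGS = [  # constructed proxy log lines from the organisation's own infrastructure
    "2024-01-01T10:00:00Z proxy allow 10.0.0.5 -> update-check.example:443",
    "2024-01-01T10:05:00Z proxy allow 10.0.0.9 -> cdn.example:443",
]

@dataclass
class Indicator:
    """Common record every feed is normalised into."""
    kind: str                      # "ipv4" or "domain"
    value: str                     # canonical form (lower-case, no trailing dot)
    confidence: int = 0            # 0-100, highest value reported by any feed
    sectors: set = field(default_factory=set)   # industries the feeds associate it with
    sources: set = field(default_factory=set)   # feeds that reported it (corroboration)
    seen_internally: bool = False  # enrichment: observed in our own logs

def classify(raw: str):
    """Return (kind, canonical value); anything that is not an IP is treated as a domain."""
    raw = raw.strip()
    try:
        return "ipv4", str(ipaddress.ip_address(raw))
    except ValueError:
        return "domain", raw.lower().rstrip(".")

def parse_feeds(feed_json, feed_csv, feed_txt):
    """Normalise three feed formats and merge duplicates by (kind, value)."""
    merged = {}

    def add(raw, source, confidence=50, sectors=()):  # unscored feeds contribute 50
        kind, value = classify(raw)
        ind = merged.setdefault((kind, value), Indicator(kind, value))
        ind.confidence = max(ind.confidence, confidence)
        ind.sectors.update(sectors)
        ind.sources.add(source)

    for item in json.loads(feed_json):
        add(item["value"], "json-feed", item["confidence"], item.get("sectors", []))
    for row in csv.DictReader(io.StringIO(feed_csv)):
        add(row["indicator"], "csv-feed", int(row["score"]), [row["industry"]])
    for line in feed_txt.splitlines():
        if line and not line.startswith("#"):
            add(line, "txt-blocklist")
    return list(merged.values())

def enrich(indicators, internal_log_lines):
    """Mark indicators that also appear as hosts in the organisation's own logs."""
    observed = set()
    for line in internal_log_lines:
        for token in line.split():
            host = token.rsplit(":", 1)[0]       # drop a trailing ":port"
            observed.add(classify(host)[1])
    for ind in indicators:
        ind.seen_internally = ind.value in observed
    return indicators

def priority(ind, org_sectors):
    """Organisation-defined score (weights are assumptions): feed confidence,
    plus sector relevance, corroboration by extra feeds, and internal sightings."""
    score = ind.confidence
    if ind.sectors & org_sectors:
        score += 20
    score += 10 * (len(ind.sources) - 1)
    if ind.seen_internally:
        score += 50
    return score

def prioritise(indicators, org_sectors, min_score=60):
    """Return (value, score) pairs at or above the threshold, most urgent first."""
    scored = [(i.value, priority(i, org_sectors)) for i in indicators]
    return sorted([s for s in scored if s[1] >= min_score], key=lambda s: (-s[1], s[0]))

if __name__ == "__main__":
    inds = enrich(parse_feeds(FEED_JSON, FEED_CSV, FEED_TXT), INTERNAL_LOGS)
    for value, score in prioritise(inds, {"finance"}):
        print(f"{score:4d}  {value}")
```

Run as-is, the phishing domain outranks the higher-confidence C2 address because it was actually seen leaving the organisation's own network, and the two low-confidence, uncorroborated indicators fall below the threshold. That is the point of letting the organisation set the criteria: the same feeds produce a different queue for a healthcare organisation than for a bank.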
Extending collaboration externally
Beyond number crunching and prioritization of threats, a modern TIP has another trick up its sleeve to help in the battle against threat actors: it facilitates the bi-directional exchange of intelligence. Vital threat intelligence and remediation can be quickly shared with government agencies, security communities, and industry associations, giving cybercriminals less of a window to proliferate attacks.
With threat actors collaborating more than ever before through cybercrime forums on the dark web and offerings such as ransomware-as-a-service, the likelihood is that the scale and sophistication of cyberattacks will continue to grow. The Five Families group is just one example of another new development involving hacking gangs pooling their knowledge to form a syndicate to orchestrate larger-scale cybercrime campaigns. But if sharing intelligence via TIPs becomes best practice for all organizations, malicious actors like these will find it increasingly hard to exploit new victims.
Moving to a threat-driven enterprise
Cybersecurity is a global challenge. Critical threat intelligence shouldn’t be imprisoned within organizations, leaving bad actors at liberty to carry out further attacks using similar tactics. The take-up of TIPs, with bi-directional feedback, would support the positive trend towards a more dynamic and collaborative approach to countering criminal activity, enhancing the ability of every security team to pre-emptively counteract cyber threats before they cause damage.
TIPs have the capability to provide intelligence that is highly relevant to an organization’s specific industry, threat landscape, and operational context, enabling precise threat detection and response. And when everyone is prepared to take the next step forward and share lessons learned with like-minded communities, the collective defenses of all those participating will be strengthened.