Takeaways From the Gartner Threat Intelligence Market Guide

February 19, 2018 • Amanda McKeon

The research and advisory firm Gartner recently took a closer look at security threat intelligence, and published a comprehensive report with its findings. The Gartner “Market Guide for Security Threat Intelligence Products and Services” explains the different use cases for threat intelligence, makes recommendations for how best to implement it in your organization, and provides guidance on evaluating vendors.

In this episode of the Recorded Future podcast we are joined once again by Allan Liska, senior threat intelligence analyst at Recorded Future, to walk through some of the key takeaways from the Gartner report and to see how the report aligns with Allan’s experience.

To learn more, download your complimentary copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I’m Dave Bittner from the CyberWire. Welcome to episode 44 of the Recorded Future podcast. Thanks for joining us.

The research and advisory firm Gartner recently took a closer look at security threat intelligence and published a comprehensive report with their findings, the Gartner “Market Guide for Security Threat Intelligence Products and Services.”

The report explains the different use cases for threat intelligence, makes recommendations for how best to implement it in your organization, and provides guidance on evaluating vendors. In this episode of the Recorded Future podcast, I’m joined once again by Allan Liska, senior threat intelligence analyst at Recorded Future, to discuss some of the key takeaways from the Gartner report and to see how the report aligns with Allan’s experience. Stay with us.

Allan Liska:

I think the report does a good job of providing an overview of what we’re seeing, and what I’m seeing, with a lot of companies trying to implement threat intelligence. But more importantly, I feel like it’s capturing an evolving market. So, going from a static, report-based function to being more integrated into the security process and the business process within organizations. We’ve seen much more of that with threat intelligence, and that’s kind of what I like about the report, is that measure of the evolution of threat intelligence inside of organizations.

Dave Bittner:

Yeah, let’s start off … We’re going to work our way through this report, pull out some of their key findings, and see how that aligns with some of the things that you’re experiencing. But let’s start off with some definitions. This report defines threat intelligence, and also talks about the typical intelligence lifecycle. What’s your take on this? Do you think how they define threat intelligence aligns with what you’re seeing out there?

Allan Liska:

Yeah, yeah. Absolutely. They have a real nice, concise definition that intelligence is evidence-based, and it has to include the context around it. You and I have talked about this before — threat intelligence isn’t a list of indicators. You need to provide the context around it, so their general definition of threat intelligence is nice and succinct. And the fact that they have that intelligence lifecycle, that, to me, is really important because intelligence isn’t meant to be static. As information within the organization updates, your threat intelligence should reflect the updated information. As things change outside of your organization, your threat intelligence should adapt to those changes outside the organization, as well.

Dave Bittner:

It was also interesting to me that that lifecycle includes a feedback loop.

Allan Liska:

Yeah, absolutely. I think this is really important because there are certain … What I see is, two feedback loops working with a lot of different companies, or organizations, that have threat intelligence. There is, of course, the internal feedback loop, and that is your organization. Your team produces threat intelligence for the organization, whether that’s sending indicators to a SIEM, or providing reports to senior management or the board. And you get feedback from those customers, but most organizations aren’t large enough to do all of the collecting themselves, so they rely on third-party organizations.

They have other vendors coming in to deliver threat intelligence, and if your team is to be as effective as possible, that team needs to be able to provide feedback to those organizations as well, so that sort of makes it a two-way feedback loop. You get feedback from your customers, but you, as a customer, also provide feedback to your vendor to make sure that they’re providing the type of tailored threat intelligence that you need to be successful.

Dave Bittner:

One of the things that the report points out is that the content that comes from threat intelligence providers comes in two basic flavors, as they put it. It’s that which is geared at machines processing it, which they call machine-readable, and the analysis that’s geared more at people. Can you sort of contrast those two?

Allan Liska:

Absolutely. I see more of a blending of that as we move forward as an industry. Machine processing, let’s say, five years ago … My SIEM could take in a list of IPs, a list of domains, and I could correlate that against my logs. That’s useful, but that’s also really prone to false positives. And when you get a false positive, you don’t know why it’s a potential false positive, so that leads you to not trust a source.

What we’re seeing is, machine learning has evolved. It can ingest better structured data so that context can be provided. That context can be provided as part of the machine-learning format, so if you get an IP address, you ingest that into your SIEM, you ingest that into your TIP, you can now not only have that indicator, but have the contextual information around that indicator to say, “Oh. Well, this is the source where that originated from. Yeah, we don’t trust that source.” So I can deprecate that, on my side.

Even though my threat intelligence provider thinks that this is a high-risk IP address, I actually don’t think it’s a high-risk IP address, so having that additional context allows you to take your own mitigation steps, which I think is really powerful. But then, there’s still the human side. Sometimes when you talk about the human side, you want, almost, a second or third opinion on a particular topic. So, we’re seeing a rise in this type of activity. For example, we’re seeing more cryptominers in our environment. Is that just us, or is that something that’s happening industry wide, or generally?

That’s where you can go back and say — to your partners and your threat intelligence partners — say, “Can you tell me more about this particular threat?” And they can provide that information to you, so that is still not information that’s easily ingested into a machine, but it’s information that enhances the knowledge of your threat intelligence organization, your internal team, so that you can provide more and better information to your customers.

Dave Bittner:

One of the things that the report looks at is the direction that the market seems to be taking. Threat intelligence, at the outset, was something that governments and financial services organizations were primarily interested in. Those were the big customers when this line began, but more and more organizations are finding it useful.

Allan Liska:

Yeah, absolutely. It used to be, your two customers were financial institutions and government agencies, but now, everybody recognizes the value of threat intelligence, so not only are you expanding threat intelligence to different markets, but you’re also expanding your customers for threat intelligence inside of organizations. It used to be that you had to have a team of threat intelligence analysts, but now, security teams want it, vulnerability teams want it.

We even see a lot of perimeter security or physical security teams that are interested in threat intelligence. Incident response teams want threat intelligence. So, not only are the verticals growing, but inside of organizations, there is more demand for threat intelligence from a wide variety of different teams inside the organization.

Dave Bittner:

What about open standards? This report says that open standards are now viable, and that it’s something that, perhaps, you should be looking for from your providers.

Allan Liska:

I’m a big proponent of open standards. I’m going to hold off on my judgment as to “viable.”

Dave Bittner:

Really?

Allan Liska:

Open standards are important, and I think we have a good base, especially with things like STIX/TAXII, CybOX, etc. I think we have a good base for delivering threat intelligence using these open standards, and we should be delivering threat intelligence using these open standards. They’re still not implemented in the way that they should be, so that they’re completely standardized across all platforms. You and I have talked about this before. I’m really old, and I remember back in the day when TCP — another open standard — when we had to make changes on our Sun workstations in order to get them to successfully talk to a Cisco switch, because even though they were both speaking TCP, they weren’t really speaking the same TCP.

We’re kind of at that point with threat intelligence where STIX/TAXII should be identical across all platforms, but I’ve seen time and time again where different vendors’ implementations of STIX/TAXII means that it’s not quite as seamless as it should be, for a variety of reasons. So, there’s a lot of work that still needs to be done there. That doesn’t mean we should abandon it. It means we should continue to work on it, and you should absolutely continue to pressure your vendors to make sure that they’re delivering truly compliant open standards. Again, whether that’s CybOX, whether that’s STIX/TAXII, YARA, etc., they need to be truly compliant with that.

Dave Bittner:

The report also pointed out that end users are creating sharing capabilities for threat intelligence, and that they basically fall into three categories: the public, organizational and industry led, and private, invitation-only sharing systems.

Allan Liska:

That’s always been the case, informally, where … and I’ve seen this time and time again. A guy at Bank of America has a buddy over at Citi, and he finds something interesting, so he shares it with his buddy — those types of informal exchanges have always happened. You have to remember, this is a relatively small industry, so there are a lot of people that know each other, whether it’s from conferences, whether it’s working together in the past, whether it’s from their military background — so there is a lot of intercommunication. There are a ton of private mailing lists, Slack channels, other things where security people have shared information.

Most security people want to share information. They want to keep as many people protected as possible. What we’re seeing more of is formalized sharing, especially with things like the TLP — the Traffic Light Protocol — where threat intelligence comes out and you can mark it red, orange, yellow, green. It makes it easier to know what you can share and not share so that you’re not getting anybody in trouble for sharing anything that’s too private. I like that we’re formalizing the sharing process and creating these more formal groups, like the ISACs, that make it easier and more effective for people to share information in a timely fashion.

Dave Bittner:

One of the things the report points out is how threat intelligence is integrating with what they describe as adjacent capabilities. Basically, it strikes me that this has a lot to do with that boardroom level bit of interaction where the CISO needs to justify resources, or even just explaining things to company executives, that threat intelligence provides them with some of the tools, or, for lack of a better word, the ammo that they need to answer some of those high-level questions that they get.

Allan Liska:

Oh, yeah. Absolutely. I’ll give you a prime example of this. I was working with a customer that was involved in the acquisition of another company. There were a lot of concerns around HIPAA issues, and so on, so we were doing an audit for them. We found a piece of malware that was sitting on a server that contained PHI — Personal Healthcare Information. That could have been really bad, and it could have torpedoed the entire merger process, because they may have been opening themselves up to a really large lawsuit had they continued with the acquisition.

Well, it turns out the malware that we found was used to send spam, and the group that it was associated with wasn’t known to do anything other than that. So, this piece of malware, we could assess with a high-level of confidence, was only used as a spam relay. Now, it’s not good that they were allowing spam relay malware to enter their network, but that’s a lot better than, “You’ve been leaking PHI data for the last six months.”

Dave Bittner:

Right, it’s not necessarily a deal killer.

Allan Liska:

Right, exactly. That has a real impact, and that report went along to their senior management, as they were trying to decide whether to continue along with the merger. So, that’s sort of an extreme example of it, but we see this more and more, where threat intelligence is brought into that decision-making process. Another example we see quite often is with vulnerability teams. A vulnerability team will identify a particular threat, but they don’t have any control over the patching, so they’ll reach out to the teams that need to do the patching, and if they can include threat intelligence information about why they prioritized it the way they did, things tend to get patched a lot more effectively.

For example, there’s a new Flash exploit. You send that out. “Hey, we need to patch Flash,” and your desktop team comes back and says, “Yeah, yeah, yeah. There’s a new Flash exploit every week.” But if they can go back and say, “There’s a new Flash exploit, and we’ve seen it loaded into these three exploit kits in the underground,” then people take notice, like, “Okay, yes. That is a high-priority patch that needs to be applied immediately.”

Dave Bittner:

The Gartner report makes some recommendations as they go through some of the threat intelligence use cases, and one of them that struck me was, they were saying that some organizations start by getting a service first, and then, they try to get that investment to fit the use cases later. They recommended, instead, to come at it from the other direction — decide what you want from your threat intelligence in the first place, what is the end that you have in mind. And they highlighted some issues here, whether your approach to threat intelligence was tactical, strategic, technical, or business. I was wondering what your insights were into those ideas.

Allan Liska:

I completely agree with that. It’s a mistake that a lot of customers make, because they hear they need to have threat intelligence. They may even … Your security team may even hear from the board, “We need to bring in threat intelligence.” But they don’t know what they want to do with threat intelligence yet. So, if your job is to buy threat intelligence, but then you don’t know what you’re going to do with the threat intelligence, that doesn’t really help anybody. Having threat intelligence incorporated into your security plan and into your business plan is much more effective, because then, that helps you develop requirements that you need in order to find the best partner, or partners, for you.

So, are you going to integrate it into your security platforms? Is there going to be a team of analysts who are going to look at the data that’s coming in? Who needs the information that you’re presenting, or that you’re receiving, from your threat intelligence provider? Is it only the security team? Is it the security team and the board? Is it the security team and other teams within the organization? You have to understand your processes and your needs before you can find the right partner, because without that, you may wind up with somebody simply based on price, or because they have a really pretty logo, or whatever your decision-making process is — they golf with the CEO, rather than the solution that’s going to best fit your needs.

Dave Bittner:

To that point, is it fair to say, at this point in the industry, that different providers of threat intelligence have different specialties? That they’re better suited to certain organizations than others?

Allan Liska:

Absolutely. There are vendors that have very specific focuses. There are vendors that specialize in ICS — industrial control systems. If that’s your major concern, then those are vendors you should be talking to. There are vendors that specialize in providing reporting. If you’re going to be largely an analyst organization, and not interested in the technical integration, then you may want the reporting. You may want that second set of eyes who can work with your smaller analyst team to get you the reports you need, find out the information you need, etc.

Then, there are vendors that specialize in the technical indicators, and feeding those into the platforms that you care about in your organization. Or vendors that specialize in that plus orchestration, so that you can automate a lot of the level-one tasking of your SOC analysts, so that those SOC analysts can be freed up to do other types of work. Again, knowing your needs helps you better identify a vendor, and there are vendors that specialize in a lot of different areas.

Dave Bittner:

Yeah. They pointed out the importance of vulnerability prioritization, as they put it. For example, if you are an industrial control system organization, it might not make sense for you to invest in information about banking Trojans.

Allan Liska:

There’s always going to be some crossover, so even the most hyper-focused groups of bad guys don’t focus entirely on one industry. I hesitate to recommend specializing too much in your threat intelligence provider, but you are correct. There are certain things where, if you have a need, there are just companies that provide that service better than everybody else. If you have a limited budget, which most security organizations do, and that is what you most need to protect … So, for example, if you’re a water plant, if you are a power plant, that’s where I need that industrial control system. I don’t need to know about every rack that’s out there, and I don’t need to know about every banking Trojan or POS malware.

That stuff is interesting, but it’s not going to help me do my job better. More broadly, it would be nice to have that ICS information, and then also, “Here are the bad IPs and domains,” and things like that that are out there, because you still have to worry about those other kinds of attacks, as well. You may not be infected with POS malware, but that doesn’t mean that that same exploit kit isn’t going to hit somebody within your organization.

Dave Bittner:

Yeah, this Gartner report makes some recommendations for … They call it three things to do well to get value from threat intelligence, and they break it down into these three categories. They say acquire, aggregate, and action — the three As. Can you take us through your take on those three categories?

Allan Liska:

Sure. As far as the “acquire” goes, where are you getting the data from, or where is your provider getting the data from? Is it open source? Is it closed source? Is it community-type threat intelligence, potentially industry-delivered threat intelligence, or is it a combination of those? So, you want a provider that is providing you as much information as you can get, and that complements other sources that you may have. Every organization has access to some level of sources, whether that’s an industry group, whether that’s open-source stuff. You have some level of access.

What you want is a threat intelligence provider that can provide you with the other types of services that you don’t have easy access to, and that you can build upon. Then, as far as aggregating goes, you want to bring your threat intelligence into a platform that makes sense for your organization. Nobody wants to have five more browser windows open, or tabs open on their browser. What you want is, you want your threat intelligence where your team works most often. So, for a lot of people, that’s a SIEM. For more and more companies, it’s a threat intelligence platform — a TIP — but there are other sources. Maybe an analyst notebook, maybe a ticketing system. So, wherever your team spends their time, that’s where you want your threat intelligence.

Ideally, you want all of your threat intelligence in one place, because that allows you to then move it to where it needs to be in your organization from that one primary platform. Then, you want the threat intelligence to be actionable. You want it to either predict events, or you want it to be able to detect and help you respond to events. And whenever possible, prevent an event from happening in the first place. If you can keep a bad thing out of your network because of threat intelligence, that’s the best solution of all.

Dave Bittner:

I found an interesting point they made on the “acquire” side. It was that, you want to check that if you’re getting threat intelligence from multiple vendors, you’re not necessarily spending money if both of those vendors are getting their stuff from the same place.

Allan Liska:

There are only so many IPs, domains, and file hashes on the internet, and while the contextual data is interesting, most of the customers that I work with are still heavily reliant on indicator types. So, if you’re seeing a lot of overlap from your providers on those indicator types, it may be time to look at them and say, “Well, am I really getting value by having both vendors? What’s in the Venn diagram of threat intelligence? Who’s providing me with unique indicator types, and how valuable are the unique indicator types that they are providing to me, to my organization?” So, if they’re providing just thousands and thousands of unique indicators, but none of those indicators are actionable within your organization, maybe that’s not a good fit for your team.

Dave Bittner:

What do you consider to be the first step? If I’m someone looking to add threat intelligence to my security posture, what’s the first thing I need to do?

Allan Liska:

The first thing you need to do is know what your capabilities inside your organization are. I always tell people, “Know what you have first, and know what threat intelligence you may already have.” So, many security vendors today offer some level of threat intelligence. Make sure you don’t already have access to some of that, and that’ll kind of give you a start. Then, once you know what you have, know what you need. So, that’s understanding your process, understanding the process of the teams that you work with — whether that is the security team, the vulnerability team, the senior management — understand what they need, because that allows you to ask the right questions of a potential threat intelligence partner.

If you know that what you need is more vulnerability information, make sure that they have that, and make sure they have it in a way that you can consume it in your organization. If what your problem is, is that you’re just overloaded with alerts in your SIEM, make sure that not only does your threat intelligence provider give you indicators that you can correlate in your SIEM, but make sure they provide you the context and the customization that allows you to say, “Okay, these are the indicators that we care about. We know these are low false positives, so that’ll help us prioritize how we respond to incidents.” That kind of thing. If your board is really concerned about geopolitical activity, make sure your threat intelligence provider can share that type of information with you. So, when you know what your needs are, you can better pick a good match for a vendor.

Dave Bittner:

Our thanks to Allan Liska for once again joining us. You can download the Gartner “Market Guide for Security Threat Intelligence Products and Services” at go.recordedfuture.com/gartner-market-guide. We’ve got a link in the show notes as well.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.