5 Doubts You Should Clarify About Threat Intelligence
December 21, 2016 • RFSID
Threat intelligence can be one of the most valuable tools in your information security toolbox, especially when it comes to providing visibility into potential attackers’ strategies and tactics.
That includes understanding local exploits and vulnerabilities, network traffic patterns, the latest malware, and the latest delivery mechanism.
The benefit of consuming this data? You can spot malicious activity on your network that matches attackers’ profiles, and respond more quickly and more effectively.
This data is indeed useful; SANS argues: “With sound threat intelligence data, security teams can more readily look for indicators and patterns of malicious activity, and thus respond more rapidly. Over time, this will naturally lead to fewer incidents or more consistent approaches to incident detection and analysis in enterprise environments.”
But when is too much data too much data?
When it comes to threat intelligence, some feel overwhelmed. Don’t be.
The goal for any cyber security program should be to reduce the risk that could impact business profitability. To make the most informed decisions possible, organizations should gather and use as much threat and risk data as possible.
The good news is that there’s a lot of cyber threat intelligence available.
The bad news is that organizations can have doubts about threat intelligence, covering not only the sheer volume of information available from intelligence sources, but also that information’s applicability to their own risk management and cyber security programs.
We’ve identified and addressed five of the biggest doubts organizations might have about subscribing to — and embracing — top-quality threat intelligence resources. Let’s take a look.
Threat Intelligence Doubts
1. Only huge enterprises need threat intelligence services; our smaller company can’t build a business case for it.
“Threat data is already widely available via no-fee public sources — why would I pay for a commercial threat intelligence service?”
“We don’t have the team, processes, and tools to get the most out of our threat intelligence, so I can’t justify buying what we’ve bought.”
Organizations of every size can benefit from threat intelligence, but some minimal resources should be expended for it to be effective.
In a study, SANS suggests that the expectation is someone on the team will be dedicated to maintaining and ensuring the proper use of threat intelligence information, including feeds, services, and platforms. Of course, in many organizations, the heavy lifting will be done by managed security service providers (MSSPs), or by packaged threat intelligence offered by some advanced vendors.
In other words: A lack of dedicated resources to leverage that information is not an impediment to gaining value from threat information.
2. The threat intelligence data sources are too narrowly focused, and are only useful for security departments.
“The threat intelligence vendor has limited insight because their information sources are too limited.”
There are multiple types of threat intelligence sources, and while some are very focused on servicing information security professionals, others provide much broader, and more useful, guidance that can be used across the whole IT organization.
For example, the department that manages email needs to be informed about the latest in ransomware and spearphishing. Network administrators need to know about real threats to the enterprise infrastructure.
Ultimately, threat intelligence should be tied into business goals to be effective.
At Recorded Future, we consistently advise our customers that “true threat intelligence is about improving business decisions, so build your framework around that objective. Doing so will make it challenging for stakeholders to question which threat intelligence tools you’re investing in.”
3. The lack of standards for receiving and consuming threat intelligence feeds makes it difficult to plug this information into our existing processes and tools.
“It’s difficult to get a complete picture across threat intelligence providers.”
“Context is sometimes missing from threat intelligence feeds. The clues are there but humans have to do the heavy lifting, and we don’t have the resources.”
Vendor standards for threat intelligence services, sources, and platforms definitely remain a challenge. Organizations contributing their incident data to many such services fail to provide all the information other IT professionals need to understand and act on the reported threat.
That said, this is a problem that seems to be going away, as many intelligence providers have done significant work in making threat intelligence machine-readable and risk-scored — thereby giving users confidence in the data, and enabling more efficient use of that data.
On top of that, some threat intelligence vendors can plug their data into your current processes so you get more value from your existing security investments.
4. We’ve heard of, or experienced problems with, automating the ingestion and correlation of the data across multiple threat intelligence sources.
“Isn’t this just going to create a lot more work for me? Now I have all these threat intelligence alerts to review! I don’t have time for that!”
“We can’t afford to hire more people to process, review, and act on this threat intelligence data.”
We won’t pretend that utilization of threat intelligence data will be effortless.
It’ll take time, and people, to use and manage the various information sources, and then distribute the information across the organization. (This might be done with staff or, as mentioned above, done on your behalf by MSSPs.)
The real question is: Is it worth the investment?
We believe so, and so do many information security professionals.
In a recent study of information security professionals, 69% of respondents report implementing threat intelligence to some extent. The commitment to working with this intelligence is clear, with 64% reporting they have a dedicated team, person, or services organization assigned to implement and monitor threat intelligence.
5. We’re concerned about problems taking action based on threat intelligence data because there’s too much of it, and it’s often too complex.
“There are real workflow and integration problems — automation of threat intelligence is difficult.”
“The threat intelligence data is interesting, but it’s not actionable.”
Threat intelligence information is actionable — if you choose to use it in an effective way. For example, use threat intelligence to help drive investigations and responses — including analyzing log data to see things that might have been missed in the past.
Turning Threat Intelligence Data Into Information Security Action
Threat intelligence data offers the possibility to make your information security organization far more effective in handling vulnerabilities, whether preparing for an attack, during an attack, or after an attack. What you need is the capacity within your organization to consume this data, correlate it with your own security incidents, remove the noise, and connect the dots.
This will take time and resources — but organizations of all sizes can do this themselves, with a minimal investment, or using the services of a managed security provider if that fits better within the organization.
Threat intelligence is effective as part of a security posture, as a way of adding to your existing security measures. Consider it an additional (but essential) tool in your toolbox, not a replacement for any of your team’s existing tools, policies, and practices.
Ultimately, we believe that the use of threat intelligence is definitely worth the effort — by an order of magnitude, in fact.
For example, an independent lab test recently discovered that one security operations center (SOC) analyst, in a controlled environment, experienced a 10x gain in productivity after Recorded Future real-time threat intelligence was integrated with a SIEM.
So, is threat intelligence right for you?
Ask your cyber security team … ask your peers, ask your analysts.
You might get different answers, but expect to hear a similar theme: better decisions and actions are possible when they’re informed and data-driven.