The Threat Intelligence Tightrope
By Chris Pace on July 19, 2017
As with every aspect of information security, our challenge is one of balance. For example, when implementing security technology you will often need to balance control against usability, so that security does not undermine the effectiveness of your organization.
In the case of how to access and apply threat intelligence, your two key concerns will be time and context. Here’s why these factors matter:
Time — New vulnerabilities, exploits, and malware emerge each day. Your aim is to know about these new threats to proactively defend your organization.
Context — The threats described above are numerous and ever changing; just gathering more data without relevant context will only serve to make the job of security harder.
Greater Understanding, Faster Decisions
Time to discovery of a security incident was examined in some detail in the recently published 2017 Verizon Data Breach Report, which highlighted that rapid discovery of an attack will substantially reduce the risk of an eventual data breach.
In the report, they use the example of outbound traffic back to a command-and-control (C2) server. In this particular scenario, threat intelligence is used to provide evidence that the C2 infrastructure in question is malicious, which must be confirmed before action can be taken to block it.
If you currently have no access to threat intelligence, you’ll be entirely reliant on your security solutions to identify this threat and protect your organization. By contrast, if you rely on a list of threat data, you may be able to make a fast decision if the IP address or domain appears, but you’ll have no context. Under these circumstances, you can’t know if you’re looking at a false positive, or old, inaccurate data.
It’s at this point in the process that time becomes a factor. To find the context you need, you have to explore the available sources for relevant and timely references that confirm the infrastructure as malicious. Throughout this process, you’ll be grappling with multiple tools and numerous sources, and encountering varying terminology in different languages. Unsurprisingly, this can prove highly time consuming, and the longer it takes, the wider your window of risk grows.
“Alert fatigue” is also a factor here, as security operations staff are forced to deal with a constantly increasing mountain of alerts. A survey from the Cloud Security Alliance highlighted that 40 percent of analysts don’t have the intelligence necessary to investigate alerts, and more than a third regularly ignore alerts due to the number of false positives.
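To make the C2 scenario above concrete, here is an added example (not from this post or any Recorded Future tooling) that triages the same outbound-connection events twice: once against a bare indicator list, and once against the same indicators enriched with recency and source-count context. The events, addresses, dates, thresholds and decision rules are all constructed assumptions for illustration.

```python
# Added example: bare indicator-list match versus context-aware triage.
# All events, addresses (RFC 5737 documentation ranges), dates and
# thresholds below are constructed for illustration.
from datetime import date

# Constructed SIEM-style outbound connection events.
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "port": 443},
    {"src": "10.0.0.8", "dst": "198.51.100.7", "port": 8080},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "port": 53},
]

# A bare list of threat data: a hit tells you nothing beyond "it's on the list".
BARE_LIST = {"203.0.113.10", "198.51.100.7"}

# The same indicators with context: when they were reported and by how many sources.
ENRICHED = {
    "203.0.113.10": {"last_seen": date(2017, 7, 18), "sources": 4, "label": "C2"},
    "198.51.100.7": {"last_seen": date(2015, 3, 9), "sources": 1, "label": "C2"},
}

TODAY = date(2017, 7, 19)  # constructed reference date for the age calculation


def bare_hits(events):
    """Bare-list matching: every hit looks identical, stale or not."""
    return [e["dst"] for e in events if e["dst"] in BARE_LIST]


def triage(events, today, stale_days=90, min_sources=2):
    """Context-aware triage: returns (dst, verdict, age_days, source_count)."""
    decisions = []
    for e in events:
        ctx = ENRICHED.get(e["dst"])
        if ctx is None:
            continue  # not an indicator hit at all
        age = (today - ctx["last_seen"]).days
        if age > stale_days:
            verdict = "review"        # old data: likely inaccurate, do not auto-block
        elif ctx["sources"] >= min_sources:
            verdict = "block"         # recent and independently corroborated
        else:
            verdict = "investigate"   # recent but single-source: needs analyst time
        decisions.append((e["dst"], verdict, age, ctx["sources"]))
    return decisions


if __name__ == "__main__":
    print("bare list hits:", bare_hits(EVENTS))
    for row in triage(EVENTS, TODAY):
        print("enriched:", row)
```

With a bare list both hits are indistinguishable; with context the two-year-old single-source indicator is routed to review instead of consuming the same response effort as a recent, corroborated C2 address.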
Getting the Balance Right: Tangible Benefits
Naturally, you want threat intelligence to add tangible and quantifiable value to your organization’s security. As a provider of threat intelligence, we strive to provide measurable benefits to our customers, who in turn have reported back some highly impressive results.
For example, one customer went on record to say that Recorded Future helped reduce the amount of malicious traffic entering their network by 63 percent.
Inspired by anecdotal feedback from our customers, we commissioned a lab test to be conducted by Codis Technologies, an information security consulting firm specializing in incident detection, incident recognition, and process automation. The test measured the quantifiable value (in terms of productivity and security) that a security operations center (SOC) analyst can gain from integrating Recorded Future with a SIEM solution.
The results were conclusive. In a controlled environment, one SOC analyst experienced a 10 times gain in productivity after Recorded Future’s real-time threat intelligence was integrated with a SIEM solution.
For a set of steps that will help get you started toward balancing the threat intelligence tightrope, read our white paper of best practices for applying threat intelligence.