March 21, 2018 • Chris Pace
As threat intelligence continues its rapid rise to the top of wish lists for security teams, there remains considerable confusion about what you actually get when purchasing threat intelligence. There is a plethora of offerings from a variety of companies, including traditional endpoint and perimeter security players, security service providers, and a new breed of specialist threat intelligence vendors. But not all of these products are created equal, and some are designed solely to answer very specific use cases.
In this post, we’ll broadly categorize some of these vendors based on the way they deliver or organize threat-related content. If you want to find out more about specific use cases for threat intelligence, including vendor capabilities, you can download a free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”
So, let’s take a look at what you can get for your investment in threat intelligence and how it should be a central component in an effective information security strategy.
Threat intelligence service providers have their roots in the military tradition of human intelligence (HUMINT). Originally, HUMINT was intelligence gathered by humans from humans, but the process has since evolved into humans collecting and analyzing data from both human and machine sources to surface information on emerging and ongoing threats, in this case cyber threats. For example, human analysts may work from an initial incident to build a picture of the tactics, techniques, and procedures (TTPs) that threat actors use, and from that produce an intelligence report that could be useful to other organizations likely to be affected.
These reports are usually rich in detail, full of indicators, and uploaded to an online, searchable database for users to access. The drawback with this type of intelligence is that, traditionally, reports have to be researched using data gathered manually from a range of disparate sources (open web, deep web, and dark web), which means they can take significant time to produce. Time is at a premium for organizations trying to avoid becoming the victim of a breach. Leading service providers make use of advanced analytics and machine-learning techniques to increase analyst efficiency, so that reports can be produced faster without losing vital context.
Threat data feeds are seen by many organizations as the starting point for a threat intelligence program, since there are a number of open-source feeds you can subscribe to. Data feeds provide potential threat indicators such as IP addresses, domains, and file hashes.
The challenge is that, although this data arrives quickly (so it ticks the box for "real time"), the indicators come with no context. On its own, this data cannot answer vital questions: Are the indicators connected to attacks on particular industries or technologies? What part do they play in a malicious infrastructure? Are they related to a specific family of malware? The only way to obtain this context and actually generate relevant intelligence is to look for connections in the data, which in most cases is a time-consuming, manual process. Vendors who can bring feeds together into a single solution and automatically add context to feed data will let you get the maximum value from this kind of threat content.
Threat intelligence platforms help to organize many feeds of threat data (up to thousands, in fact) into a single container. The platforms let you configure alerts on feed data and make that data more consumable by removing duplicate entries and letting you prioritize sources. The most tangible advantage a platform has over using threat feeds alone is that it allows you to bring any source of threat data you have access to into a central view, and to integrate that view with other security products such as SIEMs or incident response platforms.
However, you do still have to configure all those feeds in the first place, and there may not be any real analysis of that data before it reaches a person.
Ultimately, a threat intelligence platform will only ever be as good as the data you put into it. Without real context around indicators, security teams will struggle to investigate every single alert, quickly realize it isn’t possible, and risk not responding to alerts altogether.
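The deduplication, source prioritization, and alerting just described can be illustrated with a small example. This is added here and is not code from the original post or from any vendor's product; the source priorities, feed entries, and log lines are all constructed, and substring matching stands in for the field-level matching a real platform would do.

```python
# Added example, not from the original post: the core of a threat intelligence
# platform step: merge feeds, drop duplicates, keep the highest-priority source
# per indicator and carry context into alerts. All data below is constructed.
SOURCE_PRIORITY = {"vendor_report": 3, "isac_share": 2, "open_feed": 1}  # assumed

# Constructed feed entries: (source, indicator type, value, context tags).
FEEDS = [
    ("open_feed", "ip", "203.0.113.10", []),
    ("open_feed", "ip", "203.0.113.10", []),  # exact duplicate
    ("isac_share", "ip", "203.0.113.10", ["c2", "retail-sector"]),
    ("open_feed", "domain", "EXAMPLE-BAD.test ", []),  # same IoC, different case
    ("vendor_report", "domain", "example-bad.test", ["phishing"]),
    ("open_feed", "hash", "0123456789abcdef0123456789abcdef", ["commodity-malware"]),
]

def normalize(kind, value):
    """Canonicalize an indicator so the same IoC from two feeds collides."""
    value = value.strip()
    return value.lower() if kind in ("domain", "hash") else value

def merge_feeds(entries):
    """Dedupe across feeds, keeping the best source and the union of tags."""
    merged = {}
    for source, kind, value, tags in entries:
        key = (kind, normalize(kind, value))
        rec = merged.setdefault(key, {"source": source, "priority": 0, "tags": set()})
        prio = SOURCE_PRIORITY.get(source, 0)
        if prio > rec["priority"]:
            rec["source"], rec["priority"] = source, prio
        rec["tags"].update(tags)
    return merged

def match_logs(merged, log_lines):
    """Alert on lines that contain a known indicator, with its context."""
    alerts = []
    for line in log_lines:
        for (kind, value), rec in merged.items():
            if value in line.lower():
                alerts.append({"line": line, "kind": kind, "indicator": value,
                               "source": rec["source"], "priority": rec["priority"],
                               "tags": sorted(rec["tags"])})
    return sorted(alerts, key=lambda a: -a["priority"])  # triage order

LOGS = [  # constructed sample log lines
    "2018-03-21T10:01:02 proxy allow 10.0.0.5 -> example-bad.test/login",
    "2018-03-21T10:02:15 fw deny 10.0.0.7 -> 203.0.113.10:443",
]
if __name__ == "__main__":
    for a in match_logs(merge_feeds(FEEDS), LOGS):
        print(a["priority"], a["kind"], a["indicator"], a["source"], a["tags"])
```

Six feed entries collapse to three indicators, and each alert arrives with a source, a priority, and tags, which is exactly the context a bare feed entry lacks.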
A complete threat intelligence solution draws together the capabilities of providers, feeds, and platforms, with all of these pieces allowing you to get the most from available intelligence. Crucially, a threat intelligence solution should collect data from a wide breadth of sources, including threat data feeds, to deliver a real-time view.
You would also expect automation and machine-learning capabilities that automatically connect the dots and add context across all of these sources, giving you contextualized threat content. This kind of technology also lets a solution provide its human analysts with already-enriched data, so that finished intelligence is produced faster.
A complete solution like this will have the capability to centralize any source of threat data you have access to and let you customize that intelligence for integration with other parts of your security infrastructure.
The significant advantages of this approach are obvious — you can make use of technology that balances fast access to data with the context that makes for true threat intelligence, and you can stick with a single vendor who can meet your threat intelligence needs as they grow.
To get more information on how a comprehensive threat intelligence solution works, download your complimentary copy of “The Buyer’s Guide to Cyber Threat Intelligence,” which includes an RFP template for evaluating the capabilities of different vendors.