CIOReview

The Great Threat Intelligence Debate

Dan Holden, Director-Security Research, Arbor Networks

Input “threat intelligence” into your Google News search engine and over 1.3 million results pop up. It’s become the latest in popular buzzwords in the Internet security industry. But, besides the obvious reasons, why is the industry so hot to trot on the notion of threat intelligence/sharing at the moment?

Before I address the ‘why’ question, I should take a step back to address the ‘what’ question: what is good cyber threat intelligence, anyway?

Advanced technologies may be able to detect the vast amount, size and scope of cyber threats out there, issuing alerts when a system is compromised, but without context or relevant information about the attack, security analysts may inadvertently dismiss serious attacks as unimportant noise. Actionable, defensible security intelligence is required to quickly identify threats that are targeting—and have already compromised—your environment.

The right security intelligence fuels the creation of mechanisms to recognize and block network-based attacks—some of the time. However, effective security intelligence not only identifies attacks, methods, and other indicators, but also understands and catalogs the attack infrastructure, so that broader, more proactive measures can be taken with confidence.

The main goal for threat intelligence and threat sharing is to get at that much-needed greater context into the events happening on your network or your ‘piece’ of the Internet and how it interacts with the rest of the Internet. It can also make up for the lack of greater context into simple events logged in legacy technologies (firewalls, IDS, anti-virus). It means getting at the why, where, and how of a security event, versus just knowing that the event or the indicator of compromise exists.

The problem with threat intelligence is that it’s become a bit of a big data headache. For effective threat intelligence, you need a giant store of the known ‘bad’—something that changes a million times a day—and the majority of the known bad you might never interact with at all. It may never apply to your particular slice of the Internet. The efficiencies and costs associated with storing that amount of data aren’t very appealing to most, despite the upside to having your hands on what could be some really great insight into the threats your network is or could be exposed to. This is why many vendors are partnering up to create shared threat intelligence groups—taking the big data burden off of one and spreading it among many, in a trusted, smaller-scale, but still effective, environment.

Given the influx of threats coming at you from every possible angle, entry-point and vector, what is really needed to stay ahead of attackers? Context. That context can help you gauge risk, prioritize your security responder’s time, and move on to the next threat (among many) at hand. In other words, don’t focus on threat intelligence merely for its sake—or because it's the latest hot buzzword in the industry. Threat intelligence data not only needs to be actionable and proven, it also needs to be easily accessible for incident responders to be efficient and effective.
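The following script is an added example (not code from the article or from Arbor Networks) of what "context" means in practice: raw firewall, IDS and DNS events are matched against a store of known-bad indicators, and each hit is enriched with the actor, campaign, confidence and freshness of the intelligence, then ranked by relevance to the organization's own sector. All indicators, log lines, actor names and the scoring weights (freshness and sector multipliers) are constructed assumptions for illustration; a real store would hold far more entries than ever match, which the unused indicator below is meant to show.

```python
"""Enrich security events with threat-intelligence context and prioritize them.

Added example; every indicator, actor, campaign and log line is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

TODAY = date(2015, 6, 1)  # constructed reference date for freshness scoring


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                 # "ip" or "domain"
    actor: str                # constructed actor label
    campaign: str             # constructed campaign label
    confidence: int           # 0-100: how well proven the intelligence is
    last_seen: date
    target_sectors: tuple     # sectors this infrastructure has been used against


# Constructed "known bad" store. Note that the last entry never matches any
# event below: most of a real store is irrelevant to any one network.
INTEL = {
    "198.51.100.23": Indicator("198.51.100.23", "ip", "ActorA", "CampaignX", 90,
                               TODAY - timedelta(days=2), ("finance", "telecom")),
    "203.0.113.77": Indicator("203.0.113.77", "ip", "ActorB", "CampaignY", 40,
                              TODAY - timedelta(days=400), ("retail",)),
    "bad.example.net": Indicator("bad.example.net", "domain", "ActorA", "CampaignZ", 70,
                                 TODAY - timedelta(days=60), ("finance",)),
    "192.0.2.200": Indicator("192.0.2.200", "ip", "ActorC", "CampaignW", 95,
                             TODAY - timedelta(days=1), ("energy",)),
}

# Constructed legacy-technology log lines (firewall, IDS, DNS)
EVENTS = [
    "2015-06-01T10:00:01 FW DENY src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=445",
    "2015-06-01T10:00:09 IDS ALERT sig=generic-scan src=192.0.2.14 dst=10.0.0.9",
    "2015-06-01T10:01:22 FW ALLOW src=10.0.0.12 dst=203.0.113.77 proto=tcp dport=443",
    "2015-06-01T10:02:05 DNS query=bad.example.net client=10.0.0.12",
]

# Pull out the observables (addresses and queried names) from a log line
OBSERVABLE_RE = re.compile(r"(?:src|dst|query)=(\S+)")


def extract_observables(line):
    """Return the src/dst/query values found in one log line."""
    return OBSERVABLE_RE.findall(line)


def score(ind, org_sector, today=TODAY):
    """Relevance score: confidence weighted by freshness and sector fit.

    The weights are assumptions chosen for the example, not a standard.
    """
    age_days = (today - ind.last_seen).days
    freshness = 1.0 if age_days <= 30 else 0.5 if age_days <= 180 else 0.2
    sector_fit = 1.0 if org_sector in ind.target_sectors else 0.5
    return round(ind.confidence * freshness * sector_fit)


def enrich(events, intel, org_sector, today=TODAY):
    """Attach context to each event and sort by priority (highest first).

    Events with no matching indicator keep priority 0 and no context: they
    are the "noise" that responders can defer.
    """
    results = []
    for line in events:
        hits = [intel[o] for o in extract_observables(line) if o in intel]
        if not hits:
            results.append({"event": line, "priority": 0, "context": None})
            continue
        best = max(hits, key=lambda i: score(i, org_sector, today))
        results.append({
            "event": line,
            "priority": score(best, org_sector, today),
            "context": (f"{best.actor}/{best.campaign} (confidence {best.confidence}, "
                        f"last seen {best.last_seen.isoformat()})"),
        })
    results.sort(key=lambda r: r["priority"], reverse=True)
    return results


def unused_indicators(events, intel):
    """Indicators in the store that no event ever touched."""
    seen = {o for line in events for o in extract_observables(line)}
    return sorted(v for v in intel if v not in seen)


if __name__ == "__main__":
    for r in enrich(EVENTS, INTEL, org_sector="finance"):
        print(f"[{r['priority']:3d}] {r['event']}")
        if r["context"]:
            print(f"       context: {r['context']}")
    print("never matched:", unused_indicators(EVENTS, INTEL))
```

Run as-is, the fresh, high-confidence indicator aimed at the finance sector rises to the top, the stale retail-sector hit drops near the bottom, and the generic IDS alert with no intelligence behind it stays at zero; the responder's queue is the sorted list, not the raw log.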

The goal of threat intelligence shouldn’t be corroborating bad data with more questionable data (because threat intelligence isn’t always proven), but it should be about searching out the best data that fits the risk profile of your particular organization, industry, and risk. At the end of the day, threat intelligence is about tracking the threat actors; naturally everyone will have a different slant or specialty on this. Ultimately, threat intelligence should make a marked improvement over existing staff and processes. If you have a giant library and no time to read anything in that library, then all you have is a bunch of books. No action, no intelligence.
