According to Benjamin Franklin, nothing is certain in life except death and taxes. And in our advanced technology age, we can add a new inevitability: cyber-threats. Before you even take your first sip of coffee on a Monday morning, a new threat that could have a severe impact on your infrastructure and data may already be in your system. You just haven’t found it yet.
Monitoring threats around the clock: powering your Security Operation Center
So in a world where threats are everywhere, what are your options? Well, if business continuity and protection of data are a top priority for your enterprise, you’ve probably already invested in, or are planning to launch, a Security Operation Center (SOC). Your SOC will monitor threats around the clock, so you can trust your security team to monitor and act to keep the most significant risks at bay.
Rest easy. It’s time to enjoy that delicious, hot coffee.
Well, not quite.
If data is the new oil, today we live in the aftermath of an oil spill. And data overload is as much a problem to your InfoSec team as it is to your marketing or customer operations. With the continued growth of more interconnected devices and the internet of things, having data on the many threats hitting your perimeter is all well and good. But understanding which are false positives and which need immediate action to quash is like finding a poisoned needle in your data stack. To find and immunize against that one-in-a-million alerts, you need threat intelligence.
Why you need threat intelligence
Threat intelligence is the overlay that turns seeing threats into knowing when and how to act. Gartner defines threat intelligence as:
Evidence-based knowledge – including context, mechanisms, indicators implications and actionable advice – about an existing or emerging menace or hazard to assets that can be used to inform decisions about how to respond.
Rob McMillan
Gartner Analyst
I’m not arguing with that.
But no two battles against cyber-threats are quite the same. Using threat intelligence, you can join the dots between related attacks to pinpoint who your adversary is, then adjust your defense strategy to block them.
Data suggests a ‘threat pyramid’
Every day, we face more threats. These range from everyday commodity threats – easily detected, known malware – to advanced threats and targeted attacks using known TTPs (tactics, techniques and procedures,) and rare but deadly advanced persistent threats (APTs.)
The data paints a picture known as the ‘threat pyramid.’ Almost all threats we see are mundane, like common malware. A small number are advanced threats and targeted attacks, like the banking trojan malware Emotet, hitting small- and medium-sized businesses (SMBs) and enterprises hardest. A tiny number are APTs, affecting few organizations with devastating consequences. These are the most poisonous needles in the data stack.
You need a strategy, not a platform
Good threat intelligence is more than just buying a platform and hoping for the best. Like all effective cyber-prevention, it blends technology, strategy and effort. Good threat intelligence gives you the insight you can act on – from real-time alerts of a potential breach to helping paint a bigger picture that educates your senior stakeholders about the ongoing risks. This, in turn, indicates what software and investment you need to keep harm at bay.
At the basic level, threat intelligence provides alerts and blocking for indicators of compromise (IOCs). Contextual alerts and e-signature management help determine the validity and severity of attacks to form your incident response approach. Another use case is fusion analysis, used by Kaspersky CyberTrace – pulling together and evaluating disconnected data feeds to help identify which threats pose a danger.
And threat intelligence can inform your cybersecurity strategy too. By using intelligence relevant to your risk posture, security planning informs architecture decisions and helps you refine your security processes to better defend against known threats.
If you’re working with a managed service provider (MSP) to run your security operations, ask how they’ll install and run your threat intelligence service, and how much time and effort you’re getting. Its round-the-clock nature means it’s not the easiest service to outsource.
Threat intelligence’s big three
When planning and buying your solution, there are more advanced threat intelligence options like human-readable threat hunting reports and threat attribution, but to start, you’ll need three components:
IOC (indicator of compromise)
IOC is the basis of threat intelligence. It’s evidence we can measure and recognize like a fever is the outward sign of disease in the body. There are many IOC services. To choose the right one, you’ll need to know which threats you’re most likely to face.
Threat data feeds
These provide integrated intelligence by analyzing adversaries and the wider threat landscape. There are many on the market, both free and paid. To choose the best one for you, ask: do we need an APT data feed if we’re not a likely target for APT groups? Where is the best place in the IT infrastructure to add the feeds? Should we block threats or just alert the team? Your answers will depend on your organization’s security posture and IT strategy.
Threat intelligence platform
A threat intelligence platform lets you manage a range of specialist software that supports the different components. What you choose and how you integrate services comes down to your budget and business needs. Although there are open-source data feeds out there, you can buy more sector-specific intelligence. It’s essential to drill down when you purchase threat intelligence services to make sure the vendor provides a responsive service – both in the quality of data feeds and speed if they’re providing incidence response.
With careful planning, while choosing a vendor and a well-thought-out strategy, your SOC can benefit from the full protection and power of threat intelligence. The needles will still be in your data stack, but you’ll have the tools to find and break them.