In the spirit of The Washington Post’s regular column, “5 Myths,” here is “a challenge to everything you think you know” about Threat Intelligence.
You may already know that cyber threat intelligence from both internal and external sources can provide value when it is researched, analyzed and disseminated correctly. The benefits include:
- Changing an organization’s security model from reactive to proactive
- Shrinking the security alert problem that is overwhelming most security teams
- Driving better, more informed responses to security incidents
- Extending the life of aging security technologies and turbo charging new defenses by feeding them real-time intelligence updates to enable blocking of rapidly emerging threats
- Enhancing communications between the security team, management and board members
- Driving better investment strategies and more directly connecting security priorities with business risk management priorities
Marketing departments would have you believe, it’s easy. Just sign this Purchase Order and the magic happens. Here are 5 myths about Threat Intelligence.
- You can buy it
Actually you can only buy threat data feeds. Converting this “data” to intelligence requires many steps. You have to collect data from your network, match against the threat data feed, examine matches for validity, weed out false positives, investigate the remainder and apply remediation.
- More expensive is better
This one is obvious – only if it is relevant to your needs. For example, a high quality feed about threats that your organization does not face is not very useful. For example, is it meaningful to you to get great intel on the threat landscape local to Uzbekistan? Not unless you have network assets there. Most feeds cover specific activities, technologies, and industries. Just because they are high quality, it doesn’t follow they are useful to your organization.
Also ask the question if you can actually use what information is provided. For example, a feed that updates by the minute requires that you be able to act immediately on notification. However, if you can only act the following business day (lack of dedicated staff?), then why pay for the real time update?
You may have heard “the best things in life are free.” It can be true in the case of Threat Intel feeds.
- It’s a one-time cost
See the answer to #1 above. Feed data updates regularly. Applying it to your local environment is also a continuous process. The one-time cost is to buy a subscription to a data feed. Security, you may have heard, is a process, not a project.
An easy comparison is to vulnerability scan results. Users of such products will quickly recognize that one must carefully tune the tests that the scanner runs to avoid disrupting or crashing some products (one just can’t enable a test against all endpoints). Further, many results must be masked because they cannot be remediated for good reasons and a compensating control may have been applied. These are all ongoing costs.
- The benefits are automatic
Actually no. In order to get benefits from threat intelligence feeds, a series of steps must be completed as outlined above, mostly in the area of tuning the feeds to eliminate false positives. Most Intrusion Detection System (IDS) users will recognize this problem easily. Enable an IDS with all available data feeds and you will get bombarded with false positives, and likely get depressed that the process is not “automatic.” Obtaining value from such feeds requires attention and tuning.
- It’s easy to use
While threat intelligence may be easy to incorporate into any product, by itself it’s not inherently “easy to use.” That depends on the device that is using threat intelligence. For example, many Next Generation Firewalls (NGFW) offer subscriptions to threat intelligence. They update themselves and take the configured action (report or block undesirable traffic). However, it is still up to the administrator to review these alerts for correct behavior. Administrators of anti-spam devices or proxy servers will quickly recognize this. Those devices also incorporate threat intelligence but require review for proper functioning.
Threat intelligence is a crucial need for any organization, but it isn’t a one-size-fits-all proposition, nor is it a plug and play way to secure data. Businesses and their IT teams must understand that security is a process, one that is grown out of attention to need and should come complete with an administrator to oversee anomalies. Once organizations better understand this fact, we’ll be well on our way to data security.