- Johna Till Johnson, Nemertes Research
Several years ago, my company, Nemertes, flagged threat detection and threat intelligence platforms as one of the bellwether technologies that correlate with highly successful cybersecurity organizations, as measured by mean total time to contain. But the success correlation is a bit lower than anticipated, given how obvious the benefit of using such tools should be.
It turns out there's a wide range of offerings when it comes to such products. Just because a vendor or service provider bills its offerings as "threat detection and intelligence" doesn't mean those offerings are delivering what cybersecurity professionals actually need. So the data got muddied by folks who said they were using "threat intelligence," but in fact were using little more than traditional list-based antimalware.
So what's a threat intelligence platform, anyway?
OK, what do we mean by threat detection and intelligence? And how can you be sure you're "doing it right" -- procuring the products and services that deliver actual value?
First, be aware that there are two components to the problem. One is knowing what's going on in your environment, and whether any of those goings-on represent a threat or attack. That's the easy piece, at least conceptually. It may be technically difficult to accomplish -- which is why there's job security for cybersecurity professionals, for the foreseeable future -- but fundamentally, it's contained by the boundaries of the environment.
The second component is harder, yet potentially more valuable: understanding what's going on in the universe at large and determining whether any of it poses a threat -- and, if so, on what timeframe. As the mathematicians would say, that's a boundaryless problem.
There are plenty of technical solutions to the first problem (knowing what's going on in your environment and determining whether it's a threat). These range from traditional antimalware to intrusion detection and prevention systems, behavioral threat analytics and other tools. And because this component is foundational, if you don't have these products in place, start here. If you don't have knowledge of and insight into today's threats to your environment, you aren't prepared to handle future ones.
The solutions to the second part of the problem are more art than science. Your provider needs to have the experience to know what areas of the threat universe to look at and, within those areas, which are most likely to apply to you or at least organizations like yours. The provider needs to have some sense of the timeframe in which these threats will emerge, the geographies at greatest risk and how the threats will evolve. And, of course, they've got to know what to do about those threats, both now and in the future.
If you're a bank, for instance, the provider should know what kinds of attacks are trending among financial services organizations and how they're evolving. And it should be able to advise you about the characteristics of firms that successfully resist such attacks.
But to be really effective, you want these products to be anticipatory -- that is, give you early guidance on what might be about to come over the horizon and how likely it is to affect you. This, in turn, requires a much broader knowledge of the threat universe.
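The two components above (telemetry from your own environment, and outside intelligence that carries a sector, a timeframe and a confidence) are easier to reason about with a concrete correlation step in front of you. The script below is an added illustration written for this article, not a product described here: it matches observables pulled from constructed firewall, proxy and EDR log lines against a constructed indicator feed, then ranks each hit by how relevant the source says the indicator is to the organization's industry and how stale it is. The feed entries, log lines, the `financial` sector label and the scoring weights are all assumptions made for the example.

```python
"""Correlate local telemetry with an external threat-intelligence feed and
rank hits by relevance to the organization.

Added illustration; feed entries, log lines, sector labels and scoring
weights are constructed for this example and are not real indicators.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Indicator:
    value: str         # the observable itself: IPv4, hostname or SHA-256
    sectors: tuple     # industries the source reports as targeted; () = any
    first_seen: date   # when the source first reported the indicator
    confidence: int    # source-assigned confidence, 0-100


@dataclass(frozen=True)
class Alert:
    log_line: str
    indicator: Indicator
    score: int


# Constructed feed: stands in for the "outside insight" a provider supplies.
INTEL_FEED = [
    Indicator("203.0.113.45", ("financial",), date(2024, 5, 20), 80),
    Indicator("198.51.100.7", (), date(2023, 1, 10), 60),           # stale
    Indicator("update-portal.example", ("healthcare",), date(2024, 5, 28), 90),
    Indicator("0f1e2d3c" * 8, (), date(2024, 4, 15), 70),           # fake hash
]

# Constructed telemetry from the local environment (firewall, proxy, EDR).
LOG_LINES = [
    "2024-06-01T10:02:11Z fw allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-06-01T10:05:43Z proxy GET http://update-portal.example/setup.exe client=10.0.0.31",
    "2024-06-01T10:07:02Z edr file_hash=" + "0f1e2d3c" * 8 + " host=ws-17",
    "2024-06-01T10:09:55Z fw allow src=10.0.0.40 dst=192.0.2.10 dport=80",
    "2024-06-01T10:12:30Z fw deny src=10.0.0.9 dst=198.51.100.7 dport=22",
]

OBSERVABLE_PATTERNS = (
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),       # IPv4 address
    re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),    # hostname (lowercased input)
    re.compile(r"\b[0-9a-f]{64}\b"),                  # SHA-256 hex digest
)


def extract_observables(line: str) -> set[str]:
    """Pull every IP, hostname and SHA-256 out of one lowercased log line."""
    found = set()
    for pattern in OBSERVABLE_PATTERNS:
        found.update(pattern.findall(line))
    return found


def relevance(ind: Indicator, org_sector: str, today: date) -> int:
    """Score 0-100: provider confidence, adjusted for sector fit and age.

    Weights are assumptions for the example: +20 / -20 for a sector match or
    mismatch, -30 once the indicator is more than 90 days old.
    """
    score = ind.confidence
    if ind.sectors:
        score += 20 if org_sector in ind.sectors else -20
    if (today - ind.first_seen).days > 90:
        score -= 30
    return max(0, min(100, score))


def correlate(log_lines, feed, org_sector: str, today: date) -> list[Alert]:
    """Match observables in the logs against the feed; highest relevance first."""
    index = {ind.value: ind for ind in feed}
    alerts = []
    for line in log_lines:
        for obs in extract_observables(line.lower()):
            if obs in index:
                ind = index[obs]
                alerts.append(Alert(line, ind, relevance(ind, org_sector, today)))
    alerts.sort(key=lambda a: a.score, reverse=True)   # stable: ties keep log order
    return alerts


def run_demo(org_sector: str = "financial", today: date = date(2024, 6, 1)) -> list[Alert]:
    """Run the constructed logs against the constructed feed for one organization."""
    return correlate(LOG_LINES, INTEL_FEED, org_sector, today)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.score:3d}  {a.indicator.value:<24} {a.log_line}")
```

Run as a bank (`financial`) and the match on the sector-targeted IP ranks first, while the stale indicator from early 2023 drops to the bottom even though it matched; run as a healthcare organization and the ranking flips. That is the practical form of "which threats apply to you, on what timeframe": the same raw hit means something different depending on who you are and when the intelligence was produced.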
How to choose your threat detection and intel system
What does all this mean when it comes to selecting a threat detection and threat intelligence platform?
First off, the emphasis here should be on intelligence -- particularly when it comes to obtaining outside insight. Your provider should be able to document access to a wide set of data sources above and beyond what's going on in your environment. That could be (appropriately anonymized and consolidated) information from other clients, from industry consortia or from other third parties -- many cybersecurity providers work collaboratively with each other. Ask your provider, "How do you find out about emerging threats?" And push them on the answers.
Second, you should pay attention to the provider's experience with companies like yours. Do they have a deep base of insight and expertise with companies in your industry, in your geography and of your size? If so, that can help you in developing threat-protection strategies.
Finally, let's talk about the technical aspects of the "intelligence" vendors provide. Does it come from AI? Machine learning? Human analysts? Or a combination of those? The most effective intelligence is AI-assisted human insight. AI can point you to the shape of emerging threats and raise awareness of threats you might not have considered. But it takes a human -- preferably, one well versed in your industry -- to talk about what your threat-mitigation strategies will likely mean from an operational perspective.
In sum, deploying effective threat detection and threat intelligence platforms is one of the smartest things you can do to protect your business. That means considering both components of the solution: instrumenting your environment for current protection and deploying intelligence services to provide early warning of future threats.