E-Handbook: How to get actionable threat intelligence from tech tools Article 2 of 4

Olivier Le Moal - stock.adobe.co


How can security benefit from cyberthreat intelligence?

Cyberthreat intelligence is essential to understand common external-facing risks. Learn how to find the right threat intelligence feed and how the data can benefit cybersecurity.

Threat intelligence is essential to help organizations understand their most common and severe external risks. By tapping into cyberthreat intelligence sources and feeds, security leaders are provided in-depth information about specific risks essential to help an organization protect itself.

This intelligence information is also a critical part of unified threat management (UTM) systems and security information and event management (SIEM) platforms. A UTM, SIEM or similar security tool can be configured to collect third-party threat intelligence information for emerging spam, phishing, malware and other zero-day threat vulnerabilities. This information can then be used to automate controls that block those threats throughout the corporate network.

The exponential number of threats facing organizations today, combined with a growing need for rapid threat response times, has made cyberthreat intelligence increasingly important to enterprises' overall security posture.

What are common sources of cyberthreat intelligence?

In a cyberthreat intelligence feed, threat data is collected from several sources depending on the type of feed administrators choose. For example, commercial threat intelligence feeds will often collect anonymized customer metadata to analyze and identify various threats and risk trends on corporate networks.

Other threat feeds rely on information from open source intelligence websites, social media and even human-produced intelligence. Lastly, cyberthreat intelligence can be sourced from specific public and private verticals that provide unique threat intelligence based on the type of business the organization is involved in.

Keep in mind that not all threat management source material will be relevant. Adding too many sources can simply add noise and duplicate data. This can severely influence the accuracy and speed of the cyberthreat intelligence tools. Additionally, it's critical to add your own local cyber intelligence sources and not simply rely on third-party information. This includes the collection and analysis of local logs, security events and alerts procured by tools deployed across the corporate infrastructure. The combination of both local and third-party threat intelligence sources is the best way to identify and automatically block threats in modern networks.

How do I choose the right third-party threat intelligence feeds?

Businesses are growing increasingly reliant on third-party cybersecurity threat intelligence feeds. These real-time streams of cybersecurity information allow businesses to quickly identify and automatically block emerging threats. These threats include DDoS, malware, botnets and spam. However, security administrators looking to add cyberthreat intelligence into their overall security architecture will quickly discover that the number and types of threat intelligence feeds can vary widely.

Most organizations will likely purchase a cyberthreat intelligence feed from the same vendor their commercial network security device hardware/software came from. In many cases, this commercial feed provides enough external threat intelligence information to protect an organization. Examples of commercial feeds include feeds from FireEye, IBM, Palo Alto and Sophos. Remember that most vendors share threat information with others, however, so commercial options are largely providing similar intel.

Another option is to use an open source, or free, feed from several available options accessible on the public internet. While these are great options, much of the information found here will be duplicate if you also have a commercial cyberthreat feed.

Many governments also offer their own cyberthreat feeds. These are good options for organizations both public and private. However, like the open source options, be cognizant of unnecessary information overlap if you've also subscribed to a commercial offering. Depending on your business vertical, there may be threat intelligence feeds that cater to your specific industry. These feeds are commonly used by businesses and governments that manage critical infrastructure.

Threat intelligence feeds work as follows: The third party will gather raw data about emerging threats from public and private sources. The raw data is then analyzed by the third party, where it is also filtered by importance, relevancy and to eliminate duplication. The filtered data is then pushed out to feed subscribers in one of several formats. Typically, the formats are standards-based such as OpenIOC, STIX/TAXII or CyBox. Some feeds may also be proprietary in nature, so be sure that the threat intelligence platform you're looking to import third-party intelligence into is compatible with the feed format.

Why is unified threat management becoming so popular?

Enterprise organizations are increasingly interested in deploying UTM platforms within their private and public cloud infrastructures. A 2019 Grand View Research study shows an expected compound annual growth of nearly 15% through 2025 in the UTM segment.

There are several reasons for this increase. It's no secret that the threat of data theft and data loss within all enterprise market verticals is on the rise. Not only are the number of attacks increasing, they're also more sophisticated and coming from more sources. For example, blended attacks, which incorporate a combination of multiple vulnerabilities, are being used to thwart legacy, compartmentalized security tools that can have gaps that can be exploited.

A second reason why threat vulnerability management platforms are gaining popularity is because security administrators have lost end-to-end visibility when working within hybrid cloud enterprise infrastructures. While traditional tools can often be deployed in public IaaS clouds, they're often cumbersome to deploy and in many cases cannot centralize management and visibility in decentralized networks. This is a major problem, as the more decentralized IT services, data and resources become, the more likely a cyberattack is likely to occur.

Threat management platforms that are unified in nature can help to eliminate security tool gaps while also providing more visibility for modern hybrid cloud infrastructures. For one, it combines multiple security tools under a single management and monitoring umbrella. This includes layer 7 firewall capabilities, intrusion detection/prevention, network anti-virus, content filtering and data loss prevention features, among others. Many UTM platforms can also integrate with security tools to help manage and share important vulnerability detection information between tools.

Additionally, UTM systems can pull in external cyberthreat intelligence sources from a number of government, open source and commercial threat feeds. This information can be used to preemptively identify and block emerging threats prior to any attack occurring.

Lastly, because UTM platforms are centralized, it becomes much easier to expand threat detection services into public clouds, private clouds and across the corporate LAN and WAN. This is important for saving money on deployments and simplifying management of an end-to-end security solution. Thus, for organizations that have limited in-house security resources, UTM platforms are proving to be more cost and resource efficient compared to other security deployment options.

Dig Deeper on Security analytics and automation

Enterprise Desktop
Cloud Computing