What global threat intelligence can and can't do for security programs
Global threat intelligence is a valuable complement to a company's security program, but it can't replace security measures like training and internally collected data.
Along with machine learning and data mining, many security teams see threat intelligence as a key technology for gaining a strategic advantage during and after the detection of a cyberattack. Threat intelligence can be sourced from internal data, but many security operations centers also ingest global threat intelligence: open source intelligence, feeds from their security information and event management (SIEM) vendors, and feeds from dedicated threat intel vendors, in the hope of gaining a more comprehensive understanding of current and potential external and internal threats. This knowledge is then used to update defensive strategies and tools to better protect the organization's critical infrastructure and intellectual property from attack.
Where global threat intelligence helps
A recent SANS Institute report, "The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing," found that only 6% of respondents said they do not use threat intelligence (TI), and the majority that do use it felt that it had improved their security and response capabilities. Report findings included the following:
- 71% saw improved visibility into threats;
- 58% found TI helps provide faster and more accurate response;
- 54% said TI helps detect threats they were previously unaware of;
- 48% said TI helps reduce exposure of sensitive data;
- 39% found TI measurably reduced the impact of incidents through more intelligent blocking; and
- 48% reduced the number of incidents through early prevention related to use of TI.
These figures certainly seem to support investment in global threat intelligence feeds. However, the report also says that very few organizations can research or effectively use more than 100 threat indicators a week. This suggests many organizations are paying for threat intelligence data that they can't interpret or act on, because they lack the necessary infrastructure and staff. Analyzing and acting on that many indicators requires a large and skilled team; just pushing new threat classes, categories and response actions out to firewalls, intrusion detection and prevention systems, and endpoint security tools is time-consuming enough.
There is also a danger that security teams will be distracted by a flood of additional data while more basic security tasks are neglected. According to the 2016 Data Breach Investigations Report from Verizon, the same four categories of attack continue to cover 90% of incidents: miscellaneous error, crimeware, insider misuse and lost or stolen devices -- all of which map to human error or misuse. A concerted effort to reduce basic errors -- such as not following procedure, careless use of mobile devices and opening attachments bearing malware -- is still the surest way to have an immediate impact on overall data security. Beefing up remediation of the vulnerabilities attackers are actively exploiting, along with those for which exploits or proof-of-concept code are publicly known, will also greatly reduce the number of successful attacks; according to the same 2016 report, the top 10 vulnerabilities accounted for 85% of successful exploit traffic.
Spend money where it matters
Budgets and resources need to be focused where they are most effective. Spending on security awareness training should certainly not be cut to make way for a global threat intelligence program until the CISO is confident the program can more than pay for itself. For threat intel to be worthwhile, there must be a big investment not only in hardware to handle the increased data flows, but in people too. Invest in analytical skills, in technical knowledge of normal network and system operations and of business processes, and in a management team that understands adversaries and cyberattack campaigns.
Until an organization's security maturity is high, it may be more expedient to make better use of internal sources of threat intelligence -- network and endpoint security devices, combined with open source tools and feeds -- to reduce the initial cost of bringing the infrastructure and people up to speed.
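The two points above, that a team can only work through a bounded number of indicators each week and that external feeds are most useful when correlated with internal telemetry, are easier to see in code. The following is an added example written for this article, not code from the SANS or Verizon reports or from any vendor. The feed format (CSV with indicator, type, confidence, last_seen, source), the log format (timestamp, client, destination), the allow list, the date used as "now", and the ranking rule are all assumptions; the feed rows and log lines are constructed sample data. It merges duplicate indicators across sources, drops stale or low-confidence ones, checks which indicators have actually been seen on the internal network, and cuts the ranked result at the analysts' review budget so the rest is explicitly deferred rather than silently ignored.

```python
"""Triage an external threat-intel feed against internal telemetry.

Added example for this article (not from SANS, Verizon, or a vendor).
Formats, weights, allow list, and sample data are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: two sources report the same IP, one entry is
# weak, one is stale, one is a resolver we use legitimately.
FEED_CSV = """indicator,type,confidence,last_seen,source
203.0.113.10,ipv4,90,2016-05-01,vendor-a
203.0.113.10,ipv4,70,2016-04-28,osint-b
evil-update.example,domain,85,2016-05-02,osint-b
malware-cdn.example,domain,80,2016-05-02,vendor-a
198.51.100.7,ipv4,40,2016-01-15,osint-c
stale.example,domain,95,2015-11-01,vendor-a
8.8.8.8,ipv4,60,2016-05-01,osint-c
"""

# Constructed internal proxy/DNS log: "timestamp client destination".
INTERNAL_LOG = """2016-05-02T10:01:00 10.0.0.5 203.0.113.10
2016-05-02T10:02:13 10.0.0.9 evil-update.example
2016-05-02T10:03:44 10.0.0.5 8.8.8.8
2016-05-02T10:04:00 10.0.0.7 8.8.8.8
"""

# Assumed: known-good infrastructure from the organization's own inventory.
ALLOW_LIST = {"8.8.8.8"}

# Assumed evaluation date for the sample data.
NOW = datetime(2016, 5, 3)


def parse_feed(text, now, max_age_days=90, min_confidence=50):
    """Merge duplicate indicators across sources, then drop stale or weak ones.

    Merging first means an indicator reported weakly by two sources is
    judged on its best confidence and its full source list.
    """
    merged = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%d")
        entry = merged.setdefault(row["indicator"], {
            "indicator": row["indicator"], "type": row["type"],
            "confidence": 0, "sources": set(), "last_seen": last_seen,
        })
        entry["confidence"] = max(entry["confidence"], int(row["confidence"]))
        entry["last_seen"] = max(entry["last_seen"], last_seen)
        entry["sources"].add(row["source"])
    return {
        k: v for k, v in merged.items()
        if now - v["last_seen"] <= timedelta(days=max_age_days)
        and v["confidence"] >= min_confidence
    }


def parse_internal_hits(text):
    """Map each destination seen in the internal log to the clients that hit it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _ts, client, dst = line.split()
            hits[dst].add(client)
    return hits


def triage(indicators, hits, allow_list, budget):
    """Rank indicators and cut at the weekly review budget.

    Returns (review, deferred, suppressed): what analysts should look at
    this week, what was pushed back, and what the allow list removed.
    Ranking: seen internally first, then by number of affected hosts,
    confidence, and number of agreeing sources.
    """
    suppressed, ranked = [], []
    for ind in indicators.values():
        if ind["indicator"] in allow_list:
            suppressed.append(ind["indicator"])
            continue
        ranked.append({**ind, "hosts": len(hits.get(ind["indicator"], ()))})
    ranked.sort(key=lambda r: (r["hosts"] == 0, -r["hosts"], -r["confidence"],
                               -len(r["sources"]), r["indicator"]))
    return ranked[:budget], ranked[budget:], suppressed


if __name__ == "__main__":
    review, deferred, suppressed = triage(
        parse_feed(FEED_CSV, NOW), parse_internal_hits(INTERNAL_LOG),
        ALLOW_LIST, budget=2)
    for r in review:
        print("REVIEW  ", r["indicator"], r["hosts"], "host(s)",
              r["confidence"], sorted(r["sources"]))
    for r in deferred:
        print("DEFERRED", r["indicator"])
    print("SUPPRESSED", suppressed)
```

With a budget of 2, the two indicators that have actually been contacted from inside the network are reviewed first, the unseen but plausible domain is deferred to a later week, and the allow-listed resolver is dropped before it wastes anyone's time. The numbers in the feed are made up, but the shape of the problem is real: the feed only becomes useful once it is joined to internal data and sized to the team that has to act on it.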
In cyberwarfare, information and knowledge matter. Network defenses can be improved by smarter information sharing and analysis, and organizations can benefit decidedly from using global threat intelligence, but it should certainly not detract from the more important task of doing security basics well. It's still the well-known vulnerabilities and weaknesses that attackers exploit, even in more advanced and sophisticated attacks, so allocate time and budgets accordingly.