Make threat intelligence meaningful: A 4-point plan

Threat intelligence is a hot topic, but it requires a ton of work to be operational and effective. Here's how to steer clear of the traps


Consider what happens with a professional sports team. Once the coaches know who the team is playing, they analyze how the team performed against that opponent in the past. The coaches analyze their own performance in the game footage and create playbooks. Only after all that is done do they watch footage of other teams playing the opponent to gain additional insights they can use to tweak the playbook. In the same manner, security teams can determine which security improvements to make by examining their own logs.

If the security team knows the enterprise has been attacked several times over the past few months, then it has to find and address the deficiencies, either by deploying new controls or adding defenses. By understanding what is actually happening, the team can prioritize what must be done to remedy the threats. The network defender can prioritize what to fix, what indicators need a follow-up, and what attacks to watch for. From a security perspective, the enterprise can either mitigate the risk or make the decision to accept the risk (and not do anything at all).

Intelligence isn’t derived from the traditional defenses alone, such as the firewall, Web application firewall, and endpoint security software. Threat intelligence has to cross all areas, including vulnerability management, SIEM, and incident response.

Look at all the event logs from applications, network devices, and endpoints. Find ways to hook into cloud services and mobile. Scan the enterprise’s IP address blocks through specialized search engines such as SHODAN to see what systems may be exposed on the Internet. Even spreadsheets -- such as a list of all deployed endpoints containing the MAC addresses, IP addresses, and the username of the user owning the system -- should be included. More input leads to better decision making.

“The very best data about your environment is yours,” Vincent says.

4. Know what comes next

Don’t buy threat intelligence sight unseen. That’s easier said than done, since many providers offer only Web demos and pregenerated reports during the sales cycle. Try before you buy, regardless of whether you are buying the feeds alone or the software platform. Look for the providers who will offer a trial run of at least 60 days, so the security team can access all the intelligence feeds, analytics tools, and reports. Several experts agreed that 60 days was necessary to gauge whether the indicators in the feeds were relevant, tactical, and useful.

“Not all threat intelligence is created equal,” says Holland.

For the feed, consider the effort required to connect the intelligence feed to the centralized platform. See how the feeds can be consumed by internal systems and how the intelligence can be integrated with internal data sources.

The intelligence has to be useful and timely. One of the biggest problems with threat intelligence is the fact that if the indicators are stale and irrelevant, the intelligence derived from them is useless. The intelligence should complement what the organization already has in its own data sets and provide extra insights.

Remember that sports team analogy? The benefit of external threat intelligence lies in the additional insights it can provide. Don’t waste the money buying a product or a service that repeats what is already known. 

“If the feed overlaps with what you already see from your firewall, then it has no value [to you],” Cunningham says.
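One way to put Cunningham's overlap test and the staleness concern into practice during a trial: score each feed indicator against what the organization's own firewall has already logged. This is an added example, not code from the article or any vendor; the feed record shape, the firewall log format, and the 30-day freshness window are assumptions, and all sample data is constructed.

```python
"""Score a trial threat-intel feed against indicators already seen internally.

Assumed inputs (not from the article): the feed is a list of
(indicator, date_published) tuples, and the firewall log is a list of lines
shaped like "2016-03-01 DROP src=203.0.113.5" (a constructed format).
"""
from datetime import date
import re

# Constructed sample feed: (source address, date the provider published it)
FEED = [
    ("203.0.113.5", date(2016, 3, 2)),
    ("198.51.100.77", date(2015, 9, 14)),
    ("192.0.2.10", date(2016, 3, 20)),
    ("198.51.100.200", date(2015, 12, 1)),
    ("203.0.113.9", date(2016, 3, 25)),
]

# Constructed sample firewall log lines
FIREWALL_LOG = """\
2016-03-01 DROP src=203.0.113.5
2016-03-03 DROP src=203.0.113.5
2016-03-04 ACCEPT src=192.0.2.10
2016-03-05 DROP src=198.51.100.77
""".splitlines()

SRC_RE = re.compile(r"src=(\d+\.\d+\.\d+\.\d+)")

def observed_indicators(log_lines):
    """Set of source addresses the organization's own firewall already logged."""
    seen = set()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            seen.add(m.group(1))
    return seen

def evaluate_feed(feed, log_lines, today, max_age_days=30):
    """Bucket each feed indicator as overlap (already known), stale, or novel."""
    seen = observed_indicators(log_lines)
    result = {"overlap": [], "stale": [], "novel": []}
    for indicator, published in feed:
        if indicator in seen:
            result["overlap"].append(indicator)   # repeats what the firewall shows
        elif (today - published).days > max_age_days:
            result["stale"].append(indicator)     # too old to be actionable
        else:
            result["novel"].append(indicator)     # the only bucket that adds insight
    return result

def novelty_ratio(result):
    """Share of the feed that is both new to the organization and fresh."""
    total = sum(len(v) for v in result.values())
    return len(result["novel"]) / total if total else 0.0
```

Running the same scoring over each day of the trial period gives a defensible number to put beside the provider's price.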

For the threat intelligence platform, evaluate the analytics and the tools. Visualization tools are available to present threat intelligence in charts and graphs, much like business intelligence.

Find out whether intelligence can be translated into an actionable plan that can be pushed out to or used to create defense tools. This could be a firewall configuration file, Snort rules, scripts for IPS/IDS, or automatic data inputs for the SIEM. The instructions can be entered manually by the analysts and security operations teams or automatically sent to the corresponding security systems.

The value of the threat intelligence platform comes from the analysis and how the resulting insights are fed into automated and manual workflows designed to protect the organization. Enterprises need to work with providers that offer intelligence analysis and operations support to complement existing corporate security teams, or that give organizations lacking in-house analysts the support they need to make sense of what they have.

“Threat intelligence is a process, not an end result,” Vincent says. A successful intelligence program continually tunes, assesses, and modifies itself according to the changing threat landscape, shifting priorities, and adjustments to the risk profile. The IT and security teams revisit all the data sources -- externally and internally -- on a regular basis to ensure they remain relevant. Too many threat intelligence programs fail because no one is looking at how to mine the information and act on what’s found.

If the organization has evidence of attacks against an application, and the insights provided by the threat intelligence platform indicate the attacks are performed by a group that tends to steal credit card numbers, it falls upon the security operations team to protect the application or the credit card numbers. All the intelligence gathering and analytics do no good if nothing happens as a result. Security teams that understand that intelligence is both a strategic and tactical operation will get more value from threat intelligence than those that don’t.

“Threat intelligence is the brain. The devices and the rest of the network are the arms, legs, and eyes,” Vincent says.

This story, "Make threat intelligence meaningful: A 4-point plan" was originally published by InfoWorld.

Copyright © 2016 IDG Communications, Inc.
