Why do we need security insights and not just Intel threat
For organizations struggling to defend against today’s onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they obtain from external sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all of this information can be overwhelming if you don’t know how to use it. Meanwhile, businesses often overlook important data that resides in their own environment.
To use threat intelligence effectively, you must first understand what is happening in your own environment and how your employees are using network resources. In this context, you can interpret, customize, and apply threat intelligence in a way specific and unique to your organization. This tailored baseline allows you to identify anomalies in your environment and the problems they cause. All the external threat data in the world won’t help you if you don’t know what your internal systems are supposed to do.
In general, we rely too much on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security know-how. As security professionals, it is not our job to watch the great and mighty Oz but to look behind the curtain.
For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce log noise, keep tabs on endpoints, and identify known threats, but they won’t identify not all threats in your environment. Relying on traditional tools alone is virtually a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how these tools work, what their capabilities are and what their weaknesses are. Why should the attacker know more about your systems than your security team?
Use these tips to turn your threat intelligence into security insight:
1. Use multiple data sources. Sure, take advantage of threat intelligence feeds and CISA alerts, but know their limitations. Threat intelligence feeds contain limited types of information – tactical, technical, IP addresses, domain names, or file hashes – and by the time you receive the alerts, the information may be months old. New information should be leveraged not only against how your systems are today, but also against how they were in the past. By being able to visualize information over time, you achieve a new level of security awareness and confidence in your continued security integrity.
2. Make data actionable. Security professionals often don’t consider threat information useful because it typically lacks context. A list of IP addresses is just data if you don’t understand why (and when) addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will potentially get millions of pieces of information daily. The majority of this information will lead to false positives or be irrelevant to the organization’s business. The cost of this is double. First, there is the cost of using this information in your security equipment. Imagine trying to match millions of Indicators of Compromise with EDR log volume, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with these red herrings.
The best solution is to view threat intelligence obtained from third parties as a springboard for analysis, not the end result. For example, a stream might indicate that a file with a particular MD5 hash is malicious. Although your systems may not contain this exact file, they may contain variants unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far apart they are from the data in threat intelligence feeds is the next evolutionary step to becoming a true security practitioner.
3. Adopt a security-aware mindset. Threat intelligence isn’t something you have, it’s something you make. Don’t blindly buy a security product just because it exists; understand how it works and its limitations. Ask yourself the question: “How could an attacker escape it?” Security consumers would never ask such questions, while practitioners interact with teams and functions. They break down team siled thinking and facilitate two-way knowledge sharing. What a responder may attribute to “strange activity” could shed light on an active threat search case.
Functional walls around the security operations center (SOC), incident response, and search teams interfere with effective communication and information sharing. All three should inform each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat informants use threat intelligence platforms. Leaders need to formalize an operational structure that breaks down silos and reduces tool fragmentation that prohibits security awareness across teams.
Threat intelligence is great, but if you’re locked in a silo, its effectiveness is reduced. If you can break out of silos and apply context, intelligence can be transformed into actionable security insights specific to your organization. And for that to happen, a top-down appreciation of the value of that is required from the CEO and board down to security practitioners.