Why good threat intelligence is no longer limited to the security privileged

21 Nov 2018

Image: © raduga21/Stock.adobe.com

Recorded Future’s Chris Pace makes the case for threat intelligence that is accessible to infosec professionals of all levels.

For many organisations, the concept of high-level threat intelligence is something achievable only by the world’s most elite security professionals – secretive governmental organisations and mega-corporations with unlimited budgets. Even among those businesses that do believe threat intelligence is more accessible, it is often seen as a stream of incomprehensible data that can raise more questions or cause more challenges than it solves.

However, while it might once have been limited to the most advanced analysts in the industry, developing technology and a rapidly expanding market mean that threat intelligence can now be accessed by security professionals of any role and experience level.

If it is presented in real time and properly implemented into the organisation’s operations, genuine threat intelligence will provide security analysts with the data and insights they need to tackle advanced threats.

‘With so much data available and so many potential threats to consider, it can be extremely difficult to sort through the security alerts and separate out the false positives and inaccuracies’

A security team armed with access to good threat intelligence can use it to inform actions across the organisation, from security operation centres (SOCs) dealing with daily threats through to high-level strategic decisions by executive leadership.

Enhancing vulnerability management 

With the level and volume of cyberthreats continuing to grow, it has become increasingly important for organisations to undertake vulnerability management assessments to identify and mitigate weaknesses in their systems before they can be exploited by attackers.

Most businesses understand that they cannot completely guarantee security, so vulnerability management efforts generally need to assess how high a security threat an issue presents, and the cost and associated risks of remediation.

Access to threat intelligence can be absolutely invaluable to this assessment, as it allows an organisation to look beyond its own walls and gather context from the wider security landscape. For example, sources might indicate that a particular software vulnerability has been heavily exploited in a recent attack campaign, and so it should be a high priority to patch the related systems. Analysts can also discover potential threats as soon as they emerge and immediately take action. Three-quarters of all disclosed vulnerabilities appear online an average of seven days before they are listed in the National Vulnerability Database, so organisations should not always rely on other sources to alert them of threats.

Dealing with emerging threats

Alongside addressing potential security vulnerabilities in advance, organisations also need to have a strong incident response plan in place to act swiftly when a cyberattack does occur. Good incident response capabilities can make the difference between a minor security incident and a serious breach with major consequences for the business.

However, incident response teams face a number of major challenges, including disjointed technologies that provide overwhelming and fragmented streams of data, and a shortage of sufficiently skilled and experienced security analysts. With cybercriminal strategies proving to be increasingly adept at obfuscating and misdirecting investigations, these issues can greatly slow down incident response efforts and increase the risk of serious damage.

Genuine threat intelligence can help to tackle these challenges by arming incident response teams with the insights they need to make rapid and decisive decisions in the face of an attack in progress. A threat intelligence system that is able to break sources down into relevant and usable chunks will ensure that even small and understaffed teams are able to use the data correctly and act swiftly.

Boosting the capabilities of SOCs

An SOC serves as the hub for an organisation’s security efforts, with the primary focus being the monitoring of security alerts from SIEM (security information and event management), IDS (intrusion detection systems), EDR (endpoint detection and response) and other technologies to identify and respond to security events and incidents.

While they act as the nerve centre for all security data in the organisation, SOCs often struggle with making sense of the sheer complexity and volume of information flowing into them. With so much data available and so many potential threats to consider, it can be extremely difficult to sort through the security alerts and separate out the false positives and inaccuracies.

Threat intelligence provides a solution to this problem not by simply adding more data to the pile, but by providing essential context to the information. Security alerts are filtered to include only relevant data, enriched with vital information to help SOC analysts make sense of the streams of data and make faster decisions.

Genuine threat intelligence for security decision-makers

While threat data is invaluable for tackling daily cyberthreats, a good source of intelligence is also extremely important for the CISO and other security leaders tasked with taking the long view of protecting their organisation.

One of the biggest barriers to a successful security strategy is the balancing act between security demands and available resources. A lack of budget and access to personnel in a demanding security market means it can be difficult to initiate a proactive approach to security rather than simply reacting to incoming threats.

The context that comes with genuine threat intelligence enables decision-makers to see the big picture of the current threat landscape and be confident that they are allocating resources in the most effective way.

However, while threat intelligence can improve everything from incident response to long-term corporate security strategy, these benefits can only be fully realised with the right kind of intelligence. To truly make a difference, intelligence must be comprehensive, relevant, contextualised and integrated. Companies investing in threat intelligence without these factors will likely only be gaining yet more noise.

By Chris Pace

Chris Pace works as a content and product marketing director at Recorded Future, engaging and educating audiences on the power of real-time threat intelligence using his experience delivering security solutions to all kinds of organisations. Before beginning a career in information security, Pace trained as a broadcast journalist and also has worked in IT departments in the public and private sectors.