I doubt the creators of The Princess Bride knew that Inigo Montoya's line – "You keep using that word. I do not think it means what you think it means." – would be quoted so widely over the years. It captures a disconnect that I believe underlies many human interactions: the assumptions we each bring to a discussion that can keep us from really hearing and understanding the other side. That bias can be so strong that we are not even aware of how it shapes our ability to have a meaningful conversation.
An example from the world of cyber security is the way people talk about threat intelligence. It is a loaded, even poisonous term. I know this is ground that has been covered before, but hear me out. People carry biases about what threat intelligence is, so they make assumptions in conversations, and those assumptions are rarely acknowledged, let alone discussed. There is no other way to improve security: we must open our minds and examine these basic assumptions.
So let's start with Gartner's definition of threat intelligence and work outward from there:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Yet many simply equate this definition with external sources of threat data. They assume, and then filter everything through the assumption, that threat intelligence is the same thing as external threat data. But what about internal data – the telemetry, content and data generated by every layer of our security architecture, which we already have for free? Read the Gartner definition again. It says nothing about external or internal data; it talks about knowledge and context.
If you define threat intelligence as external data, you cannot evaluate it properly or use it to its full potential. Think about it. Organizations consume multiple external feeds in their security operations, and two separate reports – the Carnegie Mellon University study I referred to earlier and new research presented at the 29th USENIX Security Symposium – reached nearly identical conclusions. The more recent study found virtually no overlap between two major commercial vendors and four large open threat intelligence feeds. Even for 22 specific threat actors that both vendors claim to track, the overlap between their indicator sets was only 2.5% to 4.0%. Without a way to filter all of this disparate content, security analysts end up drowning in data. But when you start with internal data, events and telemetry, and then add external data to put what your internal systems are telling you into context, something special happens. You understand relevance and can focus on what is a priority for your organization. With a more complete picture of what is happening in your environment, you can identify and respond to threats more effectively. That is the real value of threat intelligence, and it is simply not possible when external threat data is considered in isolation.
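Measuring that overlap for your own feeds is straightforward once indicators are normalized; the added example below (not code from the column or from ThreatQuotient, and using constructed feeds with documentation-range IPs and example domains) undoes common defanging before comparing sets, because raw string comparison of feeds that defang differently reports far less overlap than actually exists.

```python
"""Indicator overlap between threat feeds (added example, constructed data)."""
import re
from itertools import combinations

# Constructed sample feeds: two hypothetical commercial vendors and one open feed.
# Values are RFC 5737 documentation addresses and example.* domains, not real indicators.
FEEDS = {
    "vendor_a": ["hxxp://bad.example[.]com/x", "192.0.2.10", "EVIL.example.net.", "203.0.113.7"],
    "vendor_b": ["http://bad.example.com/x", "192.0.2.11", "evil.example.net", "198.51.100.5"],
    "open_1": ["192.0.2.10", "198.51.100.5", "phish.example[.]org"],
}


def normalize(indicator: str) -> str:
    """Undo common defanging and casing so the same indicator compares equal across feeds."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)          # hxxp:// -> http://
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return s.rstrip(".")                                   # drop trailing dot on FQDNs


def overlap(a: set, b: set) -> tuple:
    """Return (Jaccard index |a&b|/|a|b|, share of a that also appears in b)."""
    inter = len(a & b)
    return inter / (len(a | b) or 1), inter / (len(a) or 1)


def overlap_report(feeds=FEEDS, normalize_first=True) -> dict:
    """Pairwise overlap for every feed pair, keyed by (feed_x, feed_y)."""
    sets = {
        name: {normalize(i) if normalize_first else i for i in items}
        for name, items in feeds.items()
    }
    return {(x, y): overlap(sets[x], sets[y]) for x, y in combinations(sets, 2)}
```

With the constructed feeds, vendor_a and vendor_b share two of six distinct indicators after normalization and none before it.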
By combining internal and external threat data you create a data set that is tailored to your organization. That starts with viewing threat intelligence as a capability, not just another feed to be consumed in the Security Operations Center (SOC). This capability becomes the foundation for a number of use cases – spear phishing, threat hunting and incident response among them – delivering exponentially higher value.
Take a simple incident scenario. A SIEM alert indicates a connection from a device to an unknown IP address. Querying Active Directory gives you context on the device and its user; if the device belongs to a C-level executive, that may raise the priority of the incident. You can also check your ticketing system, endpoint detection and response (EDR) tools, sandbox or other systems to see whether the indicator has been seen before, raise the priority further and gather related information. External data can then add context: the association of that IP address with a particular campaign, the tactics, techniques and procedures (TTPs) associated with that campaign, other artifacts to look for and the actions to take. Analysts quickly get a more complete picture, understand the incident better, respond more effectively and strengthen the organization's security posture.
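The scenario above as a small enrichment routine, added here as an illustration rather than code from the column or any ThreatQuotient product: the Active Directory, EDR and external-feed lookups are constructed in-memory dictionaries, the scoring weights and the internal network ranges are assumptions, and the campaign name is a placeholder. Internal context is applied first, and external intel is consulted only for destinations outside the organization's own ranges.

```python
"""Enrich a SIEM alert with internal context, then external intel (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for Active Directory, EDR and an external feed; not real systems or indicators.
AD_DEVICES = {"LT-0042": {"owner": "jdoe", "title": "CFO"},
              "LT-0077": {"owner": "asmith", "title": "Analyst"}}
EDR_DETECTIONS = {"LT-0042": ["suspicious script interpreter launch"], "LT-0077": []}
EXTERNAL_INTEL = {"203.0.113.7": {"campaign": "CAMPAIGN-PLACEHOLDER", "ttps": ["T1071"],
                                  "related": ["bad.example.com"]}}
C_LEVEL = {"CEO", "CFO", "CIO", "CISO", "COO"}
# Assumed organization-owned ranges; connections inside them are not looked up externally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Enriched:
    alert: dict
    priority: int = 1                      # 1 = low ... 5 = critical (assumed scale)
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


def enrich(alert, ad=AD_DEVICES, edr=EDR_DETECTIONS, intel=EXTERNAL_INTEL) -> Enriched:
    e = Enriched(alert=alert)
    host, dst = alert["host"], alert["dst_ip"]
    # 1. Internal context: who owns the device and what has the endpoint already seen?
    dev = ad.get(host)
    if dev:
        e.context["owner"] = dev
        if dev["title"] in C_LEVEL:
            e.priority += 2
            e.actions.append("escalate: executive device")
    hits = edr.get(host, [])
    if hits:
        e.context["edr"] = hits
        e.priority += 1
        e.actions.append("pull EDR timeline for host")
    # 2. External intel puts the flagged indicator in context; skip it for internal destinations.
    if not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
        ti = intel.get(dst)
        if ti:
            e.context["intel"] = ti
            e.priority += 1
            e.actions += [f"hunt for {r} across telemetry" for r in ti["related"]]
    e.priority = min(e.priority, 5)
    return e
```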
We must dispel the assumptions that limit threat intelligence and, with it, the effectiveness of the SOC. When intelligence becomes a capability, not just a subscription to a feed, we can use its full value as the foundation for security operations. And it starts with internal data – it's free!
Marc Solomon is director of marketing at ThreatQuotient. He has a strong track record of driving growth and building team spirit at fast-growing security companies, contributing to several successful exits. Prior to ThreatQuotient, he was vice president of security marketing at Cisco following its $2.7 billion acquisition of Sourcefire. At Sourcefire, Marc served as CMO and SVP. He has also held executive positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc is also an advisor to several technology companies, including Valtix.