Security

Busting common threat intelligence myths

By Chris Pace, Technology Advocate at Recorded Future
Security
Published: 28 June 2018

There are plenty of misconceptions surrounding threat intelligence, one being that it is only for elite security analysts, another that it causes more problems than it solves. These misunderstandings risk leading many security professionals to believe that bringing threat intelligence into their role is not advantageous. Even though many organisations want to better understand the threat landscape and proactively use intelligence, there is also a clear struggle in practically applying threat intelligence to security.

Common misconceptions explained
Some of the common assumptions around threat intelligence are as follows:

“It’s only for elite analysts”

Nothing could be further from the truth. Threat intelligence is about giving security professionals in any role or with any amount of experience the context and information they need to respond quickly and proactively to new threats.

“It’s just a bunch of PDF reports or streams of data”

Just like any other tool, intelligence can be good or bad. Genuine threat intelligence is real time, stripped of false positives, and present in a format designed to drive effective decision making.

“It causes more problems than it solves”

Poorly implemented threat intelligence risks being counterproductive and burying analysts under a mountain of false positives. Well-implemented threat intelligence does the reverse. It integrates with existing security technologies to provide analysts with what they need, where and when they need it.

Where does threat intelligence fit in?
Threat intelligence is about obtaining insights that inform action, and it is these insights that make threat intelligence an incredibly useful asset for every area of an organisation’s security strategy. To name a few, threat intelligence can be applied in security operations centres; incident response; and vulnerability management.

Security operations centres
The role of security operations centres (SOCs) is typically tailored to the specific needs of their organisation. Common responsibilities include: Incident prevention, detection and response; regulatory requirements; oversight of security people, processes, and technologies; and policy and process management. But there’s one duty that is near-universal to SOCs everywhere: monitoring security alerts from SIEM, IDS, EDR and other technologies to identify and respond to security events and incidents. In doing this, SOCs face four primary challenges: internal data is of limited use in isolation; the volume of alerts is overwhelming; it’s hard to identify what is important; and false positives and inaccuracies in external data are crippling.

Threat intelligence is a tailor-made solution for the difficulties faced by SOC analysts. By enriching incoming alerts with vital information and context, threat intelligence helps SOC analysts quickly cut away false positives and inaccurate information, while informing better and faster decision making.

The single greatest challenge for SOC analysts is time pressure — there is simply no time to be wasted. Therefore, a threat intelligence capability must go beyond providing mere data, which is already available in unmanageable quantities.

Incident response
The function of incident response is simple: to prepare for and respond to cybersecurity incidents. Many organisations are striving to make their incident response lifecycle faster and more proactive, but there are some matters that complicate this area of security. Vital information is often scattered across multiple sources, and speed is important as a delay in detection or response means greater loss.

Incident response teams generally face four major challenges: the cybersecurity skills gap; the increasing volume and sophistication of cyberattacks; increased response time due to overwhelmed analysts; and processes often reliant on disjointed technologies. However, threat intelligence can address these problems.

An analyst’s ability to respond to threats is proportional to their knowledge and experience however, threat intelligence arms analysts at all levels. Genuine threat intelligence provides incident response teams with only the insights they need to make better decisions, enabling analysts to handle incidents faster, more effectively, and more reliably.

Vulnerability management
Addressing a vulnerability focusses on two key concerns: how much of a security risk does this present and, if remediation requires a change to some aspect of infrastructure, what’s the risk of something breaking?

75% of all disclosed vulnerabilities appear online an average of seven days before they are listed in the National Vulnerability Database (NVD). That’s quite a head start for cybercriminals, so quick remediation is crucial. Threat intelligence helps take vulnerability management to the next level by providing the intelligence and context necessary to make risk-based patching decisions, and therefore aids the rapid remediation that’s required.

Threat intelligence for CISOs and security leaders
CISOs and other security leaders have a huge amount of responsibility within their organisation. It is, after all, their job to ensure the entire security function runs smoothly, and that the security, integrity, and availability of the organisation’s intellectual property and IT assets is maintained.

Perhaps the greatest challenge for CISOs and security leaders is how to balance available resources against the need to secure their organisations against an ever-evolving cyber threat. Threat intelligence addresses these issues by helping them to build a picture of the threat landscape, accurately calculate cyber risk, and arm security personnel with the intelligence and context they need to make better, faster decisions.

Genuine threat intelligence
Threat intelligence can be operationalised in a variety of roles and can play a central part in developing a proactive security strategy. Threat intelligence has the potential to add huge value to the processes mentioned above, but in order for this to happen it must display some key characteristics: it must be comprehensive; relevant; contextualised; and integrated. When armed with the right intelligence tools, security personnel across all functions and experience levels can work faster, more effectively and more reliably than ever before.