EDITOR'S QUESTION
JOHN SHIER, SENIOR SECURITY ADVISOR, SOPHOS
Importance of cyberthreat intelligence in combating new age threats
Information sharing of any kind is always useful while fighting threats. When done well it can force adversaries to continuously revise their tools, tactics and procedures. For once, we can turn the equation around and make the bad guys spend resources trying to get around our defences.
For example, instead of having one successful strategy to compromise an entire sector, maybe by applying some controls based on good threat intelligence we force them to spend time conjuring up 50 or 100 different strategies.
How to choose the right intelligence provider?
Decision makers need to start by looking at two things: which threats are most prevalent and disruptive to the business, and how will the intelligence be acted upon? If you are in the financial sector there's no point in worrying about threats targeting retail or industrial control systems. Once a particular threat intelligence product is selected, will you have the necessary resources to extract value from and operationalise the information? An organisation should not start consuming threat intelligence until they are prepared to act on the information they receive.
Organisations should also start slowly and assess their capabilities over time. It doesn't make sense to sign up for 10 different feeds if all that means is the security staff are overwhelmed by useless data and false positives.
"Organisations need to identify the useful and relevant feeds that can be integrated within their security operations."
The most important aspect of buying threat intelligence is to understand what makes up the feed. Is it an unstructured list of IPs and domains or a curated report of tools, tactics and procedures? Is the intelligence up to date and relevant to the industry? Consider first looking at what threat intelligence already exists in your own organisation. Are you already taking advantage of the information you are currently gathering?
Once you've identified your requirements for additional threat intelligence you will need to come up with a process for ingesting and acting upon it. That means having the right human resources to understand the information and apply the right controls. It might be great to add a list of known malicious IPs to your firewall, but what happens when the criminals change tactics, which they often do? Or what about the IPs you don't yet know about? All this running around adding and removing IPs from access lists is time-consuming and can drain your security personnel.
Threat intelligence should provide you with actionable threat intelligence, industry-specific campaign information and strategic guidance. It's up to each individual organisation to assess whether a particular threat intelligence product meets their specific requirements.
Common challenges that security teams often face when it comes to analysing and taking action on the threat data they have
It comes down to a couple of factors: quantity and quality.
Walk around a security show today and you will find an overwhelming number of vendors selling threat intelligence. The old adage of 'you get what you pay for' certainly applies with threat intelligence. There are plenty of free and low-cost feeds out there, but what is the quality of the information they provide and how many IOCs (indicators of compromise) need to be manually processed?
Finding the right balance of quality and quantity is very important for security teams to effectively use threat intelligence. Machine learning can help triage incoming information, but there still needs to be human input. It's going to be humans that will take the intelligence and turn it into processes, policies and controls, after all.
INTELLIGENTCIO, www.intelligentcio.com, 37