Today, the biggest gap in the cyber security of organizations is that companies work in isolation while criminals work in collaboration. This is exactly the reason for the sudden rise of a new domain in cyber security, which we refer to as “Threat Intelligence.”
A couple of years back, the focus of organizations was to get a SIEM for a consolidated view of the entire infrastructure and to minimize response time. Needless to say, the approach was always reactive. However, in the cat-and-mouse game between security professionals and cyber criminals, a proactive approach is the need of the hour. From my experience, the problem statement that “Threat Intelligence” as a service/platform addresses is,
“How do I monitor the bad traffic/activity in my network/infrastructure for which I do not have any rules in place?”
So how does the “intelligence” part of threat intelligence work? “It requires having one foot on the dark side.”
Example questions that consumers of this service are looking to answer include:
The infographic below from Forrester.com is enough to show the growing market for this new entrant in the cyber world.
After evaluating half a dozen top-notch threat intelligence vendors, I could see there are mainly two ways to offer this service/product.
In-House: Organizations that do not want their data to be sent out can opt for in-house, appliance-based products. Needless to say, this is the most costly option, but it meets data sovereignty requirements.
Cloud-Based: Minimal budget and no installation/deployment required at the client end; direct access to a cloud-based portal and feeds.
Any new domain appearing in the security space comes with a solution to a specific problem, and TI is no exception. However, in the race for market share, TI vendors keep adding more and more features to their products. Organizations looking to opt for a TI service need to focus on priorities based on MoSCoW (Must have, Should have, Could have, Won't have).
Must Have
a. Feeds:
   - Malicious IPs, URLs and domains, categorized as Malware/CnC/Spyware/Phishing
   - Malicious file hashes, categorized as Malware/CnC/Spyware/Phishing
   - Malicious file names, categorized as Malware/CnC/Spyware/Phishing
b. A portal to view dashboards and reports, with search capability.
c. Easy integration with SIEM products.
d. Advisories on the latest breaches, campaigns, threat actors and region/company/sector-specific threats.
e. A credible certainty/threat score for every feed entry.
Should Have
a. Real-time monitoring of the organization's public IPs/domains.
b. STIX/TAXII/YARA/CybOX support for importing and exporting feeds to and from other products/vendors.
c. Phishing emails/domains as a feed.
d. A minimum update frequency of one hour for feeds and information in the portal.
Could Have
a. Sandboxing capability for suspected attachments.
b. Secure sharing of intelligence with the community and the public.
c. Brand protection by searching the dark web for any data leakage and possible breach.
d. Detailed information about the feeds (actors, targets, sources of identification) to give an idea of the motive and means of attack.
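As an added illustration of the Must Have items above (categorized feeds carrying a certainty score, and integration with the SIEM's log data), the following Python is not from the original article or any vendor: it matches a constructed feed against constructed proxy log lines and keeps only hits at or above a score threshold, ranked by certainty. The feed format, the log format and all indicator values are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed feed (not real indicators) with the category and certainty score the article requires.
FEED = [
    {"indicator": "203.0.113.10", "type": "ip", "category": "CnC", "score": 90},
    {"indicator": "198.51.100.0/24", "type": "cidr", "category": "Malware", "score": 60},
    {"indicator": "bad.example", "type": "domain", "category": "Phishing", "score": 75},
    {"indicator": "0123456789abcdef" * 2, "type": "md5", "category": "Spyware", "score": 40},
]
# Constructed proxy log lines in a made-up "ts host dst= url= md5=" format.
LOGS = [
    "2024-01-01T10:00:00Z host1 dst=203.0.113.10 url=http://203.0.113.10/beacon md5=-",
    "2024-01-01T10:01:00Z host2 dst=198.51.100.77 url=http://198.51.100.77/x md5=-",
    "2024-01-01T10:02:00Z host3 dst=10.0.0.5 url=http://login.bad.example/ md5=-",
    "2024-01-01T10:03:00Z host4 dst=10.0.0.6 url=http://files.internal/a.exe md5=" + "0123456789abcdef" * 2,
    "2024-01-01T10:04:00Z host5 dst=10.0.0.7 url=http://intranet/ md5=-",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+) md5=(?P<md5>\S+)$")

def ioc_matches(ioc, dst, hostname, md5):
    """True if one feed entry applies to the parsed log fields."""
    kind, value = ioc["type"], ioc["indicator"]
    if kind == "ip":
        return dst == ipaddress.ip_address(value)
    if kind == "cidr":
        return dst in ipaddress.ip_network(value, strict=False)
    if kind == "domain":  # exact match or any subdomain of the listed domain
        return hostname == value or hostname.endswith("." + value)
    if kind == "md5":
        return md5.lower() == value.lower()
    return False

def triage(lines, feed, min_score=50):
    """Match log lines against the feed, drop hits below min_score and
    return the rest highest certainty first, so analysts work the top (80/20)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        f = m.groupdict()
        dst = ipaddress.ip_address(f["dst"])
        hostname = urlparse(f["url"]).hostname or ""
        for ioc in feed:
            if ioc["score"] >= min_score and ioc_matches(ioc, dst, hostname, f["md5"]):
                hits.append({"host": f["host"], "indicator": ioc["indicator"],
                             "category": ioc["category"], "score": ioc["score"]})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

With the default threshold the low-certainty hash hit on host4 is dropped; lowering min_score to 0 surfaces it, which is the trade-off the certainty score exists to control.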
A Threat Intelligence service must not be considered a replacement for any existing technology/tool. It is always a supplement to, not a substitute for, the security infrastructure already in place. A TI service can effectively be used in conjunction with a SIEM in two ways.
Though lots of startups have realized the potential in this space and are in the market competing with the big fish, there are a few who are setting the benchmark and can be looked into seriously.
Finally, the focus of a SOC must be to optimize the inputs being received, prioritize them and act following the 80/20 rule, as there is too much data to make sense of when the organization has a limited staff of security operations center analysts or threat analysts.
Source: resources.infosecinstitute.com