The Science of Threat Intelligence

Threat intelligence, a discipline rooted in large-scale analytics, is defining a new approach to attack detection, one that gives security organisations the ability “to recognise and act upon indicators of attack and compromise scenarios in a timely manner,” according to SANS Institute.

It’s a rifle-shot approach to a problem that has foiled previous shotgun tactics like locking down all the doors into the organisation.

Threat intelligence tools monitor network traffic and known points of exposure for indicators of an attack as it progresses. They then correlate those observations into a shared knowledge base that can be used to design prevention strategies at a macro level: a single indicator on one host is an event, but the same indicator seen across many hosts, customers or organisations is intelligence.

A simple example of a threat intelligence event is a failed login attempt. Unremarkable in isolation, a series of failed logins under the same username may indicate an attempted break-in. If the failures arrive in rapid succession, or if the attempted credentials follow a pattern of easily guessed passwords, it is a good bet that automation is at work and a larger-scale attack may be imminent. In practice the detection leans on timing and volume: most systems do not record the password that was tried, so the usable signals are how many failures occur per username or per source address inside a short window, and how many distinct usernames a single source cycles through.

The rise of threat intelligence indicates a shift in the way organisations are thinking about security. But there are still daunting problems to solve. One is sorting out the vast amount of information that needs to be examined.

So it’s not surprising that a recent survey by the Ponemon Institute found that 68% of US IT security managers said their teams spend a significant amount of time chasing false positives, and only 32% prioritise the alerts that actually need investigating. In other words, teams are in constant crisis mode, chasing signs of aberration without understanding what they mean. Only 39% of respondents to the Ponemon survey rated their ability to detect attacks as highly effective.

Thanks to big data, that may all be about to change. Dozens of vendors are working on solutions using the profusion of new big data analytics tools. These tools are still maturing, but they show great promise to work at the speed and scale that threat intelligence requires.

The good news, as reported by SANS Institute, is that 69% of respondent companies are implementing threat intelligence to some extent, though only about one-quarter are using it extensively. A 2015 Ponemon study found that one-third of security managers expect to increase their threat intelligence budgets significantly.

The greatest gains may actually come from a low-tech approach, however: sharing information. Like networks themselves, the value of threat intelligence grows as a function of the number of sources contributing information. But achieving that kind of harmony isn’t easy. Many companies are reluctant to disclose security information for fear that they could open themselves to attack or inadvertently reveal secrets. The Ponemon study found that only 24% of companies currently exchange threat intelligence with peers in the same industry.

Some vertical industry consortia are forming, and startups like TruStar are experimenting with anonymised reporting. But for now, most threat intelligence activities are confined behind the firewall. It doesn’t make sense for them to stay there, though. Like the open-source software that’s fueling the big data revolution, threat intelligence benefits most from an active community of contributors.

CSO

 
