Threat Intelligence 2020

Give your threat intelligence an intelligence test

What’s marketed as threat intelligence isn’t always true to the label. Here’s how to know if what you’re getting is up to the task of protecting your business.


The saying "ask and you shall receive" seems to need a footnote or two these days: the furniture that arrives sized for a doll's house, the bouquet of red roses that turns out to be green spring onions, the 'magical' Christmas mug whose happy recipient we will never know.

Threat intelligence can also be a case of 'wrong item delivered.' Plenty of products are sold as threat intelligence but aren't, and customers may not realize they didn't get what they asked for. So how do you give your threat intelligence an intelligence test?

Threat intelligence is data analyzed

Threat intelligence identifies and analyzes the cyber threats aimed at your business. The key word is 'analyze': sifting through piles of data, using context to separate real problems from noise, and arriving at a response specific to the problem.

It is most often confused with "threat data." Threat data is a list of possible threats, with no analysis of context and no tailored response.

Threat intelligence should captivate your security team

Once upon a time, there were IP and URL blacklists. Early security products simply checked these lists to warn of a dangerous IP or URL. Over time, the volume of threat data grew exponentially, and it became hard to tell a real threat from a harmless one. Security software was never designed to process so many indicators of compromise, such as malicious file hashes, domains or botnet server addresses.

Some products marketed as threat intelligence include threat feeds and indicators of compromise, but without context – they’re just vast amounts of raw data.

This is a problem. Feeding security operations such 'intelligence' floods them with alerts, most of them false positives. Alert fatigue has a serious impact on the overall security of your company: research has found that 52 percent of security alerts are never investigated.

Reams of unprocessed, unstructured raw data shouldn’t even be called ‘useful,’ let alone ‘intelligence.’

Data, however relevant, is useless unless it comes with context and can be acted upon. With true threat intelligence, an InfoSec team can stop a breach early and protect the network, or recognize that what it is seeing is everyday malware that poses no serious threat.

Threat intelligence should tell your future

Identifying yesterday's threat is history. What matters now is the quality and breadth of the sources. Data that yields insight but offers no guidance for decisions and actions is not enough, and data whose coverage is limited, with no visibility into the darknet or no global, multilingual reach, cannot be processed into effective threat intelligence. Intelligence must help you anticipate how your business should prepare for and counter the threats ahead.

Threat intelligence should adapt to your organization

A threat intelligence solution must adapt to the organization's security needs. It should guide the organization in placing internal data collection points around its critical assets, then match that telemetry against external threat intelligence to identify threats.

Without this targeted approach, it cannot prioritize the information needed to defend key assets. As Helen Patton, Chief Information Security Officer (CISO) at Ohio State University, said in a 2019 Forbes article, "Threats are only a threat in the context of the risk to the business itself."

Threat intelligence can be acted on

Threat intelligence is something you can act on. It must integrate multiple sources of information into an organization’s security operations, through a single point of entry.

To be effective, the organization must be able to use both machine-readable and human-readable threat intelligence. Its delivery methods and formats must allow it to be smoothly integrated into existing security workflows.

Is it threat intelligence, or just threat data? Here is the test: it must be something that can be processed, integrated and converted into information you can act on immediately.

It must give unique insights into emerging threats, so security teams can prioritize alerts, maximize resources and accelerate decision-making. Does your organization’s threat intelligence pass? If not, it’s time to get what you were promised.
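As an added example, not code from the article or from Kaspersky, the Python sketch below makes the article's distinction concrete. `raw_matches` behaves like a blocklist: every log line that touches an indicator becomes an alert. `prioritized_alerts` weights each hit by the indicator's confidence and age and by the criticality of the internal asset that produced the log line, which is the "data collection points around critical assets" matched against external intelligence. The feed schema, asset inventory, log lines, scoring weights and threshold are all constructed for illustration.

```python
"""Match internal telemetry against an indicator feed, with and without context.

Added example, not Kaspersky code. The feed schema, asset inventory, log format
and scoring weights are all constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed indicator feed (the "threat data"). Everything besides `value`
# is the context a bare blocklist lacks.
FEED = [
    {"type": "domain", "value": "update-cdn.example.net", "confidence": 90,
     "last_seen": "2020-04-01T00:00:00Z", "context": "C2 for loader campaign"},
    {"type": "domain", "value": "ads.tracker-example.com", "confidence": 30,
     "last_seen": "2018-02-10T00:00:00Z", "context": "adware sinkhole, stale"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 70,
     "last_seen": "2020-03-28T00:00:00Z", "context": "credential phishing host"},
    {"type": "ipv4", "value": "198.51.100.22", "confidence": 20,
     "last_seen": "2019-01-01T00:00:00Z", "context": "shared hosting, many FPs"},
]

# Constructed internal asset inventory: the collection points around critical assets.
ASSETS = {
    "10.0.5.12": {"name": "fin-db-01", "criticality": 3},
    "10.0.9.44": {"name": "kiosk-lobby", "criticality": 1},
    "10.0.7.8": {"name": "hr-laptop-17", "criticality": 2},
}

# Constructed proxy/DNS log lines: "timestamp src_ip destination".
LOG_LINES = """\
2020-04-02T09:12:03Z 10.0.5.12 update-cdn.example.net
2020-04-02T09:13:41Z 10.0.9.44 ads.tracker-example.com
2020-04-02T09:15:00Z 10.0.7.8 203.0.113.7
2020-04-02T09:15:22Z 10.0.9.44 198.51.100.22
2020-04-02T09:16:05Z 10.0.5.12 www.example.org
""".splitlines()

# Fixed "now" so the age computation is reproducible.
NOW = datetime(2020, 4, 2, 10, tzinfo=timezone.utc)
UNKNOWN_ASSET = {"name": "unknown", "criticality": 1}


def _parse_ts(s):
    # fromisoformat() in older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(lines):
    """Split each constructed line into timestamp, source IP and destination."""
    records = []
    for line in lines:
        ts, src, dest = line.split()
        records.append({"ts": _parse_ts(ts), "src": src, "dest": dest})
    return records


def raw_matches(lines, feed):
    """Blocklist behaviour: every observed indicator value becomes an alert."""
    index = {ioc["value"]: ioc for ioc in feed}
    return [dict(rec, ioc=index[rec["dest"]])
            for rec in parse_log(lines) if rec["dest"] in index]


def freshness(ioc, now):
    """Decay an indicator's weight with age; old infrastructure gets reused or sinkholed."""
    age_days = (now - _parse_ts(ioc["last_seen"])).days
    if age_days <= 30:
        return 1.0
    if age_days <= 180:
        return 0.5
    return 0.1


def score(hit, assets, now):
    """Confidence x freshness x criticality of the asset that made the request."""
    asset = assets.get(hit["src"], UNKNOWN_ASSET)
    ioc = hit["ioc"]
    return round(ioc["confidence"] / 100 * freshness(ioc, now) * asset["criticality"], 3)


def prioritized_alerts(lines, feed, assets, now, threshold=1.0):
    """Keep only hits whose contextual score clears the threshold, highest first."""
    alerts = []
    for hit in raw_matches(lines, feed):
        s = score(hit, assets, now)
        if s >= threshold:
            asset = assets.get(hit["src"], UNKNOWN_ASSET)
            alerts.append({"asset": asset["name"], "dest": hit["dest"],
                           "score": s, "why": hit["ioc"]["context"]})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    print(len(raw_matches(LOG_LINES, FEED)), "raw blocklist hits")
    for alert in prioritized_alerts(LOG_LINES, FEED, ASSETS, NOW):
        print(alert)
```

On the constructed data the blocklist view raises four alerts, two of them against a low-criticality kiosk from stale, low-confidence indicators; the contextual view keeps only the finance database server talking to a fresh, high-confidence C2 domain and the HR laptop reaching a recently seen phishing host, with the reason attached so the analyst can act without re-deriving it. The weights are illustrative; a real deployment would take confidence and sightings from the feed provider and criticality from its own asset register.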

This article was published in April, 2020.


About authors

Senior Product Marketing Manager at Kaspersky, Artem Karasev, has worked with IT security market leaders for some 10 years. He's especially interested in innovation, threat intelligence and security assessment.