Defending your business and customers against cyber threats starts with understanding what you’re up against. That may sound pretty obvious; studying the adversary is a common practice. In sports it’s done all the time. Teams watch hours of game film of their upcoming opponents to understand strengths and weaknesses and devise winning strategies and plays. Medical professionals do this too. For complex procedures, surgeons study medical models and CT or MRI scans to come up with a detailed plan that accounts for potential difficulties or findings that may arise during the operation. But when it comes to cyber security, instead of looking outward, we’ve become accustomed to traditional security approaches that start at the perimeter and focus inward. In today’s increasingly connected and digital world we need to expand our perspective to look outside the walls of the enterprise as well.
The attack perimeter is rapidly expanding, largely due to mobility, the cloud, and the Internet of Things (IoT). Every new tablet, cloud-based app, or IoT device gives adversaries a new target and an opening for new techniques. In response we layer on more defenses and, when we can, create another ‘perimeter’ around every new device. This focus on company boundaries keeps us looking inward, grappling with dozens of security tools while playing a game of whack-a-mole, seeing and reacting to events inside the network.
To help you understand your adversary, threat intelligence focuses on the world outside of the company perimeter. It sifts through an unlimited universe of threat data to help you see what is happening, analyze it, and take action. It allows you to become more proactive and anticipatory by profiling not only the attack, but attackers who rapidly change their tools, techniques, and procedures (TTPs) to evade defensive technologies.
There’s a lot of talk about threat intelligence. Security teams are either being told by their management to get it, or they’ve attended a conference and realized they need to add threat intelligence to their security program. Many organizations are in the midst of creating their own Security Operations Centers, incident response capabilities, and threat intelligence teams. As they build their threat intelligence operations they acquire multiple data feeds, some from commercial sources, some open source, and some from their existing security vendors – each in a different format. Without tools and insight that automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data just becomes more noise. Organizations are unable to move away from reactive defense to an intelligence-driven approach to security – one where intelligence can be used across all layers of your security infrastructure for an integrated defense and integrated response.
It’s a situation that’s eerily similar to the trajectory of traditional defense-in-depth security programs. Security teams have become hampered by point solutions retroactively applied to defend an expanding attack surface. With technologies and tools that don’t integrate or share information, they’re bogged down by complexity.
To avoid a similar scenario, intelligence-driven security starts with changing how we collect and manage the millions of points of threat data that analysts are bombarded with every day. To establish a solid foundation for intelligence-driven enterprise security, what’s needed is a different way to bring all this global data together in one manageable location, translate it into a uniform format, and correlate it with local data, events, and context. With all your threat data in one place and usable for ingestion, analysis, and exporting, you’re well on your way to expanding your security perspective to better defend against cyber threats.
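As an added illustration of the two steps just described (not code from the original article), the script below takes two constructed feeds that describe overlapping indicators in different formats, merges them into one uniform table that records every source and the highest confidence per indicator, and then correlates that table against a few constructed local connection records. Feed layouts, field names, and the sample values are all assumptions made for the example.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds: two sources, two formats, overlapping content.
FEED_CSV = """indicator,type,confidence
203.0.113.7,ip,70
bad.example.net,domain,90
"""
FEED_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ipv4", "score": 85},
    {"value": "198.51.100.9", "kind": "ipv4", "score": 60},
])

# Map each vendor's type label onto one uniform vocabulary.
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain"}

def normalize_feeds(csv_text, json_text):
    """Merge both feeds into one table keyed by (type, value).
    Each entry keeps every source that reported it and the highest confidence."""
    merged = defaultdict(lambda: {"sources": set(), "confidence": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (TYPE_MAP[row["type"]], row["indicator"])
        merged[key]["sources"].add("feed_csv")
        merged[key]["confidence"] = max(merged[key]["confidence"], int(row["confidence"]))
    for item in json.loads(json_text):
        key = (TYPE_MAP[item["kind"]], item["value"])
        merged[key]["sources"].add("feed_json")
        merged[key]["confidence"] = max(merged[key]["confidence"], int(item["score"]))
    return dict(merged)

def correlate(indicators, events, min_confidence=50):
    """Match local events (constructed proxy/firewall records) against the merged table."""
    hits = []
    for ev in events:
        for kind, field in (("ip", "dst_ip"), ("domain", "host")):
            entry = indicators.get((kind, ev.get(field)))
            if entry and entry["confidence"] >= min_confidence:
                hits.append({"event": ev["id"], "indicator": ev[field],
                             "sources": sorted(entry["sources"]),
                             "confidence": entry["confidence"]})
    return hits

# Constructed local events: one outbound IP match, one domain match, one clean.
LOCAL_EVENTS = [
    {"id": 1, "dst_ip": "203.0.113.7", "host": None},
    {"id": 2, "dst_ip": "192.0.2.10", "host": "bad.example.net"},
    {"id": 3, "dst_ip": "192.0.2.11", "host": "ok.example.org"},
]

if __name__ == "__main__":
    for hit in correlate(normalize_feeds(FEED_CSV, FEED_JSON), LOCAL_EVENTS):
        print(hit)
```

Because the merged table records which feeds reported an indicator, an analyst can see at a glance that the IP hit is corroborated by two sources while the domain hit rests on one.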