Security Experts:

The Goldilocks Effect of Cyber Threat Data

In the world of big data there’s something I refer to as “the Goldilocks effect” and it’s particularly problematic when it comes to cyber threat data. Too much data and you’re looking for a needle in a haystack. Too little data and you’re not getting a broad enough picture of the potential threat activity that’s happening globally and locally. Ultimately Goldilocks found the chair, the bowl of porridge and the bed that were “just right” for her. How do you determine the amount and mix of data that’s “just right” for your organization? To answer this question it helps to understand what’s driving the need for data in the first place.

In an attempt to understand increasingly stealthy and malicious adversaries, organizations are turning to threat intelligence that focuses on the world outside of the company perimeter. As they build their threat operations and strive to get the right coverage of intelligence they use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors. Dealing with this much data, each in a different format, soon becomes overwhelming. But how can you narrow it down?

You’d think there would be significant overlap among data sources but this study by Carnegie Mellon University shows that’s not the case. Analyzing just one aspect of external threat data, the blacklist ecosystem, researchers found that over an 18-month period the contents of blacklists generally do not overlap. In fact, of the 123 lists (which each included anywhere from under 1,000 to over 50 million indicators) most indicators appeared only on a single list. No wonder you feel like you’re looking for a needle in a haystack – you are! At the same time, the report goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” So even though you have millions of threat-focused data points, you still don’t have a complete picture, which is why you add more sources.

Exacerbating the situation, you also have a significant amount of internal threat and event data at your disposal. In fact, many security professionals suffer from a phenomenon called ‘alert fatigue’ – getting overwhelmed by the volume of alerts from sources including their security information and event management (SIEM) system, log management repository, ticketing and case management systems. You definitely need to include this data in your threat operations program. Yet recent ESG research finds that 42 percent of security professionals say their organization ignores a significant number of security alerts due to the volume and more than 30 percent say they ignore more than half!

So how do you deal with data overload and figure out the amount of data that’s just right? You need to consider two factors: your risk profile and your resources.

Risk profile: Every organization has a certain amount and type of risk it is willing to accept. Understanding your risk profile allows you to determine what types of threat data you need to acquire and analyze. For example, if you don’t do business in certain countries or industries then you can de-prioritize threat intelligence feeds specific to those segments. If you cull the number of feeds and prioritize based on your risk profile, you may find you can add more feeds over time depending on the capacity of your team and capabilities of your threat operations program. If you don’t have a formalized and documented risk profile then you need to develop one in collaboration with stakeholders across your organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and information risk management professionals.

Resources: Whatever the actual number you acquire, multiple threat feeds are a fact of life for security teams that are already pushed to their limits. You need a way to work smarter, not harder, with a threat operations program that aggregates all your external data in one manageable location and automatically translates it into a uniform format for analysis and exporting. Augmenting and enriching this data automatically with events and associated indicators from inside your environment provides the context to understand the who, what, where, when, why and how of an attack. You can use threat scores to whittle down the data set further. But relying on generic, “global” scores from intelligence feed vendors can actually create noise as well as false positives since the scores are not within the context of your company’s specific environment. A threat operations program that enables customized threat intelligence scores based on parameters you set allows for prioritization based on what’s relevant to your specific environment. Systems can now look for the most important and relevant threats, minimizing alerts that are just noise or are false positives.

Your risk profile and initial intelligence scores should be constantly reevaluated and adjusted as your business and operational environment evolves and new data and context become available. For example, additional intelligence gained over time could raise or lower a threat score depending on the weights and priorities you assign to different attributes – like the threat vector, industry or geography being targeted. If you’re a financial institution and an adversary shifts their focus from the retail sector to financial services, you would want the score to be updated automatically from medium to high. Likewise, if you enter new markets or your attack surface expands as your business model shifts, your risk profile and threat scores will need to change as well.
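As an added illustration of the aggregation and customized scoring described above (example code, not ThreatQuotient's or the column's own), this Python sketch folds records from two constructed feeds with different field names into one uniform record per indicator, scores each against a constructed bank's risk profile, and re-scores when new intelligence says the actor has moved from retail to financial services. Feed names, field names, indicator values, weights and thresholds are all assumptions.

```python
from collections import defaultdict

# Organization's risk profile: the weights it assigns to attributes it cares about (constructed).
RISK_PROFILE = {
    "sectors": {"financial": 40},             # a bank: retail-targeted intel is de-prioritized
    "regions": {"US": 20, "EU": 20},          # where the business operates
    "vectors": {"phishing": 25, "malware": 15},
    "vendor_weight": 0.2,                     # how much the feed's generic "global" score counts
}
THRESHOLDS = [(70, "high"), (40, "medium"), (0, "low")]

# Constructed feed records; each feed uses its own field names, as real feeds do.
FEEDS = [
    ("vendor_x", {"value": "ioc", "score": "risk", "sectors": "industry", "regions": "geo", "vectors": "ttp"},
     [{"ioc": "198.51.100.7", "risk": 90, "industry": ["retail"], "geo": ["US"], "ttp": ["phishing"]},
      {"ioc": "bad.example", "risk": 85, "industry": ["retail"], "geo": ["APAC"], "ttp": ["malware"]}]),
    ("osint_list", {"value": "indicator"},
     [{"indicator": "203.0.113.9", "score": 30, "sectors": ["financial"], "regions": ["EU"],
       "vectors": ["phishing"]}]),
]

def merge_feeds(feeds):
    """Translate every feed's records into one uniform record per indicator value."""
    merged = defaultdict(lambda: {"sources": set(), "vendor_scores": [],
                                  "sectors": set(), "regions": set(), "vectors": set()})
    for name, fmap, records in feeds:          # fmap maps uniform names to this feed's keys
        for rec in records:
            m = merged[rec[fmap["value"]]]
            m["sources"].add(name)
            m["vendor_scores"].append(rec.get(fmap.get("score", "score"), 0))
            for attr in ("sectors", "regions", "vectors"):
                m[attr].update(rec.get(fmap.get(attr, attr), []))
    return dict(merged)

def score(record, profile=RISK_PROFILE):
    """Customized score: weighted profile matches plus a small slice of the vendor's global score."""
    pts = sum(profile[a].get(v, 0) for a in ("sectors", "regions", "vectors") for v in record[a])
    return min(100, round(pts + profile["vendor_weight"] * max(record["vendor_scores"], default=0)))

def label(s):
    return next(lbl for cut, lbl in THRESHOLDS if s >= cut)

def enrich(merged, value, **attrs):
    """New intelligence arrives (e.g. the actor now targets financial): extend the record, re-score."""
    for attr, vals in attrs.items():
        merged[value][attr].update(vals)
    return label(score(merged[value]))
```

Run `merge_feeds(FEEDS)` and score each record: the vendor's 85-point `bad.example` lands as "low" for this bank while the 30-point OSINT indicator lands as "high", and `enrich(merged, "198.51.100.7", sectors=["financial"])` moves that indicator from "medium" to "high".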

The Goldilocks effect is something all security teams face and it will only increase as the number and variety of threat data sources continues to expand. By understanding your risk profile and adopting a threat operations program that can adapt to your specific and evolving environment, you can identify and utilize the data that’s “just right” for your organization.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.