With Transparency and Customized Scoring, You Cancel Out The Noise That’s Distracting Your Threat Intelligence Team
Whenever I get on a plane, I’m grateful for my noise-canceling headphones. They filter out distracting sounds and conversations so I can focus on whatever I need to – a podcast, an audiobook, or catching up on work or sleep.
It got me thinking about the unwanted noise organizations are dealing with as they build their threat intelligence operations and acquire multiple data feeds, some from commercial sources, some open source, and some from their existing security vendors. And let’s not forget the internal data and intelligence. Talk about distractions! Without a way to deal with the overload, that data quickly becomes noise. Security operations and threat intelligence teams need the equivalent of noise-canceling headphones so they can focus on the data that matters to them.
One way to filter out noise is by using expiration strategies, which I discussed in my previous column. Another important aspect is prioritization through risk scoring. Many threat data feed and security vendors publish risk scores. But because they must cater to customers across all verticals, these scores are generic and lack company-specific context, which dilutes their relevance. To make matters worse, you may not have visibility into why a score was assigned, so you can’t make an informed decision about how, or whether, you should act on that data. Your team could end up spending hours mitigating risk against an adversary or attack that may not even be targeting your industry, let alone your company.
However, there are strategies you can use so that the risk score is more relevant and useful within your specific environment.
To control your own destiny and squeeze every ounce of benefit from threat intelligence, you need to start with scores that you can customize based on parameters you set. This empowers you to redefine how scores should be calculated.
These parameters are driven by multiple factors, including:
• Indicator source
• Indicator type
• Indicator attributes or context
• Adversary attributes
The ability to customize the threat intelligence score allows you to prioritize threats to your organization (thus removing noise at the same time) and continuously re-align intelligence to your own risk posture. Let’s take a closer look at how.
Threat intelligence providers offer “global” risk scores based on their own research and visibility across all of their customers, so you can’t simply take them at face value. To truly maximize your threat intelligence you need to be able to recalculate scores when needed, before you bring the threat data into your environment. With your own set of predefined scoring parameters you can do this. For instance, if an indicator has a high risk score because it targets the retail sector and you’re a financial services firm, the score shouldn’t translate directly. The indicator may still pose a threat, but not at the same level as it does to the industry being targeted. You need to be able to refine the score based on your own vantage point and not that of the provider.
The initial intelligence score is important, but you also need to be able to constantly reevaluate that score as new data and context become available. For example, if a pre-existing indicator “re-enters” the system, the fact that a second (or third or fourth) source is reporting it means you need to take a fresh look at the score of that indicator. Additional intelligence gained over time could raise or lower the threat score depending on the weights and priorities you assign to different attributes – like the threat vector, industry or geography being targeted. In the earlier example, an adversary may have shifted their focus from the retail sector to financial services, so you would want the score to be updated automatically from medium to high.
The ability to redefine, recalculate and reevaluate threat scores for your specific environment allows you to take a more strategic approach to how you use that threat intelligence – deploying the right intelligence to the right tools with greater confidence and reliability. For example, intelligence with higher threat scores can be deployed to blocking technologies (firewalls, IPS, etc.). Intelligence that poses less of a threat, or that you are less confident in, can be distributed to detection technologies (IDS, NetFlow analysis, etc.), where a false positive costs an analyst some time rather than causing an outage. This helps minimize false positives while stopping real threats faster, and optimizes the use of existing, and often overburdened, resources.
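The recalculate-on-ingest and score-based routing described in the last three paragraphs, as an added example that is not code from the original column. It is a small scoring engine that re-weights a provider’s generic score with organization-specific parameters (indicator source, indicator type, targeted industry and geography, adversary activity), re-scores an indicator when a second source reports it, and routes the result to a blocking or detection tier. All weights, thresholds, feed names and indicator values are constructed for illustration; a real deployment would tune them to its own risk posture.

```python
"""Customizable threat-intelligence risk scoring (illustrative, constructed parameters)."""
from dataclasses import dataclass, field

# Organization-specific parameters (hypothetical values for a financial services firm).
MY_INDUSTRY = "financial_services"
MY_REGIONS = {"US", "UK"}

SOURCE_CONFIDENCE = {      # how much we trust each feed, 0..1 (constructed feed names)
    "commercial_feed_a": 0.9,
    "osint_feed_b": 0.5,
    "internal_ir": 1.0,
}
TYPE_WEIGHT = {            # how actionable each indicator type is for our tooling
    "ip": 0.8, "domain": 0.9, "url": 0.9, "hash": 1.0,
}
BLOCK_THRESHOLD = 70       # >= this: push to blocking tools (firewall, IPS)
DETECT_THRESHOLD = 40      # >= this: push to detection tools (IDS, NetFlow)


@dataclass
class Report:
    """One observation of an indicator from one feed (constructed input shape)."""
    source: str
    value: str
    ind_type: str
    provider_score: int                 # the feed's own generic 0..100 score
    industries: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    adversary_active: bool = False      # campaign reported as ongoing


@dataclass
class Indicator:
    """Merged view of everything every source has told us about one indicator."""
    value: str
    ind_type: str
    provider_score: int
    industries: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    sources: list = field(default_factory=list)
    adversary_active: bool = False


def context_multiplier(ind: Indicator) -> float:
    """Scale the provider score up or down from our own vantage point."""
    m = 1.0
    if ind.industries:   # targeted sector known: boost if it is ours, discount if not
        m *= 1.25 if MY_INDUSTRY in ind.industries else 0.7
    if ind.regions:      # same idea for geography
        m *= 1.1 if ind.regions & MY_REGIONS else 0.8
    if ind.adversary_active:
        m *= 1.15
    return m


def source_factor(ind: Indicator) -> float:
    """Confidence of the most trusted reporting source, plus a corroboration bonus per extra source."""
    if not ind.sources:
        return 0.0
    best = max(SOURCE_CONFIDENCE.get(s, 0.3) for s in ind.sources)   # unknown feeds get 0.3
    return min(1.0, best + 0.1 * (len(ind.sources) - 1))


def score(ind: Indicator) -> int:
    """Recalculated 0..100 score: provider score x type weight x context x source confidence."""
    raw = (ind.provider_score * TYPE_WEIGHT.get(ind.ind_type, 0.5)
           * context_multiplier(ind) * source_factor(ind))
    return int(round(min(100.0, raw)))


def route(s: int) -> str:
    """Decide which tooling tier receives the indicator."""
    if s >= BLOCK_THRESHOLD:
        return "block"
    if s >= DETECT_THRESHOLD:
        return "detect"
    return "archive"


def ingest(store: dict, rpt: Report) -> tuple:
    """Merge a report into the store, re-score the indicator, and return (score, route).

    Re-reporting by another source unions the context, records the extra source,
    and triggers a fresh calculation rather than keeping the first score.
    """
    ind = store.get(rpt.value)
    if ind is None:
        ind = Indicator(rpt.value, rpt.ind_type, rpt.provider_score)
        store[rpt.value] = ind
    ind.provider_score = max(ind.provider_score, rpt.provider_score)
    ind.industries |= rpt.industries
    ind.regions |= rpt.regions
    ind.adversary_active = ind.adversary_active or rpt.adversary_active
    if rpt.source not in ind.sources:
        ind.sources.append(rpt.source)
    s = score(ind)
    return s, route(s)


if __name__ == "__main__":
    store = {}
    # Constructed sample: a retail-targeting IP first seen from a commercial feed...
    print(ingest(store, Report("commercial_feed_a", "203.0.113.7", "ip", 75, {"retail"}, {"US"})))
    # ...then re-reported by an OSINT feed as an active campaign against financial services.
    print(ingest(store, Report("osint_feed_b", "203.0.113.7", "ip", 60,
                               {"financial_services"}, set(), adversary_active=True)))
```

The first ingest lands the retail-targeting indicator in the detection tier (its generic score of 75 is discounted because the targeted sector is not ours); the second report adds corroboration, a matching industry and an active adversary, and the same indicator is automatically re-scored into the blocking tier, which is the “medium to high” transition the column describes.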
Prioritization of threats comes down to understanding how a score was calculated and being able to apply a scoring methodology aligned with your own risk posture and based on your resources, tools and other team priorities. With transparency and customized scoring, you can make sure you’re cancelling out the noise that’s distracting you so you can concentrate on what really matters to your organization.