Attackers are expanding their tactics, users are unknowingly aiding attacks, and breaches are now the new normal. Because attacks remain undetected for longer periods of time, they are more difficult to stop. During that time, sensitive customer information and intellectual property are compromised, putting a company’s reputation, resources, and value at risk. How quickly defenders can detect and respond to a breach can mean the difference between a nuisance and a nightmare. To deal with this evolving threat landscape, over the last few years there has been a shift from traditional event-driven security and response programs to an approach enabled by intelligence.
It is similar to the shift we’ve seen in how we protect our communities from criminals. Think Dragnet versus CSI. We’ve gone from labor intensive and local to technology driven and pervasive. In the old days we relied primarily on officers patrolling the streets and calls from concerned citizens to report crimes. This still provides a strong baseline of protection. But to supplement these methods, federal, state, and local law enforcement now work together using advanced tools and techniques to gather data and corroborate information in order to capture the most elusive and often most dangerous criminals.
In the same way, to counter attacks on our IT infrastructure more effectively we can no longer rely exclusively on event notification of known threats. We also need better intelligence about emerging threats as they unfold. But the challenge with intelligence-led security lies in the ability to reliably and consistently collect the right intelligence; validate, manage, and correlate that data; learn about attacks; and then act.
In a world where data exfiltration can take only minutes but discovery can take months or even years, time to detection (TTD) and time to resolution (TTR) are now the measures of security effectiveness. Threat intelligence is critical to accelerate security and response programs, but it must have the following attributes:
Tactical: Reliably and consistently collect the right intelligence from the right and trusted sources, manage and correlate that data, learn what adversaries are doing, and take action – all while using a risk-based approach to dictate how to act upon and share this information. The volume of data can be overwhelming, so it needs to be in a format that can be easily consumed and acted upon.
Contextual: Indicators should not be treated as atomic elements such as IP addresses; they need to be defined as a collection of elements to which context is applied. This context can be based on region, vertical, or historical distribution, and can work in concert with Indicators of Compromise (IoCs), feeds, or other enrichment. For example, if you operate in the financial services industry you need the most up-to-date information about threats that are targeting your sector, not the retail industry.
Automated: Automated intelligence creation allows organizations to seamlessly consume atomic and contextual threat content for the creation of actionable and specific intelligence. You shouldn’t have to press a button to retrieve it; threat intelligence should continuously feed into your environment to ensure its effectiveness. Automation also supports the sharing of content between trusted entities for faster collaboration and decision making.
Complementing global threat intelligence, local intelligence – based on correlation and analysis of a company’s own infrastructure – provides additional context and the information necessary to take more informed security actions. This requires visibility across today’s modern networks, which extend beyond the traditional perimeter to include data centers, endpoints, mobile, virtual, and the cloud. These networks and their components constantly evolve and spawn new attack vectors, including mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers, home computers, and even vehicles. Comprehensive visibility into the devices, users, applications, and systems that connect to your extended network day in and day out enables you to correlate seemingly benign events and apply intelligence to identify and stop threats.
To reduce TTD and TTR, threat intelligence must be tactical, contextual, automated, and easily shared. And it must span the extended network and new, connected devices. With these attributes it empowers security technologies and security services teams with an intelligence-led approach to security and response to more quickly thwart today’s advanced attacks.