The Value of Threat Intelligence is Clear, But Are You Capturing It All?

Take Relevance Into Account When Analyzing Threat Data

Parents are nervous. High school seniors are nervous. It’s that time of year again when college decision letters and emails start to arrive. We all know there’s tremendous value in education, and a college degree is a pre-requisite for many career paths. But which school is the best fit? Will your child get the most value possible from his or her college experience?

For each student, what defines and drives value from the college experience is different. It may be studying in an environment where they feel comfortable and can thrive; attending a university that offers a major in a field they want to pursue; having an opportunity to play the sport they love and excel in; or any number and combination of factors.

Likewise, we all know there is tremendous value in threat intelligence, and various factors come into play to create value.

The recent SANS 2018 Cyber Threat Intelligence Survey (PDF) finds 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. The millions of threat-focused data points available, the many sources of global threat data we subscribe to, and the internal threat and event data from our layers of defense and SIEMs provide a significant amount of threat intelligence. But are we capturing all the value we can to truly strengthen our defenses and accelerate detection and response?

As I’ve said before, not all threat intelligence is equal. Threat intelligence that is of value to your organization, may not be of value to another. How do you get the most value from your threat intelligence? It comes down to relevance, and that’s determined by your industry/geography, your environment and your skills/capabilities.

Industry/Geography. Threat data focused on attacks and vulnerabilities specific to your industry and geography is much more relevant than generic data that includes threats that target a specific sector and/or region you are not in. External threat feeds such as those from national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry, can prove useful. Complementing the data in your central repository with data from these types of sources can help reduce noise and allow you to focus on threats occurring locally in your sector.

Environment. Depending on your environment or infrastructure, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators allowing you to track suspicious traffic. To get the most value from your threat intelligence, you need tools that aggregate indicators in a central repository and allow you to augment and enrich them with context, so that you can prioritize and focus on those that matter most to you.

Skills/Capabilities. The amount of skilled cybersecurity personnel you have in place also drives relevance. Larger organizations with more manpower have the resources to chase down threat data with two or even three degrees of separation (i.e., downstream IP addresses, domain registrants, etc). Whereas, organizations without those vast resources must be more selective, investigating only threat data that is active, targeting their industry or associated to known adversary sets. This is where automation and managed security services providers (MSSPs) can help to augment your existing staff and expertise. Automation can help aggregate millions of threat-focused data points into a central repository and translate it into a uniform format. It can also help overlay context by correlating external and internal threat data. You can apply automation to help filter out some of the noise, for example automatically prioritizing data based on parameters you set. MSSPs provide a menu of options – from serving as your entire team, to managing a specific aspect of your threat intelligence program, to providing high value and customized services like threat hunting or incident response.

Every parent wants their child to get the most from their education and a lot of factors contribute to that outcome. Likewise, many factors contribute to the value that can be derived from threat intelligence. As you create your threat intelligence program, make sure you take relevance into account when analyzing threat data and you’ll be well on your way to capturing the full value of threat intelligence.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.