You are threat intelligence in action. From the time you wake up in the morning until you fall asleep at night, you are incredibly efficient at processing situational data to make decisions. Some decisions, such as what to wear for the day, are driven by the current data available: scheduled activities, the morning weather report, even fashion news. This is valuable information worth considering. So, if all the hard data points to a pleasant day, why might you pack an umbrella? The answer is intuition. You toss that umbrella in the car because some aspect of the current hard information matches a historical pattern in your brain. You have a “gut feeling” that if you don't take the umbrella, you might get wet. Will the downpour occur? Whether it does or not, you have mitigated the threat by combining observation with intuition based on experience.
In order to combat cyber threats effectively, you need a threat intelligence approach that does the same – one that both identifies solid threat data (such as a specific malware signature) and matches this data to an established pattern (such as the behavior of past malware).
Unfortunately, this is easier to state than to implement. Many professionals have well-established, automated threat intelligence programs that operate at scale. But for some, the ability to act based on data and intuitive decision-making through pattern matching is either immature or nonexistent. Awareness of the opposition – not just the attack, but also the attacker, their tactics and infrastructure – and the ability to quickly prioritize and address the threats they pose are clearly beneficial. However, even with a wealth of vendors, varied approaches and related educational outreach to potential customers, determining what you need to get your threat intelligence program started can be daunting.
...determining what you need to get your threat intelligence program started can be daunting.
Due to the expansion of threat intelligence strategies, tactics and applications, this is an exciting time for security professionals, but it can also be overwhelming. When considering your program's needs, begin with the following steps:
Define what threat intelligence means to your organization and the objectives you want to achieve. At the very least, define how you will use information regarding relevant threats to your information assets to manage response.
Use curated threat data if possible. This is data that has context relevant to your systems, vulnerabilities, geography and business vertical.
Leverage expansive threat intelligence repositories. This is data that can serve as historical sentinel memory. It effectively provides attacker and attack information pattern matching, enabling automated security intuition.
Use an aggregation point for analysis. Depending on whom you ask, a “single pane of glass” is either the Holy Grail or a fool's errand. But whenever you can consolidate current hard data intelligence with curated pattern data, do so. For example, when you examine events in an anti-malware console, you combine specific attack signatures (hard data intelligence) with curated Big Data about attacker infrastructure and behavior (curated data intelligence). It is the blending of these intelligence types that allows you to make effective decisions.
Staff or contract an experienced security analyst. Empowered to react, an analyst with access to relevant threat intelligence is the most valuable security resource in your program.
Combining what the security market has to offer in the areas of threat intelligence and services with your own organization's security analysts' capabilities results in a powerful security intuition mechanism.
Daniel Polly is VP, enterprise information security officer at First Financial Bank.