Like a canary in a coal mine, automated threat intelligence can sound early warnings of toxic threats to the network, reports Steve Zurier.
There's no turning back. The threat landscape has progressed to the point where security managers have little choice but to use a broad mix of threat intelligence tools from multiple sources.
Today, Raymond James Financial has a large security staff with about 10 percent of its security team dedicated to threat intelligence, says Andy Zolper, the company's CISO.
Zolper says his organization uses threat intelligence from the Financial Services Information Sharing and Analysis Center (FS-ISAC), as well as open source and other commercial sources of threat intelligence.
FS-ISAC runs as one of 24 organizations formed around vertical industries to share threat intelligence. With more than 4,000 member firms, FS-ISAC has arguably become one of the most mature and effective ISACs, but there are other active ISACs doing good work in the automotive, aviation, defense, and transportation fields, among others.
“I'm a big believer in the ISAC model,” says Zolper. “We are a very active participant in FS-ISAC. With FS-ISAC, I have the opportunity to learn from others before I see the same attack tried again on me. But you have to be plugged in and wired to respond extremely quickly.”
Zolper (left) breaks down the threat intelligence he receives from FS-ISAC into three areas: tactical, operational and strategic.
For tactical intelligence, he uses the indication of compromise (IOC) feeds provided to Raymond James by FS-ISAC. On the operational side, the Raymond James threat intelligence team attends the weekly threat intelligence calls FS-ISAC holds. They also hold frequent chat sessions with FS-ISAC, a service that's open all the time. Finally, for strategic information, FS-ISAC holds two conferences each year where they review ongoing threats and provide information on emerging threats.
“It's here we learn strategic information about what nation-states are up to, as well as anything new with organized crime entities,” Zolper says.
The ISACs are good, but Zolper points out that it takes much more than receiving threat feeds from FS-ISAC to actively secure the company's network.
Raymond James Financial takes the IOC information from FS-ISAC and feeds it into an aggregation tool, which parses the information and makes recommendations on what actions to take. The information then goes to the company's SIEM, which can set rules to block specific threats. The company also has a separate system that collects threat intelligence on all its firewalls and has been set to run automated remediations in the event the system finds malicious or infected code.
Jon Oltsik, a senior principal analyst who covers IT security at the Enterprise Strategy Group (ESG), says security managers are looking for “actionable” intelligence. He says they want to get some output – such as faster response time or automated remediation – out of the threat intelligence data.
“Generally, security managers start with some type of SIEM tool or managed security service,” Oltsik says. “From there, they tend to purchase individual analytics tools for endpoint and network security. There are also emerging tools – such as threat intelligence platforms and incident response platforms. However, these last two tend to be limited to the high-end of the enterprise market.”
ESG research indicates that while more organizations are focusing on threat intelligence, it's still not an automatic tool in use by security departments, such as anti-malware tools, firewalls or log data.
According to ESG, 21 percent of organizations say they have more than five years of experience with their threat intelligence programs, while 39 percent of respondents said they had between two years and five years of experience. However, a sizeable population – roughly 40 percent – have far less than two years of experience with threat intelligence.
And, in perhaps a more telling number, only 43 percent of organizations surveyed by ESG said they had in place dedicated skilled staff, well-organized threat collection and analysis and formal threat intelligence processes.
Take Raymond James, for example. It has only had a formal threat intelligence department for the past 18 months – and it is a financial company with more resources than many organizations.
Alex Wood (left), CISO at Pulte Financial Services, the mortgage, title and insurance arm of Pulte Homes, says while his security team also feeds the FS-ISAC information into a SIEM and gets some good results reducing false positives, he's looking for more targeted information.
“And while it's great to get information about what's happening on the Dark Web, what's more important is getting information that's relevant to our company,” Wood explains.
“Data that would be of value would consist of conversations around my company or bad actors talking about my company.” Wood adds that Pulte Financial Services has set some money aside to purchase such a tool in the next three to six months.
“Eventually we want threat intelligence to tell us where the next attacks will come from,” Wood says. “If SSL encryption is under attack right now, then we need to know that before it becomes a problem.”
A daunting landscape
Craig Lawson, a research vice president at Gartner who covers a variety of security topics, including threat intelligence, agrees that the industry has to head in the direction Wood suggests – namely, the notion of strategic information that can identify and remediate threats autonomously.
“The industry will get there, but it will be over the next 12 to 18 months,” he says.
Meanwhile, the threat intelligence market offers an array of daunting choices. Lawson says there are more than 140 providers today coming at threat intelligence from all directions. There are companies, such as Digital Shadows and Flashpoint, that do threat intelligence, and then there are mainstream security companies, like Palo Alto Networks and Check Point Software, that have their own take on threat intelligence and integrate elements into its legacy products.
Companies can also go with open source threat intelligence, or threat intelligence from one of the ISACs or the Computer Emergency Readiness Teams (CERTs), and feed it into their SIEM. Or, they can go with Looking Glass, a threat intelligence platform that through acquisition also handles threat intelligence services, such as brand protection and executive physical security, machine-readable threat intelligence and reverse engineering and remediation.
Peter Clay, CISO for Qlik, uses Pierce Matrix because it gives him reliable threat intelligence that his security team can act on. He says that in the past, the company used industry-led tools and open source feeds on an ad hoc basis, but found that the accuracy of the threat information was insufficient.
“Pierce Matrix lets us set a baseline for what's good and bad traffic and then gives us visibility into that traffic as it changes because what was bad yesterday may be good today and vice versa,” he says. “When we take an action, we don't have to take steps to validate the intelligence. That's very valuable to us because my most precious resource is my people. I really can't have a highly paid security analyst spend several days scanning through logs to find some information about a threat.”
Clay (left) says that with Pierce Matrix, his firm can integrate threat intelligence into its SIEM and set rules to block and fully remediate a threat. “So it allows you to focus your strongest people on the top threats to your specific environment, while allowing you to use lesser skilled people to address the simpler threats based on the recommendations,” he says.
Rick Gordon, managing partner at MACH37, a security industry investor, adds that most companies don't have the expertise to do threat intelligence on their own.
“Too many companies can't afford to do it and those people don't exist,” he adds. Gordon says more companies and services will emerge in the months ahead that bring threat intelligence to midmarket companies that don't have security operations centers.
Zolper of Raymond James Financial, adds that whatever companies do, they need both good tools and qualified people. “I think you have to have both, constant drive for automation, as well as high-quality cybersecurity practitioners,” Zolper says. “Anyone with a budget can buy another tool and try the latest in threat intelligence management. But finding and retaining high-quality staff is a constant challenge.”
At Raymond James, he says, his team is fortunate to have dedicated threat intelligence analysts. “They work literally side-by-side with our SOC analysts and incident response operators.”
Zolper recommends looking for people with military backgrounds, many of whom were trained on the basics of cybersecurity and have the discipline to learn the business. While not every company will have the resources of a Raymond James or other financial sector companies, they can use feeds from a mix of sources and deploy new tools that turn over threat intelligence to the one or two people in the organization who have the skills to reverse-engineer and remediate a threat.
In the end, there's no magic bullet. Security managers may lament that they don't have the time or staff to learn yet another tool. But what's the alternative? Few companies can afford the cost of a serious breach.
Maximizing Value: Three Steps
Craig Lawson, research vice president at Gartner, believes that when companies can integrate the following three steps into a workable system they will get the most out of threat intelligence.
Acquire: Seek out the threat intelligence that's most valuable to your organization. Many organizations start out with an industry-led ISAC or a CERT, but there are also commercial providers and open source feeds to consider as well.
Aggregate: Start by asking: What is the blend of threat intelligence going to look like based on my vertical industry and geography? No one source or feed will meet all of an organization's requirements. The company needs threat intelligence that can mitigate different types of threats and threat actors, as well as handle feeds from all sources and file types.
Act: Threat intelligence only becomes useful if the organization can take action to reduce risk, improve detection time and incident response processes and protect its brand. Some may want to roll threat intelligence into a SIEM, while others look for ways to automate their intrusion prevention systems.
Using Threat Intelligence: Guard identities
Identity Guard, an identity theft protection service, knows that its subscribers – typically higher-income people in their 40s, 50s and 60s – have a lot to lose.
That's why they come to the firm in the first place, says Johan Roets (left), the company's president. His customers, he says, want a service that can protect them from a credit card or online banking breach.
Threat intelligence from LookingGlass Cyber Solutions has become an instrumental tool for keeping the identities of his customers safe, says Roets.
Identity Guard uses LookingGlass to search for anomalies on the Dark Web. It lets the company warn customers if their credit card, bank account or Social Security numbers have been compromised.
“Once we identify that credit card information has been compromised, for example, we then help walk our customers through a series of countermeasures,” Roets explains. “We help them work with the credit card bureaus and banks to cancel their old cards and get new ones.”
Roets says the threat intelligence technology also has an authentication alert capability that lets them notify a bank a few minutes to an hour before the actual fraudulent transaction takes place.
“This is very powerful stuff,” Roets says. “Social Security numbers get sold on the Dark Web for about $50 to $300,” he says, adding that Identity Guard can contact the bank and notify them to shut down the transaction.