“Threat intelligence” is a critical element of any security operations program. Over the past few years, the discipline has exploded, with some larger organizations forming fully fledged threat intelligence teams which operate in tandem with the SOC and feed into overall organizational risk management. Smaller companies, on the other hand, have had to make do with patchwork teams, where employees from across security, operations, and IT are assigned or volunteer to add threat intelligence duties to their role. Regardless of the size or scope of a business’s threat intelligence program, each one requires data to function. Enter: the threat intelligence products market.
As recently as last year’s Black Hat conference (2016), the expo hall was peppered with companies pitching themselves as “threat intelligence solutions.” Fast forward a year and that messaging is largely absent. This year, the focus was squarely on machine learning, automation, and orchestration—the next wave of the security hype cycle. Does that mean, though, that threat intelligence as a discipline is dead? Absolutely not. Threat intelligence remains critical; it’s just not what the vendor market has been touting over the last few years.
One more indecent accident
First things first: Threat intelligence isn’t a tool. It doesn’t come in a box. And there’s no easy button that we’re all wishing for (in life as well as security). The threat intelligence tools market evolved because end users were hoping for a “single pane of glass,” something that would make security teams’ lives easier when it came to identifying indicators of compromise (IoCs). This all-in-one solution would thus allow administrators to tune controls to more proactively defend against threats.
It all sounds very promising on the surface. However, many of the threat intelligence tools initially offered by vendors were data collection and aggregation models: technologies that could identify vast quantities of external data about threat actors, tactics and techniques, plans and motivations, tools (“weapons”), and other data that supply situational awareness. Perfect! Who wouldn’t want to know Michael Myers is loose in her or his town? The problem with this picture, though, is that Myers wasn’t interested in slaughtering the whole neighborhood; he had a particular set of targets in mind (teenage girls). Other casualties occurred along the way, for certain, but those were people who simply happened to cross the psycho killer’s path.
The attack progression sounds suspiciously similar to many cyber attacks (complete with creepy mask), doesn’t it?
I’d rather leave than suffer this
It’s not that data from threat intelligence tools is useless, says Paul Asadoorian, Founder and CEO of Security Weekly and CEO of Offensive Countermeasures. It’s that commodity threat intelligence “is data from activity that’s happening outside of your network, which doesn’t necessarily mean you have bad stuff in your network,” he explains. Situational awareness is all well and good, he continues, “but it’s not your situation. You need to be focused on what’s happening in your company, your network instead of chasing what might be.”
The key to this, he advises, is baselining—understanding your own environment, your own tools, the data your organization maintains and the level of associated sensitivity; defining workflows and policies; learning “normal” user behavior. It’s (once again) back to security basics. Asadoorian says that while understanding the greater threat landscape is important, understanding your own threat landscape is a must. Working backwards, by starting with what’s going on outside the four walls of your datacenter or the inner workings of your network and then trying to map what you’ve learned onto what’s actually happening or what’s truly pertinent, is an exercise in futility. The key is to first understand internal telemetry, then comprehend external threat data, and finally cross-reference the two. Chasing the external threat without any reliable indication that it’s potentially aimed at your organization will only lead to false flags, frustration, and fallow financials.
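The internal-first ordering described above, as an added example that is not part of the original article: build a per-host baseline from your own telemetry, then cross-reference a commodity indicator feed against it so that only indicators actually observed in your network get chased first. The log lines, host names and feed entries are constructed sample data, and the ‘host -> ip:port’ line format is an assumption.

```python
"""Added example (not from the article): rank external threat data by
whether it intersects your own telemetry. Logs and feed are constructed."""
from collections import defaultdict

# Constructed: 'timestamp host -> dest:port' lines from the baseline window.
BASELINE_LOGS = [
    "2017-08-01T09:00:01 ws-01 -> 93.184.216.34:443",
    "2017-08-01T09:00:05 ws-01 -> 151.101.1.69:443",
    "2017-08-01T09:01:10 ws-02 -> 93.184.216.34:443",
    "2017-08-01T09:02:44 db-01 -> 10.0.5.20:5432",
]
# Constructed: the window under review.
RECENT_LOGS = [
    "2017-08-08T10:00:01 ws-01 -> 93.184.216.34:443",
    "2017-08-08T10:00:09 ws-02 -> 198.51.100.23:8443",
    "2017-08-08T10:01:30 ws-01 -> 198.51.100.77:443",
    "2017-08-08T10:03:12 db-01 -> 10.0.5.20:5432",
]
# Constructed: a commodity feed. Most entries describe someone else's situation.
EXTERNAL_FEED = {"198.51.100.23", "203.0.113.77", "192.0.2.200"}


def parse(line: str) -> tuple[str, str]:
    """Return (host, dest_ip) from a 'timestamp host -> ip:port' line."""
    _, host, _, dest = line.split()
    return host, dest.rsplit(":", 1)[0]


def baseline(lines: list[str]) -> dict[str, set[str]]:
    """'Normal' per host = the destinations it was seen talking to."""
    normal: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        host, ip = parse(line)
        normal[host].add(ip)
    return normal


def triage(recent: list[str], normal: dict[str, set[str]], feed: set[str]) -> dict:
    """Sort recent activity by how much it deserves attention:
    confirmed - feed indicator seen in our own telemetry (your situation)
    anomaly   - destination outside the host's baseline, in no feed
    external  - feed indicators never observed here (situational awareness only)"""
    out: dict[str, list] = {"confirmed": [], "anomaly": [], "external": []}
    observed: set[str] = set()
    for line in recent:
        host, ip = parse(line)
        observed.add(ip)
        if ip in feed:
            out["confirmed"].append((host, ip))
        elif ip not in normal.get(host, set()):
            out["anomaly"].append((host, ip))
    out["external"] = sorted(feed - observed)
    return out
```

Run as `triage(RECENT_LOGS, baseline(BASELINE_LOGS), EXTERNAL_FEED)`: the one feed hit inside your telemetry and the one baseline deviation surface first, while the rest of the feed is reported as external context rather than work.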
All this time to make amends
Tools vendors—at least the lasting ones—started to realize this shift in customer needs and adapted. End user security budgets aren’t infinite, after all (thus the dearth of “intelligence” messaging at recent conferences). “Companies began to realize they needed to supply insight into the internal network, to be the ‘dashboard’ for anomalous behavior, and provide some kind of risk scoring,” says Asadoorian. Otherwise, it’s just more data on top of a pile of data that organizations’ tools are already producing. Some of the evolved threat vendors now offer automated correlation across tools, which saves analysts heaps of time and effort. Hence, the emergence of the 2017 security conference buzzword: Orchestration.
Now and then I’ll try to bend
Be forewarned: there is no one tool to rule them all, and if a vendor is trying to sell you this snake oil, walk the other way. In fairness, it’s inevitable that when a new category of security tools emerges, curiosity is piqued. And cyber threat intelligence was that great hope just a few short years ago. Now, however, organizations are starting to realize that threat products are (at a base level) another tool in the arsenal, one that needs to be managed and maintained, tuned and updated over time, and integrated into existing workflows. Security practitioners will always need to be, at their core, administrators. While experience and skill grow, the fundamentals still apply; if your organization isn’t attending to them, no amount of fancy dashboards and promises of machine learning is going to stop the attacks. The human element will never be automated out of security—it’s too complex. That said, don’t expect any one tool category to solve your problems, especially if it sounds too good to be true on the show floor.
To learn more about what threat intelligence can do for your organization, mark your calendars for our Threat Intelligence Summit taking place in Austin, Texas from November 29-30.