Unfragmenting Security with Threat Intelligence
Written by Anthony Perridge, Regional Director, ThreatQuotient
It has often been said that complexity is the enemy of security. It is a simple statement but, nonetheless, one that holds true time and time again. The more complex your infrastructure, the more likely it is to have seams with exposed vulnerabilities. This is exactly what hackers are looking for, places where people and processes are not perfect and something is left unprotected.
In my last article I talked about how defence-in-depth and layering defences so that if one does not work, another layer is there to stop the attack. This has not always been the saviour we thought it would be. This stems from the fact that each layer of defence has been a point product; a disparate technology that has its own intelligence and works within its own silo, creating fragmentation. And, since this creates complexity, it stands to reason that to combat the enemy and improve security we need to reduce it. But how can you begin to unfragment something that is already out there in many pieces? To my mind the best way is to find the glue to put things together. This glue comes in the form of threat intelligence, integrating layers of point products within a defence-in-depth strategy to reduce it.
But this isn’t just a problem with defence-in-depth. You also see it in your external threat intelligence feeds and across the different teams involved in maintaining your security posture. Let’s take a closer look at the fragmentation that exists in these areas and how threat intelligence can help. A study by the American university, Carnegie Mellon, analysed the blacklist ecosystem over an 18-month period and found that the contents of blacklists generally do not overlap. In fact, of the 123 lists (which each included anywhere from under 1,000 to over 50 million indicators) most indicators appeared only on a single list. It’s no wonder there’s a huge data overload problem! The study goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” But don’t just take their word for it; the 2015 Data Breach Investigations Report commissioned by Verizon came to a similar conclusion noting that “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways.”
In an attempt to get the best coverage as they build their threat operations, most organisations are typically forced to use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. Lacking the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data remains fragmented, often does not have context and just becomes more noise. The path to threat intelligence begins with aggregating that external data into a threat intelligence platform (TIP).
Nevertheless a TIP needs to go further than simple aggregation. It must also operationalise and apply that intelligence as the glue to reduce fragmentation. With global data in one manageable location, it needs to be translated into a uniform format, and augmented and enriched with internal and external threat and event data. The correlation of events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, allows you to gain additional and critical context in order to understand what is relevant and high-priority to your organisation. Now you’re in a position to utilise that threat data, automatically exporting and distributing key intelligence across all the different layers of defence in depth to improve security posture and reduce the window of exposure and breach.
So how can you deal with the fragmentation across teams? Well, the key here is to find a way to use that threat intelligence for better decisions and action, and this can often be a challenge in siloed organisational structures. You might have a SOC (security operations centre), a network team, an incident response (IR) team and a malware team. More often than not, they don’t even work together, let alone share information or intelligence. Forced direct communication isn’t often effective, so how do you get those teams to work together in a way that makes sense? By offering a single repository for all threat intelligence that is contextual and prioritised, you can foster much needed collaboration without them necessarily even knowing it. With the ability to add commentary and store data for longer periods of time, the repository can become a core component of their processes. As the different teams use and update this repository, there is instantaneous sharing of information across other teams, resulting in faster, more informed decisions.
Taking this a step further, by integrating that repository into other existing systems – including, but not limited to SIEM, log repositories, ticketing systems, incident response platforms, orchestration and automation tools – you will allow disparate teams to use the tools and interfaces they already know and trust and still benefit from and act on that intelligence. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes, the SOC the SIEM and network team uses network monitoring tools and firewalls, and this is just the beginning. By getting consistent intelligence directly from the repository that they have been working in and updating collectively, everyone operates from a single source of truth, reducing fragmentation and complexity so they can accelerate detection and response.
I am in no doubt that complexity is the enemy of security, but this doesn’t have to mean that you are entirely helpless. The enriching of threat data from all your external and internal sources with context, relevance and prioritisation, allows threat intelligence to become the vital glue that reduces the overall fragmentation across your security environment. By reducing this complexity you can ensure that your teams can work together with their existing tools to keep your organisation safer.