Threat Intelligence Blog

Posted January 31, 2018

In 2017 we continued to see a stream of security vulnerabilities that were exploited and a host of intelligence reports that described data breaches and other harmful cyber attacks on business processes. As with every year in the past, most industry experts will tell you that this trend is more than likely to continue throughout 2018.

How do we change this trend?

To interrupt this trend, we must understand where our industry struggles. Here are some thoughts on the key challenges our industry currently faces and how we can overcome them.

Industry Challenge #1: Knowledge Gap

We are all well aware of the cybersecurity skills gap. However, the number of qualified people available for hire does not address one of the core issues that creates the knowledge gap. Instead of vendors developing technologies that are easy to deploy, maintain, and integrate with existing security environments, they are introducing proprietary technologies that require expert knowledge to use.

For example, we continue to see a proliferation of threat intelligenceThreat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations make inform decisions regarding their response to the threat. feeds without standardization on how and what data can be collected, what data model and properties are shared across vendors, what semantic content within those data feeds are important to convey, and ultimately how the data must be interpreted and acted on.

Threat intelligence data normalization and standardization must be embraced.

New standards, such as OASIS STIX/TAXII 2.0 that introduce common schema and methods to access that data are good progress but insufficient to completely address the challenges. Vendors and customers alike must engage with each other to increase what data is collected, conveyed, and how it can be interpreted.

Our industry also needs to standardize metrics and quality measurements across security products and in particular threat intelligence feeds. There have been several attempts to measure coverage of intelligence feeds as well as the overlap of those feeds. However, there is no standardized methods applied to measuring either the comprehensiveness of an intelligence feed or its applicability to a specific industry or customer impacting environment.

As co-chair of OASIS STIX/TAXII 2 Interoperability sub-committee I am striving to increase industry adoptions of standards and, more importantly, standardization on interpretation and use of the data for business use cases. This effort will go some way to improving the focus on quality and measurement of threat intelligence-based products. I would encourage you to also get involved.

Tips

  • Threat intelligence and other security telemetry data quality must be increased and proven. It is no longer sufficient to state ‘we have great data’. Vendors must adopt standard practices.
  • Machine enrichment of security telemetry data must improve how robustly the data is collected and how deeply data can be analyzed and correlated with other relevant factors.
  • Working in silos must change towards a more integrated, collaborative environment.
  • Machine enrichment is an important capability but insufficient. Products and services must embrace the combination of human enrichment of machine enriched data collection and analysis.

Industry Challenge #2: The Need for Impactful Integrations

Industry partnerships continue to be announced but why does the adversary continue to advance?

Adversaries (e.g espionage, cybercrime, hacktivists) may target anything from a business segment or market, a specific organization, a specific individual, or a broad technology vulnerability that impacts across all of those areas.

Threat Intelligence Platforms (TIP) provide visibility into these adversaries and the results of their actions, attempting to bring together a global perspective on threats, TTPs, campaigns, malwareMalware: Software that is intended to damage or disable computers and computer systems., and a host of other related context. We have seen an increase in sharing communities that leverage these platforms, but we continue to struggle on how those platforms or the information they provide can be integrated and leveraged beyond the platform itself.

Organizations need systems integration of threat intelligence in such a manner that the intelligence can be trustworthy and made actionable directly with other security systems such as firewalls, IDS, SIEMs, etc. Standards around data formats exchange such as STIX2 can help, but again are insufficient if the use cases leveraging those data feeds do not have all relevant context to act on them without human augmentation.

Consistent, normalized scoring and categorization of what intelligence represents continues to be a missing element of both STIX and many proprietary data feeds. Without this, organizations must look to understand what each vendor’s scoring mechanism represents and build customized integrations across their own security ecosystem themselves, or with help from their vendors. It becomes both costly and error-prone to build such integrations when more than a single vendor is involved.

Secondly, while developing standardized command and control language that can drive security automation is starting to be addressed by the OASIS OpenC2 efforts, we will continue to see the same challenges that the STIX2 standards has around the lack of higher value integrations that are applied consistently across all vendors that implement the OpenC2 standards.

Tips

  • Threat Intelligence Platforms should be more than just visualization/sharing platforms.
  • Sharing will continue to increase but as sharing increases so will the need to handle the data in more mature ways to ensure that relevant and quality data is actionable (i.e. avoid data overload from sharing).
  • Security orchestration must move towards policy and management of mitigation across multiple tiers and multiple products in the security infrastructure.
  • Threat Intelligence Platforms will eventually have the same problems as SIEMs (i.e. lots of data and limited value/action), that is they won’t become an actionable part of a security operations team process unless they tackle higher level operational challenges than simple aggregation.

Industry Challenge #3: Making Sense of Global Threats

Many threat intelligence providers share data feeds gathered from the Surface, Deep and Dark Web sources. A key challenge for most organizations is turning this intelligence into something more meaningful so that it can become relevant to an organization’s specific concerns or security posture.

Most organizations need help relating that global perspective to their perspective

Our industry must strive towards providing solutions that can give our customers an integrated view of a their security. Integrated solutions that automate and protect customer networks with real-time intelligence and response will become increasingly important. It will no longer suffice to just block threats. Adversaries are sophisticated and agile in the manner and methods executed against their targets. Security defenders must embrace agility and methods that allow faster and more sophisticated response to threats.

Feedback loops/closed-systems that provide real-time information associated with analytics, threat intelligence, and human prioritization will have tangible impact. The feedback on effectiveness of threat response will allow organizations to increase the quality of the actions that are taken.

Security analytics broadly refers to techniques applied to determine a higher level of understanding from raw security data. Analytics has the potential to reduce false positives and increase the ability to act on the analytical outcomes determined from the data in automated systems that require minimal, or zero, human involvement.  However, when analysis is not structured (e.g. supervised) or focused on specific outcomes, the results can be erroneous mitigation actions that impact the business negatively and potentially undermines the trust in the security organization and capabilities.

There are many approaches to data enrichment and analysis without necessarily applying machine-learning that can add significant value on top of raw data aggregation.

When combined with machine-learning techniques (e.g. supervised learning; unsupervised learning, and reinforcement learning), where the machine can determine new patterns and anomalies in data that may otherwise not be discovered by the human analyst, security analytics has a significant potential to increase both accuracy of security operations and ability to scale the limited human assets within an organization.

Tips

  • It is vital to focus on real-time integration between threat intelligence and security response systems.
  • Identify approaches and techniques that incorproates machine-learning into security automation.
  • Leverage verified and quantiafiable threat intelligence as inputs to avoid poorer quality data feeds causing significant false positives.

In Summary

2018 promises to be a pivotal year for security response to cyber threats. By focusing on standardization and automation of threat responses, our industry can start to get in front of adversaries instead of playing catch up. Addressing the challenges I outlined in this blog will help reduce risk and increase protection against cyber attacks.

If you would like to learn more or provide feedback on this blog feel free to reach out to me on Twitter (@tweet_a_t), or contact us here.

Additional Posts

Weekly Threat Intelligence Brief: January 31, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest ...

Is Your Digital Presence Safe from Cyberstalkers?

With the world’s increased use of the Internet, stalking doesn’t just mean the physical act ...