Posted March 7, 2016
By AJ Shipley, VP of Product Management
Last week was the annual RSA security conference in San Francisco, CA – one of the industry’s largest IT security events. After walking the conference floor and listening to the overwhelming number of vendors that claim to offer all things threat intelligence, I’d like to dispel some misconceptions and myths being pushed on our industry about threat data and threat intelligence.
Threat data is not the same as threat intelligence. I repeat, threat data is not the same as threat intelligence! What many vendors claim is threat intelligence is really just a bunch of data about potential threats.
We previously defined threat intelligence as: the combination of technical and contextual information regarding existing or emerging threats from all available sources. It has been evaluated and analyzed for accuracy, timeliness, and relevancy, and implemented among an organization’s tactical, operational, and strategic stakeholders.
While you cannot derive threat intelligence without threat data, that doesn’t mean that all threat data is, or can become, threat intelligence. The difference between the two is that threat intelligence requires context that creates relevancy to a particular organization or industry.
Let me provide a few examples that will illustrate the difference:
Threat Data: The two to three million unique infections that the LookingGlass Virus Tracker global sinkhole network identifies every single day
Threat Intelligence: Of those two to three million infection records, the five new infections on your network – or on one of your supply chain vendors’ networks – that contacted one of the LookingGlass sinkholed domains in the last hour
Threat Data: The 10,000+ new domain names created in the last 24 hours that are hosting malware, stealing credentials as part of a phishing campaign, or acting as an active Command and Control (C2) server
Threat Intelligence: Identifying the 10 devices on your network that accessed one of those 10,000+ domain names in the last 24 hours
Threat Data: The 20,000 social media, deep and dark web, and open-source threat intelligence (OSINT) posts that mentioned your company name in the past 24 hours
Threat Intelligence: Out of those 20,000 posts, the three from a known threat actor that mentioned targeting your organization’s executive staff or the physical location of one of your corporate facilities
Threat Data: The 10,000 new phishing sites that were created in the past 24 hours
Threat Intelligence: Finding the one webpage that looks exactly like your legitimate company webpage, but is really a maliciously intended and unauthorized use of your brand attempting to phish your clients or customers
I think you get my point. Transforming threat data into threat intelligence happens when trained analysts with detailed knowledge of your network IP space and a comprehensive understanding of how threats target organizations apply that context to your organization. They help determine what is a relevant threat and what you can or should take action on.
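To make that correlation concrete, here is an added example (not LookingGlass code) that turns the second pair above into a check: a constructed list of feed domains is matched against constructed DNS resolver log lines, restricted to a 24-hour lookback, to return only the internal clients that actually queried a listed domain or one of its subdomains. The feed names, log lines and the NOW timestamp are all invented for the example.

```python
from datetime import datetime, timedelta

# Constructed threat data: a tiny stand-in for a feed of newly registered
# or sinkholed domains (hypothetical names, not real indicators).
THREAT_DOMAINS = {
    "login-update.example.net",
    "cdn-static.example.org",
    "secure-invoice.example.com",
}

# Constructed internal telemetry: resolver log lines of the form
# "<ISO timestamp> <client IP> <queried name>".
DNS_LOG = """\
2016-03-07T08:15:02 10.1.4.22 www.example.com
2016-03-07T09:40:11 10.1.4.22 login-update.example.net
2016-03-07T10:05:44 10.1.7.9 mail.cdn-static.example.org
2016-03-05T23:59:59 10.1.9.3 login-update.example.net
2016-03-07T11:30:00 10.1.4.22 login-update.example.net
2016-03-07T12:00:00 10.1.2.50 cdn-static.example.org.lookalike.test
"""

# Constructed "current time" for the 24-hour lookback window.
NOW = datetime(2016, 3, 7, 12, 30)

def domain_matches(name, feed):
    """True if name equals a feed domain or is a subdomain of one.
    Label-wise suffix matching avoids the false positive a plain
    substring test would give for cdn-static.example.org.lookalike.test."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))

def correlate(log_text, feed, now=NOW, window=timedelta(hours=24)):
    """Return {client_ip: sorted queried names that hit the feed} within window."""
    hits = {}
    cutoff = now - window
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        when = datetime.fromisoformat(ts)
        if when < cutoff or when > now:
            continue  # outside the lookback: still data, not intelligence for today
        if domain_matches(qname, feed):
            hits.setdefault(client, set()).add(qname.lower())
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in correlate(DNS_LOG, THREAT_DOMAINS).items():
        print(ip, names)
```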
LookingGlass’ detailed knowledge of your global Internet IP space and our ability to correlate that with your internal network telemetry applies context that creates relevancy. Our team of trained threat analysts is fluent in over 20 foreign languages and sits in the deep and dark web forums where threat actors exchange stolen credentials and discuss their upcoming campaigns. They find what is relevant to you and provide actionable threat intelligence.
Whether you are just getting started with integrating threat intelligence into your security posture or already have a mature security program, the services required to take down malicious sites, augment your existing staff, and continuously monitor your network, people, and organization for the threats targeting them are what differentiate LookingGlass from every other “threat intelligence” vendor in the market.
Combine that with our ability to mitigate threats on your network with our comprehensive portfolio of network security appliances for operationalizing threat intelligence, and you quickly understand why our customers call doing business with us “The LookingGlass Advantage.”