The term “threat intelligence” seems to mean a lot of things to a lot of people. During my two days at the SANS Cyber Threat Intelligence Summit in DC last week, I heard many questions from the audience that reflected a general state of confusion around vendors in the threat intelligence space. Fortunately, speakers and other attendees were able to shed some light on what these companies do – and what they don’t do. Some threat intelligence vendors provide a feed from a range of sources. Other vendors are feed aggregators (similar to how SIEM vendors aggregate event data).
But for all vendors in this space, collection and analysis is the name of the game. Threat intelligence aims to improve the incident response process with deep contextual information that enables better decision making and shortens response times. There’s a strong focus on “threat actors,” real-time displays of data, and integrations with other security systems like SIEM and IDS/IPS.
IS EXTERNAL THREAT DATA ENOUGH? Most conversations about threat intelligence focus largely (if not purely) on external threat data: spam traps, honeypots, social networks, botnet connections, etc. At this particular summit, it was refreshing to hear multiple speakers and attendees address the fact that external threat data must become better aligned with internal threat data – aka vulnerability data. Rick Holland, a principal analyst at Forrester Research, mentioned that real-time threat maps are certainly cool, but offer little value on their own. Without internally collected data, what we conventionally think of as “threat intelligence” does not give organizations enough context to prioritize the threats that are important to them.
SO WHAT? How can you quantify the inherent risk behind a piece of external threat intel in order to make it actionable? According to my colleague Andy Rappaport, Chief Architect at Core, companies must ask “so what?” and understand the downstream risk – there is a network effect at play here. Consider not only the assets directly threatened, but any asset (e.g. system, person, network) with which they are connected or related. Hackers will take the initial breach/exploit and pivot their way through vulnerabilities and security weaknesses until they get the data, control or identities that are most valuable to them – and important to your business.