Takeaway from Vegas: Threat Intelligence is Maturing
POSTED BY CHRIS JACOB
If you have anything to do with cybersecurity, chances are you were in Las Vegas earlier this month for Black Hat. In fact, I probably spoke with many of you. I had the opportunity to meet with a range of organizations – commercial enterprises, government organizations and other security vendors. One thing that struck me is that threat intelligence is maturing.
“Intel” was once considered the exclusive domain of government organizations. But, increasingly, the commercial world is embracing threat intelligence and working hard to figure out what it means and how to use it effectively. Right now the focus seems to be on Indicators of Compromise (IOCs), which is understandable, since security vendors are pushing that concept hard and the ability to identify IOCs is critical to identifying threats. But IOCs aren’t the end game. Focusing exclusively on IOCs is like trying to fight crime based on a partial fingerprint. IOCs are just one aspect of threat intelligence; there is a lot more data to consider.
As you start to add more threat intelligence feeds to fill in that fingerprint you’ll quickly see that you need help managing the massive volumes of data. That’s where a threat intelligence platform (TIP) comes in.
At its most fundamental level a TIP helps you manage and make sense of millions of data points and IOCs from commercial and open source intelligence feeds. But it lets you do more than that. You can overlay that data with intelligence from across your infrastructure to quickly discover trends or suspicious patterns. This takes threat intelligence to a new level – not just identifying individual points of data, but also tracking adversaries and identifying common tactics and techniques for greater situational awareness.
This meta-level of intelligence, in turn, produces better atomic-level IOCs which make the bigger picture, the overall fingerprint, clearer and thus more valuable.
A TIP can automatically feed these high-risk indicators into your existing defenses – firewalls, intrusion prevention, anti-virus, endpoint products, etc. – for better protection.
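To make the aggregation, overlay and hand-off steps concrete, here is an added toy example; it is not code from this post or from any particular TIP product. It merges two constructed feeds into one indicator table, refanging and de-duplicating values that different vendors format differently, counts how often each indicator shows up in a few constructed proxy/DNS log lines from "your infrastructure", scores each indicator, and emits the high-risk subset as a blocklist a firewall or proxy could load. The feed and log formats, the scoring weights and the threshold are all assumptions chosen for illustration.

```python
"""Toy threat-intelligence-platform pipeline: aggregate IOC feeds, overlay
internal telemetry, and emit a high-risk blocklist for downstream controls.
All feeds, log lines and weights below are constructed for illustration."""
import re

# Constructed sample feeds (not real indicators). Feeds often defang values
# ("hxxp", "[.]"), so normalisation is the first step of any merge.
COMMERCIAL_FEED = [
    {"indicator": "evil-updates[.]example", "type": "domain", "confidence": 90, "tag": "actor-A"},
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 60, "tag": "actor-A"},
]
OSINT_FEED = [
    {"indicator": "EVIL-UPDATES.example", "type": "domain", "confidence": 50, "tag": "actor-A"},
    {"indicator": "203.0.113.77", "type": "ipv4", "confidence": 40, "tag": "scanner"},
]
# Constructed internal proxy/DNS log lines; the query=/dst= field is what we match on.
INTERNAL_LOGS = [
    "2024-05-01T10:02:11Z host=ws-17 proto=dns query=evil-updates.example",
    "2024-05-01T10:02:12Z host=ws-17 proto=https dst=198.51.100.23",
    "2024-05-01T11:40:09Z host=ws-03 proto=https dst=93.184.216.34",
]

def normalize(value: str) -> str:
    """Refang and canonicalise an indicator so copies from different feeds match."""
    value = value.strip().lower()
    return value.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def aggregate(feeds: dict) -> dict:
    """Merge feeds into one table keyed by normalised indicator.

    Each record keeps every source that reported it, the highest confidence any
    source assigned, and the union of tags (the context that goes beyond the bare IOC).
    """
    table = {}
    for source, entries in feeds.items():
        for e in entries:
            key = normalize(e["indicator"])
            rec = table.setdefault(key, {"type": e["type"], "sources": set(),
                                         "confidence": 0, "tags": set(), "sightings": 0})
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], e["confidence"])
            rec["tags"].add(e["tag"])
    return table

FIELD_RE = re.compile(r"(?:query|dst)=(\S+)")

def overlay_telemetry(table: dict, log_lines: list) -> dict:
    """Count internal sightings of each known indicator in proxy/DNS log lines."""
    for line in log_lines:
        m = FIELD_RE.search(line)
        if not m:
            continue
        key = normalize(m.group(1))
        if key in table:
            table[key]["sightings"] += 1
    return table

def risk_score(rec: dict) -> int:
    """Transparent scoring (assumed weights): corroboration across independent
    feeds and sightings in our own environment both raise priority."""
    score = rec["confidence"]
    score += 20 * (len(rec["sources"]) - 1)   # extra feeds agreeing on the indicator
    score += 30 * min(rec["sightings"], 2)    # actually observed in our telemetry
    return min(score, 100)

def build_blocklist(feeds: dict, log_lines: list, threshold: int = 70) -> list:
    """Run the pipeline and return (indicator, type, score) for high-risk IOCs,
    most urgent first, ready for a firewall/proxy deny list."""
    table = overlay_telemetry(aggregate(feeds), log_lines)
    ranked = [(k, r["type"], risk_score(r)) for k, r in table.items()]
    return sorted([x for x in ranked if x[2] >= threshold], key=lambda x: -x[2])

if __name__ == "__main__":
    feeds = {"commercial": COMMERCIAL_FEED, "osint": OSINT_FEED}
    for ind, typ, score in build_blocklist(feeds, INTERNAL_LOGS):
        print(f"{typ}\t{ind}\t{score}")   # one line per indicator for the downstream control
```

With the constructed data, the domain reported by both feeds and seen on ws-17 scores highest, the IP seen only in one feed but also observed internally still clears the threshold, and the low-confidence scanner IP that never appeared in telemetry is left out of the blocklist. In a real deployment the scoring weights, the threshold and the export format would be tuned to the controls consuming the list, and the sightings count is what turns a feed entry into something worth an analyst's attention.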
You can be sure that adversaries are gathering as much information as possible about their targets in order to increase their chances for success. A TIP lets you do the same – providing a complete fingerprint so you are better equipped to fight cybercrime.