Digital Threat Intelligence Management Brings Better Signal and Less NoisePOSTED BY DAVID MONAHAN
Managing Research Director, Security and Risk Management
Enterprise Management Associates
Organized crime, rogue hackers, and nation-states are continually mounting attacks across the Internet. Nearly one billion personal records and just over one billion credentials were stolen in 2016, with similar statistics in 2017. Hackers are selling many of these stolen records across the dark web and other forums, offering most from as little as $10 for verified credit cards and personal information records, generating millions in illicit revenue. Fake social media accounts are being created at a breakneck pace to steal both personal and corporate identities and racking up more millions of dollars in revenue for the thieves. Fraudulent applications are popping up across all major app stores, generating even more millions in ill-gotten gains. The list goes on with the FBI reporting that annual losses in 2016 exceeded $1.3 billion USD globally, with the four-year total for related scamming reaching $5 billion USD globally. Thefts have reached epidemic proportions.
All of this activity falls directly into the purview of digital threat intelligence management (DTIM) solutions. DTIM is a specific term for the evolution of technologies that started out as threat intelligence feeds of the early 2000s, and has since evolved to include threat intelligence platforms. Threat feeds were volumes of information contributed and collected throughout the common Internet about potentially threatening activities. Feeds were fraught with problems. They were a caveat emptor situation. The information had virtually no quality control, so duplication of events was a huge problem. Events did not age over time, so much of the data became stale. There was no prioritization, filtering, or analysis of the data before it was sent to or picked up by the recipient. All of these issues formed massive data dumps that were only large organizations with the budgets and manpower to perform data parsing and analysis could use them.
Threat intelligence platforms were the natural next step. The vendors in this space saw the problems from data feeds. Concerned researchers, security professionals, and forward-thinking entrepreneurs collaborated to deliver better threat warning data. They recognized the operational difficulties of processing the data, so they created the platforms to deduplicate, filter, prioritize, and age out data to bring the data down to a much more manageable volume using commonly available processing and storage. They also incorporated user interfaces for searching and analysis. This huge change meant operations gained the ability to better interact with the threat data and were no longer dependent on scaling their SIEMs to use the data.
With improved analysis algorithms and the elasticity of the cloud, DTIM expanded the monitored content and took advantage of advances in data analysis and user interface design. Data was added to encompass deep and dark webs, as well as mobile and social media. With these improvements, DTIM now delivers only the purest distilled information as actionable results to analysts. DTIM also provides the opportunity to identify and stop data theft much earlier in the lifecycle. After a breach, the gap between the theft and detection is the most significant issue. In 98 percent of the cases, the compromise and theft take only minutes, while theft discovery takes weeks to months. To add insult to injury, the majority of thefts are not identified internally but by third parties, who then notify the victims that their information is out in the web somewhere. Forward-thinking organizations that are aggressively seeking to close that gap are investing in DTIM. The VDBIR estimates that only 25 percent of data thefts are motivated by espionage, meaning that at some point, up to 75 percent of stolen data can end up posted or sold in a forum or marketplace. A DTIM solution that collects data from common, deep, and dark web markets, social forums, site and domain information, and other nefarious repositories has a significant opportunity to reduce the dwell time for posted data from weeks to as little as hours.
Companies like ThreatQuotient are delivering proprietary technology to hunt for and identify pertinent information online. Whether it is intellectual property, brand infringement, domain squatting, or one of the many other forms of data violation, the ThreatQ platform is designed to locate and identify the infringement to reduce public data exposure and the associated negative impacts to brand and the customers’ bottom line.
ThreatQuotient was named a Value Leader in the fourth quarter “2017 DTIM Radar Report.” It was identified as being well-funded and having excellent financial growth with strong customer retention. It delivers outstanding integrations for data ingestion and export to and from other tools, combined with an excellent GUI to aid analysts in their investigations. ThreatQuotient also has very good integrations for automating response with internal security systems after breach discovery. The ThreatQ platform is innovative and offers a plethora of benefits for numerous use cases that include not only breach investigations, but also threat hunting and profiling, victimology, security mitigation, and advanced analytics and reporting, making it a strong addition to any serious security shop.