[BreachExchange] An intelligence-driven approach to cyber threats
Destry Winant
destry at riskbasedsecurity.com
Fri Jun 7 06:15:16 EDT 2019
https://www.helpnetsecurity.com/2019/06/06/intelligence-driven-approach-to-cyber-threats/
In the age of big data, it is easy to think that only machines can
detect a signal amid the noise. While it’s true that big data tools
can discover signals that might not be obvious, they can also create
their own kind of noise in which the true signal — a true threat — can
be lost.
That’s a problem anyone dealing with traditional security monitoring
systems over the past few years has come to recognize. Threat
detection systems have become extremely good at flagging anything
that looks anomalous, but as the number of detected anomalies keeps
going up, the number of actual threats among them remains a small
fraction. Research indicates that less than 1% of reported anomalies
represent actual threats, and figuring out which of the detected
anomalies are those dangerous few is exhausting, anxiety-inducing work.
The need for human, contextualized intelligence
What security professionals suffering from alert fatigue need is
threat intelligence that has already been vetted and contextualized by
human beings. Big data and AI tools provide an abundance of data and
they can identify events and activities of concern, but most security
professionals within an enterprise have neither the training nor the
time to make sense of the raw information. They need threat
intelligence that has already been sifted, analyzed and
contextualized, a “finished intelligence” that is “actionable” to
their organizations.
That’s where human intelligence professionals and threat hunting teams
come into play. These professionals detect a different kind of threat
than those detected by big data and AI tools. If machine tools excel
at detecting individual trees, human intelligence professionals excel
at understanding the character of the forest.
They can detect code phrases and double meanings in dark web
conversations that machine tools may not detect (until they’ve been
trained to do so). They can consider the motives of threat actors and
the connections that bind them. They can examine the actions of these
actors, even actions that are ostensibly benign, and occasionally
detect a plan in those activities long before a machine can detect an
exploit resulting from those actions.
Augmenting intelligence for a more focused response
I’m not suggesting that human intelligence professionals and threat
hunting teams replace the monitoring and detection systems. Instead,
they can augment and enhance the raw intelligence captured by these
powerful machine tools. Human intelligence teams can bring insight to
the interpretation of raw intelligence that no machine can. They can
connect clues with the glue of experience and contextual
understanding, which no machine yet does.
The challenge of acting on augmented intelligence
There’s one problem with gaining access to this kind of augmented
intelligence: few organizations are in a position to use it
effectively. The defensive infrastructure of most organizations is
still cluttered with old walls erected to stop older threats, and the
work of tuning those defenses remains a serious challenge.
Security personnel within an organization need deeper insight into the
hardware, software and services that make up the organization’s
infrastructure. Finished intelligence is going to provide much more
focused information about which organizations are at risk, at which
points of vulnerability, and for what reason. A new threat may take
advantage of a vulnerability in firmware on a certain class of IoT
device, for example, but a security team can act on that information
only if it knows that those devices are in its IoT estate and at what
release level their firmware is.
What enterprise security professionals need is a way to operationalize
this finished threat intelligence. They need tools that can provide
deep insight into the hardware, software and processes that make up
the operational ecosystem of the enterprise, including its endpoints,
networks, clouds, IoT devices, supply chains and more. Moreover, they
need tools that let them make changes to any element in that
ecosystem in a streamlined and orchestrated manner.
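The two paragraphs above make one concrete demand: an advisory that says "firmware X on device Y, versions a up to b" is only actionable if you can look up which of your own assets fall in that range. Below is an added example of that lookup (it is not code from the article, from Help Net Security or from Risk Based Security). The `Asset` and `Advisory` records, the hostnames, the "Acme IPCam" models and the version ranges are all constructed for illustration; the only real-world detail it encodes is that firmware versions must be compared numerically and that a release candidate predates its release. Assets that match the affected model but have no recorded firmware level are reported separately, because that is exactly the gap the article says most organizations have.

```python
"""Match finished threat intelligence against an asset inventory.

Added example, not part of the original article. Everything below
(device models, hostnames, version ranges) is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    model: str
    firmware: str            # as recorded in the inventory; empty if never collected


@dataclass(frozen=True)
class Advisory:
    vendor: str
    model: str
    affected_from: str       # first affected firmware (inclusive)
    fixed_in: Optional[str]  # first fixed firmware (exclusive); None = no fix published
    summary: str


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?")


def parse_version(text: str):
    """Turn '2.5.0-rc2' into a sortable key.

    Numeric parts compare numerically (2.10 > 2.9, which a string compare
    gets wrong), trailing zeros are dropped (2.4 == 2.4.0), and a
    pre-release tag sorts below the release with the same numbers
    (2.5.0-rc2 < 2.5.0). Raises ValueError on anything it cannot parse,
    including an empty string.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if m.group(2) is None:
        pre = (1, "", 0)                                      # final release
    else:
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))   # pre-release tag
    return (tuple(nums), pre)


def is_affected(asset: Asset, adv: Advisory) -> Optional[bool]:
    """True/False if the asset is inside/outside the advisory's range;
    None if the inventory cannot tell (right device, firmware level unknown)."""
    same_device = (asset.vendor.casefold(), asset.model.casefold()) == \
                  (adv.vendor.casefold(), adv.model.casefold())
    if not same_device:
        return False
    try:
        fw = parse_version(asset.firmware)
    except ValueError:
        return None
    if fw < parse_version(adv.affected_from):
        return False
    if adv.fixed_in is not None and fw >= parse_version(adv.fixed_in):
        return False
    return True


def triage(inventory, advisories):
    """Map each advisory summary to the hostnames it hits and to the
    matching devices whose firmware level is missing from the inventory.
    Advisories that touch nothing are dropped from the report."""
    report = {}
    for adv in advisories:
        affected, unknown = [], []
        for asset in inventory:
            verdict = is_affected(asset, adv)
            if verdict is True:
                affected.append(asset.hostname)
            elif verdict is None:
                unknown.append(asset.hostname)
        if affected or unknown:
            report[adv.summary] = {"affected": sorted(affected), "unknown": sorted(unknown)}
    return report


# Constructed inventory and advisories (hypothetical vendor, models and ranges).
INVENTORY = [
    Asset("cam-lobby-01", "Acme", "IPCam-200", "2.4.1"),
    Asset("cam-lobby-02", "Acme", "IPCam-200", "2.10.1"),     # numerically above the fix
    Asset("cam-lobby-03", "Acme", "IPCam-200", ""),           # firmware never collected
    Asset("cam-dock-01", "Acme", "IPCam-200", "2.5.0-rc2"),   # predates the fix release
    Asset("cam-dock-02", "Acme", "IPCam-300", "2.4.1"),
    Asset("sw-core-01", "Other", "Switch-9", "7.1"),
]
ADVISORIES = [
    Advisory("Acme", "IPCam-200", "2.0", "2.5.0",
             "constructed: IPCam-200 firmware 2.0 <= v < 2.5.0 affected"),
    Advisory("Acme", "IPCam-300", "1.0", None,
             "constructed: IPCam-300 firmware >= 1.0 affected, no fix yet"),
]

if __name__ == "__main__":
    for summary, hosts in triage(INVENTORY, ADVISORIES).items():
        print(summary)
        print("  affected:", ", ".join(hosts["affected"]) or "-")
        print("  unknown firmware:", ", ".join(hosts["unknown"]) or "-")
```

The "unknown" bucket is the part worth keeping in a real pipeline: a device that matches the advisory but has no firmware level on record cannot be marked safe, and listing it tells the team where inventory collection has to improve before the intelligence can be acted on.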
Better threat intelligence creates an opportunity for an enterprise to
mount a proactive cyber defense, but without an ability to
operationalize that threat intelligence, the enterprise may not be
able to launch the defense effectively in advance of the impending
attack. With tools to operationalize this threat information, an
organization can respond quickly and effectively to protect its
people, data and processes — even its brand and reputation — from any
emerging cyber threat.
Moving forward
An intelligence-driven approach to cyber threats requires movement on
two fronts simultaneously.
On the first front, we need to continue to gather and analyze threat
data aggressively, so that finished intelligence that has been vetted
and contextualized by human intelligence experts and threat hunting
teams can be passed on to the security professionals within an
organization. On the second, those professionals need the means to
operationalize it, so they can proactively implement the appropriate
precautions to protect the enterprise against the real threats in the
environment.