IT security has become an important aspect of corporate success in companies. That’s why decision-makers should take proper care of security in conjunction with threat intelligence.
Gartner advises companies to first optimize their existing security solutions and processes before adopting new protection mechanisms. The analyst speaks of an “Adaptive Security Architecture”, which no longer rests solely on responding to (Respond) and detecting (Detect) cyberattacks, but also values the prediction and active management of incidents.
With a sophisticated threat intelligence strategy, many hacker attacks can be prevented in advance and thus increase IT security in a company.
This idea is becoming more and more important as the IT landscape expands rapidly. Expenditures on digital technology, and thus also on protection mechanisms, keep growing. Recent studies show that the number of connected devices will increase from the current 28 billion to an estimated 50 billion by 2020. The number of networked people will increase from today’s 2 billion to 6 billion by 2020. This means that both the attack surface offered by the network and the attack surface that the human being represents grow larger.
Added to this is the staffing problem. It is estimated that the security labor market will be short 1.5 million professionals by 2019. For IT departments, this means that even with higher salaries they can only find limited new staff to handle the increasing number of devices and incidents.
Gartner also addresses the areas of Predict and Prevent, and speaks of a total of 12 security architecture capabilities. Implementing all this requires not only the right tools and specialists, but also the right strategy for managing and coordinating security operations. Even today, there are 328 simultaneous violations in each company – based on the length of time it takes for a data breach to be detected and the average number of reported incidents.
While the motivation of most adversaries is financial (stealing information such as credit card numbers, patents, and secret information that can be sold on the dark web), hacktivism, cyber warfare, and cyber espionage are also grounds for attack.
Because the issue is so pressing, executives should not leave the departments alone, but should also ask themselves how they can gain effective insight into the large volume of data from security incidents and help identify and prevent the next attack. The goal must be to properly set up and prepare your own IT security teams.
Data mining and threat intelligence
Every security incident worldwide delivers hundreds of Indicators of Compromise (IOCs). They may relate to evidence on the victim’s host (such as malware type, filename, file hash, and registry key), but also to the communication paths of the malicious link (such as IP address, domain name, URL, and port numbers). Both host-based and network-based IOCs indicate a possible intrusion into the network.
The problem is that the data is not always linked, and an enormous amount of data has to be searched. Having four threat intelligence feeds, each of which provides only 300 indicators per day, means that you get at least 500,000 indicators per year. IT professionals do not have the time to examine them all and feed all the information into the existing security tools (IPS, firewalls, etc.). In the end, this can lead to tons of false positives and poor performance.
The input from threat intelligence providers is enormous because they are trying to respond to the changing threat landscape. There are also open source projects and public sources that analyze IOCs and publish threat feeds. Each vendor adds a piece to the puzzle to best depict the current threat landscape. The problem is that organizations need to integrate and harness that knowledge.
As a result, the industry introduced Threat Intelligence platforms to bring all parts together in one location, providing a complete picture of the threat. The Threat Intelligence platform automates uptake, correlation, normalization, and deduplication, serving as the single source of truth for all teams and systems within the organization. It becomes the tool to gain data that will help understand threats, add context to perform analysis and investigation, and leverage information from a company’s processes and tools.
Detect, evaluate and prevent threats
The first step in such a platform is turning the available information into actionable security intelligence, so it is about the correct implementation of defensive measures. Classification then lets you reduce susceptibility. For example, take the following attributes in a platform:
- Malware family
Now, through classification, you can leverage the existing knowledge in the threat intelligence platform to see whether something is a threat to your own business. It is important that such a platform allows criteria to be as granular as possible. On the one hand, these should relate to characteristics of your own users (such as age, owner, user ID), but also to other factors such as Common Vulnerabilities and Exposures (CVE), OS or brand of the device.
Security teams cannot prioritize their actions when indicators are not relevant to their own company. Using an appropriate threat intelligence platform helps to assess and automatically prioritize threats. An important point is that organizations have very different business activities, security operations, and risk profiles. Therefore, evaluation and prioritization should be based on the parameters that are particularly important to them. These include the indicator types (IP address, malware type, host-based vs. network-based, etc.) and the indicator source (open source, commercial, industry-based, and internal sources, such as your SIEM and ticketing systems).
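As an added illustration (not code from the article or from any vendor’s platform) of the normalization, deduplication and prioritization steps described above: the sketch below merges constructed indicators from three assumed feeds, classifies each as host- or network-based, and scores it by indicator type and source. The feed names, sample indicators and weights are assumptions chosen for the example.

```python
import re
from collections import defaultdict
# Constructed sample feed entries (not real indicators); feeds overlap and
# use different formats (defanged URL, mixed case), as real feeds do.
FEEDS = {
    "open_source": ["198.51.100.23", "hxxp://bad[.]example/payload",
                    "EVIL.EXAMPLE", "0123456789ABCDEF0123456789ABCDEF"],
    "commercial": ["198.51.100.23", "evil.example", "0123456789abcdef0123456789abcdef"],
    "internal_siem": ["198.51.100.23", "HKLM\\Software\\Dropper"],
}
# Assumed weights: internal sightings count most; host-based types slightly more.
SOURCE_WEIGHT = {"internal_siem": 3, "commercial": 2, "open_source": 1}
TYPE_WEIGHT = {"hash": 3, "registry_key": 3, "ip": 2, "domain": 2, "url": 1}
NETWORK_TYPES = {"ip", "domain", "url"}
def normalize(raw):
    # Lowercase and undo common defanging so duplicates compare equal.
    return raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def classify(ioc):
    # Indicator type from its normalized form (order matters: hash before domain).
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", ioc):
        return "hash"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ip"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if ioc.startswith(("hklm\\", "hkcu\\")):
        return "registry_key"
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", ioc):
        return "domain"
    return "unknown"

def aggregate(feeds):
    # Normalize and deduplicate across feeds, remembering which sources reported each IOC.
    seen = defaultdict(set)
    for source, entries in feeds.items():
        for raw in entries:
            seen[normalize(raw)].add(source)
    return dict(seen)

def prioritize(agg):
    # Score = type weight * sum of source weights; corroborated indicators rank first.
    rows = []
    for ioc, sources in agg.items():
        t = classify(ioc)
        rows.append({"ioc": ioc, "type": t, "sources": sorted(sources),
                     "scope": "network" if t in NETWORK_TYPES else "host",
                     "score": TYPE_WEIGHT.get(t, 0) * sum(SOURCE_WEIGHT[s] for s in sources)})
    return sorted(rows, key=lambda r: -r["score"])
```

With the sample feeds, the IP seen by all three sources ranks first and the single-source URL last; the same weighting applied to real feeds is what lets a platform push only the relevant, corroborated indicators to the firewall or IPS.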
Although there is a lot of general information, it needs to be put in the right context. Therefore, it makes sense to use appropriate analysis tools. The methods can be compared to the lifelines in “Who Wants to Be a Millionaire”. For example, the ask-the-audience lifeline, where the audience answers, is basically crowdsourcing: security suites are used to check software, and if malicious code is detected there, this know-how is made available. In particularly unusual cases, a specific provider may be added as an expert (the phone-a-friend lifeline) to enrich the information and provide support for this type of attack.
Another method is link analysis, which determines the relationships between criminals, transactions, objects, servers, IP addresses, and specific malware families. All methods aim to make the work of security teams more efficient and to improve connections with technology and tools.
After the analysis, the bundled information must then be exchanged automatically with the existing security tools – without overloading your own security teams. For example, it is about making your own firewall smarter and aware of known threats.
Threat intelligence becomes mandatory
The value of the threat intelligence market will exceed $1 billion next year. Basically, threat intelligence is all about supporting companies’ security and defense strategies. Especially in larger companies, dealing with threat intelligence will become increasingly important. Accordingly, personnel expenses and budgets grow. To keep these investments from going nowhere, management boards should look at the issue and provide the right tools to their professionals.
A Threat Intelligence platform should bundle the existing information from public & commercial sources and enrich it with additional information from an analysis. Such a platform allows the management of threats, even before an attack. When a threat becomes known, IT managers can immediately assess the threat level, putting them in a much better position to fend off attacks.
Threat intelligence empowers IT departments to develop a proactive cybersecurity approach. With more than 5,000 new vulnerabilities and 400 million malware variants emerging each year, organizations must take a proactive stance now and for the years to come.