‘Threat intelligence’ is a phrase that’s being bounced around in the security industry quite a lot at the moment. It is clear from the high-profile breaches in recent months that cybersecurity within enterprises is not where it needs to be, but is threat intelligence the key?
It has turned into quite a controversial debate, with many touting that it will do very little to improve cybersecurity. On the other hand, there are clear advantages.
These differences in opinions have resulted in some misconceptions emerging, so what exactly is ‘threat intelligence’ and how can it be used to improve the state of cybersecurity in the UK?
- Misconception: Intelligence feeds will do very little to substantially improve cybersecurity.
Truth: Collective threat intelligence ensures that when a breach or particular attack is detected in one organisation, this information can be shared among others. Cyberattacks are proliferating at such a rapid rate that only real-time intelligence that is shared will result in better cybersecurity – you can no longer wait for an update to be pushed out 24 hours later, it needs to be almost immediate. By leveraging everyone’s encounters with malicious activity, you improve security for the group.
- Misconception: Most organisations do not have the human resource required to make use of these tools.
Truth: As security has advanced it has become more complicated, increasing the number of data points for security teams to search through. This drains resources and distracts from the real threats because resources are too focused on small events that pose less of a risk to the business. Threat intelligence is about sharing the right information so the biggest threats can be identified easily and mitigated as quickly as possible.
- Misconception: Organisations just need to know they are protected, they do not need to know the details of an attack.
Truth: Although protection is the number one priority, organisations should have the ability to look at the granular details of an attack because this will improve the response time in future. Unfortunately, breaches will happen, so it is about reducing the time taken to respond by understanding previous events and where the organisation is vulnerable. This means time can be better spent mitigating the problem and alerting those affected.
- Misconception: Threat intelligence vendors guard their research to the detriment of the wider community.
Truth: Although companies share data with one another, they are also competitors and often cherry-pick which data is shared, keeping private the data they know is most valuable. However, sharing some information is better than sharing none at all, and organisations such as CiSP, which is part of CERT-UK, play an important role in anonymising and mediating the data. Vendors have also realised the benefits of anonymously sharing threat intelligence between clients, so if an attack happens in one organisation, other users are protected.
- Misconception: At its best, threat intelligence might provide occasional protection from attacks. At its worst it’s an expensive source of information that has little impact on security.
Truth: The issue is that we cannot afford to stand still when it comes to cybersecurity. Attackers are constantly innovating and sharing threat techniques and we need to be doing the same. Operational threat intelligence - data that can be consumed by security solutions as opposed to consultancy - is advancing, making it far easier to use and accessible to organisations of all sizes.
Like the term ‘big data’, threat intelligence is at risk of becoming just another buzzword, a collective term for security tools – some of which do little to improve security. But once you delve into what threat intelligence is, the benefits are clear and it will be a vital tool in the enterprise’s defences. It allows organisations to be far more flexible and adapt to the threat landscape as it changes. This enables security teams to be far more proactive and focus on what is important.
In a time where data breaches seem to be hitting the headlines almost weekly, with big names such as Mumsnet and Ashley Madison suffering, being flexible and able to respond to a breach quickly is crucial.
Grayson Milbourne, security intelligence director at Webroot