Not all cyber information is created equal

The cybersecurity market is crowded. Most businesses are striving for increased cyber confidence or capabilities, yet the security product landscape is vast, complex and dynamic.

This can lead to confusion in purchasing decisions, leaving many organisations feeling burdened with inflexible IT security architectures that deliver little return on investment. Moving away from traditional security is one step, as it tends to look inwards and focus on the risks from internal networks, employees, cloud-based applications and workloads.

Organisations instead need to look outwards because, in the digital age, the data within an organisation’s perimeter is only a tiny subset of the picture an attacker can build about their target. A company’s digital footprint now includes a changing set of details shared across the extended enterprise (employees, suppliers, customers, outsourcers) in published data, social media and numerous links to and from third-party websites.

As businesses increase their security maturity and capability, they should be developing an ‘attacker’s eye view’. This means working towards a proactive understanding of hacking techniques, tactics and procedures. Suspicious activities as well as known attacks can now be traced back to their source, while dark web chatter can give a real insight into any attacker’s perspective of their targets.

With the right skills and technologies in place, an organisation can correlate this ‘in the wild’ intelligence with data from its own infrastructure to assess its vulnerabilities and develop faster, more effective threat prevention and incident response. But how can an organisation assess the available data sources and evaluate which will provide something meaningful for the business?

Mining the myriad of data sources

Firstly, an organisation should consider how it uses the cyber intelligence from its own network, gateways and security devices (firewalls, sandboxes, intrusion detection/prevention systems etc.). It must also consider how to use alerts from internal systems (domain controllers, directory services etc.) and from the growing number of endpoints and SIEM systems. This data can be correlated and analysed by cyber specialists to flag unexpected behaviour.

If selected and used in the right way, machine-orientated external sources can also enhance the detection and protection capabilities of a cybersecurity team. Some new solutions on the market use machine-based learning to establish baselines for normal behaviour and look for deviations from these, alerting on suspicious patterns that would otherwise remain unidentified.

However, these sources can also give an inaccurate or incomplete view, and their value and content can vary dramatically. Companies should evaluate them carefully and, most importantly, combine them with a human enrichment capability to eliminate false positives and focus on what really matters to the business. Then there is the growing body of valuable intelligence from sources ranging from National Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centres (ISACs) to less structured industry-specific sources and sponsored threat exchange environments.

Quality over quantity

Businesses must, however, understand that not all cyber information is created equal, with industry voices urging caution over the risks of adding irrelevant data. High-performing cybersecurity requires a brutal focus on context to minimise unwanted results such as slowing down business by blocking legitimate traffic, or shutting down critical systems.

Business analysts who look at patterns to inform decisions about profitability and growth have highly specialist skills, experience and often qualifications. 

Likewise, to maximise the value of cyber intelligence solutions, firms may need to review the skills and resource allocation of their information security teams. The SANS Institute survey confirmed that even organisations committed to cyber intelligence may have just one person allocated to this task. But one full-time employee, no matter how skilled, cannot be responsible 24/7/365 for the human enrichment needed to interpret cyber intelligence in context and make real-time recommendations.

As well as assessing and evaluating new and innovative technology solutions, this resourcing constraint is why some organisations may look for partners to help achieve and maintain the right levels of contextual cyber intelligence, integrating this with the right resources to respond to an incident in real time. 

The attackers will not stop, and nor must organisations in their efforts to predict the next cybersecurity threat.

Dave Polton, Chief Security Architect at NTT Security
