Threat Intelligence – Why it is the fuel that powers cyber defenses

By Michael Xie

For anyone reading the news regularly, it’s not hard to grasp that cyber threats are getting more sophisticated and damaging by the day. From a security technology provider’s perspective, I can add that tackling them is a fast mounting challenge for the millions of businesses that come under attack daily.

Modern cybersecurity technologies – assuming you have already put in place the right professionals, policies, and processes – are a must. But organizations deploying them need to look beyond the boxes that sit on their racks.

What underpins your security appliances is invisible, but plays a pivotal role in ensuring that those boxes block the threats that imperil your business. Threat intelligence – or more specifically, the security appliances’ ability to know the ins-and-outs of the evolving threat landscape and then respond to them appropriately – is the fuel that powers your cyber defenses.

Getting timely, accurate and predictive threat intelligence is much tougher than it sounds. It calls for a robust security team that includes a focus on threat intelligence. This encompasses several components:

  1. Divide and conquer – In many aspects of business, large teams equate to large outputs. When trying to outsmart well-motivated cybercriminals, however, following conventional wisdom seldom works well. In my experience, an effective IT security group should be made up of a number of security specialists, each dedicated to a particular type of threat (ransomware, phishing, multi-vector attacks, etc.) or network segment (data center, web, cloud, IoT, endpoint devices, etc.). The security landscape is broad, and along with increased job satisfaction, encouraging specialization boosts competency and efficacy – leading to faster discovery of threats, more frequent identification of sophisticated threats that might previously have been overlooked, and shorter gaps between compromise, discovery, and response.
  2. Stay fleet-footed – Your threat team members must be nimble. The threat landscape is highly dynamic, changing by the day, or even by the hour or minute. Your security team must be able to adjust its priorities and refocus on the fly. At Fortinet, for instance, projections of how the threat landscape will evolve often affect our research plans, which are updated accordingly. Likewise, institutional awareness of threat trends and risks can influence decisions on how and where to expand IT resources. It is better to know these things before investments of time and resources are made than afterwards.
  3. See the big picture – This advice is two-fold. First, your security team members must be encouraged to pursue their interests, even if you don’t always see a direct link to your company’s products or services. Research on IoT vulnerabilities, for instance, can deepen an enterprise’s understanding of the threat landscape.
    At the same time, resist the tendency to create security silos. Team members need a forum to share their research and information with each other as well as with other affected groups in the organization. And this information needs to be converted into actionable intelligence that can be tied directly to your organization’s digital strategy.
  4. Hone your instincts – Research leaders must train their teams to develop the acumen needed to identify and label a threat as critical before that fact becomes obvious to all. Professional threat researchers, for instance, had been warning for years that IoT vulnerabilities were the next big menace – long before the Mirai IoT botnet appeared in September 2016 and made it plain to the world. Now imagine having, and trusting, that sort of insight on your own team. Threats emerge and evolve swiftly. If a security team is slow to research them and react, critical resources will be slow to get protected.
  5. Amass data – The more data your security team has access to, the greater its potential to identify and mitigate threats. Enlightened security teams also share – not hoard – information. At Fortinet, for example, beyond tapping the 3 million sensors we have deployed around the globe, we actively exchange threat intelligence with organizations like INTERPOL, NATO and other security technology providers through the Cyber Threat Alliance.
    So, in addition to subscribing to threat intelligence feeds, establish a policy for sharing threat intelligence, especially with your industry peers. One effective way to do this is to join a related ISAC (Information Sharing and Analysis Center). Intelligence sharing helps all parties build a bigger threat database to monitor, block, and trace malware back to its source.
  6. Invest in research technology – Effective research requires advanced tools to interpret and correlate the reams of data pouring into the expanding network every second. In many organizations, human beings are still performing the relatively complex tasks of connecting the dots, sharing and correlating data and then applying that data to systems. Organizations can implement tools like Content Pattern Recognition Languages (CPRLs) to help identify thousands of current and future virus variants, and today’s SIEM tools can correlate data from a variety of devices from different manufacturers.
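The sharing, feed-consumption and cross-vendor correlation steps above (items 3, 5 and 6) are the part of this list that turns into code. The example below is added here and is not code from the Fortinet post or any Fortinet product. It ingests a small STIX 2.1 indicator bundle of the kind an ISAC or commercial feed distributes, normalizes log lines from three differently formatted devices (a key=value firewall syslog, a JSON web-proxy log and a CSV endpoint-agent log), matches every observable against the indicators, and escalates only hosts that hit indicators from at least two independent device types. The bundle, the log lines, the hash and the identity names are all constructed for illustration; the IP addresses are from the RFC 5737 documentation ranges and the domain uses the reserved .example TLD.

```python
"""Consume a threat-intelligence feed and correlate it across vendor log formats.

Added example, not code from the original post.  All feed objects and log
lines below are constructed; nothing here refers to a real incident.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed hash standing in for a dropper's SHA-256 (not a real sample).
DROPPER_SHA256 = "0123456789abcdef" * 4

# --- 1. A STIX 2.1 bundle as a feed or ISAC partner might publish it (constructed) ---
FEED_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--example-0001",
    "objects": [
        {"type": "identity", "id": "identity--isac", "name": "Sector ISAC (constructed)"},
        {"type": "indicator", "id": "indicator--0001", "name": "C2 server",
         "pattern": "[ipv4-addr:value = '198.51.100.23']", "pattern_type": "stix",
         "created_by_ref": "identity--isac", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--0002", "name": "Phishing domain",
         "pattern": "[domain-name:value = 'login-update.example']", "pattern_type": "stix",
         "created_by_ref": "identity--peer", "labels": ["phishing"]},
        {"type": "indicator", "id": "indicator--0003", "name": "Dropper",
         "pattern": "[file:hashes.'SHA-256' = '" + DROPPER_SHA256 + "']",
         "pattern_type": "stix", "created_by_ref": "identity--isac", "labels": ["malware"]},
        # Compound pattern: deliberately unsupported below, so it must be skipped, not half-parsed.
        {"type": "indicator", "id": "indicator--0004", "name": "Scanner pair",
         "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '203.0.113.6']",
         "pattern_type": "stix", "created_by_ref": "identity--peer", "labels": ["scanning"]},
    ],
})

# Map STIX observable types to the normalized key used for log events.
STIX_TYPE_TO_KEY = {"ipv4-addr": "ip", "domain-name": "domain", "file": "sha256"}
# Only single-comparison patterns are handled; anything else is skipped.
_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")


def parse_indicators(bundle_json):
    """Return {(key, value): indicator object} for every usable indicator in the bundle."""
    index = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"].strip())
        if not m or m["type"] not in STIX_TYPE_TO_KEY:
            continue                                  # compound or unsupported: skip
        if m["type"] == "file" and m["prop"] != "hashes.'SHA-256'":
            continue                                  # only SHA-256 is matched here
        index[(STIX_TYPE_TO_KEY[m["type"]], m["value"].lower())] = obj
    return index


# --- 2. Normalize three vendor formats into one event shape ---
_KV = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Return {"source", "host", "observables": {(key, value)}} or None if unrecognized."""
    line = line.strip()
    if line.startswith("{"):                          # web proxy: one JSON object per line
        rec = json.loads(line)
        return {"source": "proxy", "host": rec["client"],
                "observables": {("domain", rec["host"].lower())}}
    if line.startswith("date="):                      # firewall: key=value syslog
        kv = dict(_KV.findall(line))
        return {"source": "firewall", "host": kv["srcip"],
                "observables": {("ip", kv["dstip"])}}
    if line.count(",") == 3:                          # endpoint agent: ts,host,event,sha256
        _ts, host, _event, digest = next(csv.reader(io.StringIO(line)))
        return {"source": "endpoint", "host": host,
                "observables": {("sha256", digest.lower())}}
    return None


# --- 3. Match and correlate ---
def correlate(indicators, lines):
    """Group indicator hits by internal host, keeping feed provenance for each hit."""
    hits = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        for obs in ev["observables"]:
            ind = indicators.get(obs)
            if ind:
                hits[ev["host"]].append({"source": ev["source"], "observable": obs,
                                         "indicator": ind["name"],
                                         "feed_origin": ind["created_by_ref"],
                                         "labels": ind.get("labels", [])})
    return dict(hits)


def escalate(hits):
    """Hosts that hit indicators from two or more independent device types.

    One firewall hit on a shared IP may be noise; the same host also resolving a
    phishing domain and writing a known dropper is the multi-vector picture that
    justifies an incident."""
    return sorted(h for h, hl in hits.items() if len({x["source"] for x in hl}) >= 2)


# Constructed log lines from three devices; 10.0.0.5 is the compromised host, 10.0.0.7 is benign.
SAMPLE_LOGS = [
    "date=2017-06-12 time=10:01:02 devname=fw1 srcip=10.0.0.5 dstip=198.51.100.23 dstport=443 action=accept",
    "date=2017-06-12 time=10:01:05 devname=fw1 srcip=10.0.0.7 dstip=198.51.100.99 dstport=443 action=accept",
    '{"ts": "2017-06-12T10:01:10Z", "client": "10.0.0.5", "host": "login-update.example", "status": 200}',
    '{"ts": "2017-06-12T10:01:12Z", "client": "10.0.0.7", "host": "www.example.com", "status": 200}',
    "2017-06-12T10:02:00Z,10.0.0.5,file_write," + DROPPER_SHA256,
    "2017-06-12T10:02:30Z,10.0.0.7,file_write," + "fedcba9876543210" * 4,
]

if __name__ == "__main__":
    found = correlate(parse_indicators(FEED_BUNDLE), SAMPLE_LOGS)
    print(json.dumps({"hits": found, "escalate": escalate(found)}, indent=2, default=list))
```

Two design points carry over to a real deployment. First, `parse_indicators` refuses compound patterns rather than matching only their first term, because a half-parsed indicator produces confident-looking false positives; a production consumer would use a full STIX pattern parser. Second, each hit retains `feed_origin`, so when a partner's indicator turns out to be wrong the affected alerts can be found and the feedback returned to the sharing community, which is the other half of the sharing policy the post recommends.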

But the future belongs to technologies like big data analytics and artificial intelligence. A mature AI system will be able to constantly adapt to the growing attack surface, automate complex tasks such as correlating and analyzing raw threat intelligence, and then make autonomous decisions at digital speeds.

No matter how advanced AI becomes, however, full automation – handing 100% of the control to machines to make all the decisions all the time – is not currently attainable. Human intervention will still be needed for some time. For example, while big data and analytics platforms allow malware progression to be predicted, predicting how malware will mutate is still beyond the scope of current technology. Only a skilled and intuitive human mind could currently foresee that a ransomware attack like WannaCry would embed exploits leaked from the National Security Agency to propagate on unpatched systems.

But the patterns are there to see. Malware evolution, for example, will intrinsically follow technological evolution, such as how people blend new technologies into their everyday life. If in the coming years, for instance, self-driving cars and wearable IoT find widespread adoption, cybercriminals will – as they have always done – find ways to ride the wave and exploit those cars and devices. Likewise, cryptocurrencies, if they continue to grow at their current rates, will attract herds of hackers.

The concept of automation is opening up many new possibilities for cybercriminals, and turning up the heat on organizations. As hackers step up the amount of automation in their malware, attacks will not only come at organizations faster, they will also reduce the time between breach and impact, while learning how to avoid detection. Increasingly, firms will need to respond in near real time − in a coordinated fashion across the distributed network ecosystem, from IoT to the cloud. This means not only implementing and integrating effective security tools, but building a security team of highly skilled professionals. Not many enterprises have the capability to do this today, and that’s something CIOs should start worrying about.

(From Fortinet blog). 
