If Threat Intelligence Isn’t the Answer, You’ve Asked the Wrong Question

In June 2015, an article titled Threat Intelligence May Not Be the Answer put forward the argument that at its best, intelligence might provide occasional protection from attacks, but is also an expensive source of data that bears no relevance to securing a network and may mislead decision-makers.  The article suggested that limited security budgets are better invested in strengthening defenses, responding to attacks and preventing damage.

In the current cybersecurity climate, with attacks constantly growing – our latest Security Report found that in 2014, DDoS attacks had increased six-fold compared with the previous year, and unknown malware downloads had increased nearly 50 times – businesses are rightly concerned about how they can better protect themselves, and what security technologies they should be investing in. 

But I believe that now more than ever, threat intelligence is a critical component in mounting effective cybersecurity defenses, to mitigate the ever-growing numbers and variety of attacks.  As General David M. Shoup of the Marine Corps put it: "to lack intelligence is to be in the ring blindfolded." 

Three to four years ago, the threat intelligence market was fragmented.  Information could be expensive and difficult to convert into protections without expert input.  Since then, however, a number of major advances have been made in the way that threat intelligence is gathered, shared and used to boost security.  I now believe threat intelligence is critical to maintaining security for any size of organization.

Secret intelligence

Even though it’s true that intelligence vendors are reluctant to share information for free – after all, it is their intellectual property – the creation of security intelligence marketplaces means that feeds can be flexibly and scalably priced, according to the number of gateways and the number of intelligence sources required. 

So pricing is not monolithic or one-size-fits-all:  it can range from feeding a single security gateway to supplying estates of thousands of gateways across an enterprise.  Organizations can therefore sign up to receive exactly the information they need, according to their size and scale of deployment, on a pay-as-you-go basis.

These marketplaces are effectively like a subscription TV service.  Users choose the channels that are important to them:  some will take the basic package, others will add a selection of premium content such as movies or sports.  It’s the same with security intelligence feeds.  For many users, the basic service will fulfil their needs.

Others, especially those in specific verticals such as retail, finance, healthcare, the utility sector or other industries with more stringent regulatory demands, can choose the intelligence feeds that help them meet their compliance requirements – and their budget requirements.

Assembling pieces of the puzzle

Gaining a complete view of a campaign is an issue that intelligence marketplaces directly address.  Even three years ago, certain types of security intelligence were niche, with organizations being unaware of the availability of the information unless they already happened to be a customer of the vendor. 

By aggregating feeds and making them available from a single, large marketplace – again, the analogy of a pay-TV service, or an app store, holds – organizations have a standardized, automated mechanism for exploring, accessing and gathering high-quality intelligence that suits their needs, to help them get a wider view of the attack puzzle. 

Turning intelligence into action

Security intelligence must be quickly actionable to be relevant, and to deliver effective protections.  Again, three to four years ago, the intelligence supplied by vendors would in some cases have to be manually loaded onto security solutions in order for it to be used properly.  This could have been a challenge for some companies – smaller organizations may not have had the resources or the know-how to do this; and larger companies may not have the necessary processes to manage it. 

However, some modern security appliances and solutions can take intelligence feeds in a variety of formats, including STIX, and update gateways with the latest protections either manually or automatically, without the need for specialist input or management of rules – in much the same way the body’s immune system responds automatically to vaccination to build immunity to a virus.  This takes the manual processing out of making full use of the intelligence, and minimizes the burden on the already overstretched resources of IT teams.
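As an added illustration of what that automated ingestion step involves (example code written for this page, not from the article or any vendor's product): it reads a constructed STIX 2.1-style JSON bundle, drops revoked and expired indicators, loads the simple single-observable patterns straight into gateway blocklists, and sets aside compound patterns that still need an analyst's judgement. The STIX 2.1 JSON shape, the indicator ids and every sample value are assumptions for the demonstration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1-style indicator bundle (sample data, not from the article).
# indicator--2 has expired, indicator--3 is revoked, indicator--4 is a compound pattern.
FEED_JSON = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "valid_from": "2015-06-01T00:00:00Z", "valid_until": "2016-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "valid_from": "2015-06-01T00:00:00Z", "valid_until": "2015-06-10T00:00:00Z",
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix", "revoked": True,
     "valid_from": "2015-06-01T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
     "valid_from": "2015-06-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.9' AND network-traffic:dst_port = 4444]"},
    {"type": "malware", "id": "malware--1", "name": "sample-family"},
]})

# Only single equality comparisons are mapped onto the lists a gateway can enforce directly.
SIMPLE = re.compile(r"^\[([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\]$")
KINDS = {("ipv4-addr", "value"): "ip", ("domain-name", "value"): "domain",
         ("file", "hashes.'SHA-256'"): "sha256"}

def _ts(s):
    """Parse the UTC timestamps STIX uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_protections(feed_json, now):
    """Return ({kind: set(values)}, [indicator ids needing analyst review])."""
    protections = {k: set() for k in KINDS.values()}
    review = []
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only active indicators become protections
        if now < _ts(obj["valid_from"]) or ("valid_until" in obj and now >= _ts(obj["valid_until"])):
            continue  # stale intelligence would only generate false positives
        m = SIMPLE.match(obj["pattern"])
        kind = KINDS.get((m.group(1), m.group(2))) if m else None
        if kind is None:
            review.append(obj["id"])  # compound or unsupported pattern: needs expert input
            continue
        protections[kind].add(m.group(3).lower())
    return protections, review

def is_blocked(protections, kind, value):
    """Gateway-side check: does an observed IP, domain or file hash match the loaded feed?"""
    return value.lower() in protections.get(kind, set())
```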

In conclusion, no single vendor has a monopoly on security intelligence.  Threat intelligence marketplaces are addressing the issues of threat data not being widely known, or accessible to organizations; and of turning that intelligence into protections against new and emerging threats.  Having strong security defenses and good security intelligence is not an either/or decision for companies:  having both is essential for a strong security stance, because intelligence is the fuel that powers the security engine.  By opening up a wide range of intelligence feeds to the market, every company can benefit from their use.
