A Moving Target: Why SMEs need Threat Intelligence

Justifying security spend can be challenging for a SME: resources are limited, you’re trying to defend against an unquantifiable range of threats, and there are plenty of other aspects of the business to invest in that can give tangible results.

Yet if you do nothing, then the business becomes a sitting duck: the repercussions from a major attack are incredibly hard, if not impossible, to recover from for a business with very little reserves.

It’s for these reasons that the SME sector is in dire need of threat intelligence. Information on emerging threat vectors, evidence (such as noise over networks) that a particular sector will become the focus of an assault, malware patterns: all are invaluable in helping to focus resources and network defences. Yet the SME is often operating on the periphery with little else to go on, and the limited threat intelligence it has is garnered from its own perimeter, meaning that it isn’t aware of an emerging attack until it’s too late.

There’s also the widely held assumption that small businesses are small targets and less likely to be impacted. Evidence points to the contrary: the latest Government Information Security Breaches Survey found 74% of small businesses had experienced a breach over the past year, an increase of 60% compared to the previous year, with the worst breach cost averaging between £75k and £311k across the sector. That’s a hefty price to pay, yet convincing the board to finance threat intelligence is still a difficult task, not least because there are limited avenues through which the SME can procure it.

A SME cannot justify the expense of deploying its own Security Operations Center (SOC), cannot provide the resource needed to monitor the sheer weight of events a next generation SOC generates, and is precluded from taking SOC services from one of the big systems integrators.

The same survey cited above found only 16% of those questioned were investing in an internal SOC (although it wasn’t specified if these were SMEs). The limited rollout demonstrates what a massive commitment a SOC is to build, maintain and utilize effectively.

Yet SMEs need access to threat intelligence and SOC services. For evidence of this, one need look no further than the statistics behind DoS attacks. Large organizations are winning the numbers war, with DoS attack rates falling over the past year. But the picture remains unchanged in the SME sector with 16% experiencing attacks year-on-year.

DoS attacks typically generate substantial chatter over social media channels and/or the darknet, and an assault can be tracked sometimes months ahead of the threat becoming real. By collating, analyzing and interrogating data by sector, region, company profile, operational model and technical complexity, it becomes possible to track and predict such attacks and, armed with such knowledge, the SME can bolster its security and improve resilience.

However, to reach a predictive level of threat intelligence with this breadth of monitoring you need access not just to a SOC, but to a next-generation SOC. This differs in that it collates metadata from various dynamic data sources in real time and cross-correlates these using specific criteria before a team of security analysts interprets those events.

Unlike the traditional SOC, the focus is no longer primarily on incident response but on actionable intelligence; information that buys the enterprise time to allocate resource and respond before the threat becomes manifest. This is why SOC analysts are so important, as it’s the human interpretation of those data sets that translates the information into intelligence relevant to the business.
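As an added illustration of the collate-and-cross-correlate step described in the two paragraphs above (tracking chatter by sector and region, then corroborating it across sources before an analyst looks at it), here is a small Python correlation routine. It is example code written for this page, not code from the article or from any SOC vendor; the feed items, the organisation profile, the source names and the scoring thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    """One piece of collated chatter or telemetry (constructed for this example)."""
    when: datetime
    source: str        # assumed source types: "social", "darknet", "honeypot"
    sector: str
    region: str
    kind: str          # assumed labels: "dos-announcement", "target-list", "scan-noise"
    confidence: float  # 0..1 reliability assigned by the source or an analyst


@dataclass(frozen=True)
class OrgProfile:
    """The SME's own profile, used to decide what is relevant to *this* business."""
    sector: str
    region: str


# Constructed sample feed: values are made up, dates are arbitrary.
SAMPLE_FEED = [
    Observation(datetime(2015, 9, 1, 10), "social", "retail", "uk", "dos-announcement", 0.4),
    Observation(datetime(2015, 9, 3, 14), "darknet", "retail", "uk", "target-list", 0.7),
    Observation(datetime(2015, 9, 5, 9), "honeypot", "retail", "uk", "scan-noise", 0.5),
    Observation(datetime(2015, 9, 4, 16), "darknet", "finance", "de", "target-list", 0.8),
    Observation(datetime(2015, 9, 6, 11), "social", "finance", "de", "dos-announcement", 0.9),
    Observation(datetime(2015, 6, 1, 8), "darknet", "retail", "uk", "target-list", 0.9),  # outside window
    Observation(datetime(2015, 9, 7, 12), "social", "retail", "fr", "dos-announcement", 0.3),  # single source
]


def correlate(feed, profile, now, window_days=30, min_sources=2, min_score=1.0):
    """Cross-correlate observations by (sector, region) and rank them for an analyst.

    Assumed rules for this example (not any product's logic):
    - only observations inside the look-back window count;
    - an alert needs corroboration from at least `min_sources` distinct source
      types and a summed confidence of at least `min_score`;
    - alerts matching the SME's own sector and region are ranked first, so the
      analyst queue reflects relevance to the business rather than global volume.
    Returns a list of alert dicts.
    """
    cutoff = now - timedelta(days=window_days)
    buckets = defaultdict(list)
    for obs in feed:
        if cutoff <= obs.when <= now:
            buckets[(obs.sector, obs.region)].append(obs)

    alerts = []
    for (sector, region), observations in buckets.items():
        sources = {o.source for o in observations}
        score = sum(o.confidence for o in observations)
        if len(sources) < min_sources or score < min_score:
            continue  # uncorroborated or weak: stays as raw data, not intelligence
        earliest = min(o.when for o in observations)
        alerts.append({
            "sector": sector,
            "region": region,
            "sources": sorted(sources),
            "kinds": sorted(o.kind for o in observations),
            "score": round(score, 2),
            # how long the signal has been building: the time the SME gains to prepare
            "lead_time_days": (now - earliest).days,
            "relevant_to_us": sector == profile.sector and region == profile.region,
        })
    alerts.sort(key=lambda a: (a["relevant_to_us"], a["score"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FEED, OrgProfile("retail", "uk"), datetime(2015, 9, 8)):
        print(alert)
```

Note the ordering choice: the finance/Germany cluster has the higher raw score, but the retail/UK cluster is queued first because it matches the SME's profile, which is the point of correlating by company profile rather than by volume alone.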

Thankfully, the threat intelligence sector is now diversifying and for the tenacious SME the time is now right to seize the advantage and outsource a SOC. In addition to the usual requirements such as SIEM, event logging and data analytics, it’s beneficial to look at the managed services on offer.

How wide-ranging is the threat-gathering operation in terms of geography, data sources and the networks traversed? Will the solution generate the reports required to meet compliance needs? How is the data captured, correlated and analyzed, and by whom? How will the provider work with your organization to ensure effective, proactive incident response? Is there the opportunity for an entry-level service that will then scale with your business? After all, there’s no point in taking on a service only to then go through the upheaval of transferring to another supplier when the business grows.

Threat intelligence can provide both a competitive and a defensive advantage. Going forward, the SME will find itself operating in an increasingly hyper-connected environment and is liable to experience more, and more sustained, attacks. Having the ability to anticipate and even predict how those attacks will turn out is the difference between a SME that’s a sitting duck and a SME that’s a moving target.
