10 Vital Features You Need In A Threat Intelligence Platform
From visibility into dark web data and managing third-party and infrastructure risk to shifting intelligence onto the device itself, here’s where threat intelligence companies should be making investments.
Putting Data To Work
Threat intelligence is the analysis of data using tools and techniques to generate meaningful information that helps mitigate risk around existing or emerging threats, according to the EC-Council, which offers cybersecurity certification, education, training and services in cybersecurity skills.
Threat intelligence helps organizations make faster, more informed security decisions and change their behavior from reactive to proactive to combat attacks.
Threat intelligence helps organizations obtain valuable knowledge about new and emerging threats, build effective defense mechanisms and mitigate the risks that could cause financial and reputational damage, the EC-Council said. Having a better sense of potential attacks organizations are exposed to allows them to proactively tailor their defenses to reduce the likelihood of a future attack.
As part of Cybersecurity Week 2021, CRN spoke with 10 vendor executives about new and emerging capabilities that have made threat intelligence platforms more relevant for customers. From visibility into dark web data and managing third-party and infrastructure risk to streamlining technology integration and shifting intelligence onto the device itself, here’s where threat intelligence companies should place their bets.
Visibility Into Dark Web Data
Threat intelligence vendors have invested resources into examining whether employee usernames, passwords or credit card data are available for sale on the dark web, according to David Dufour, Webroot’s senior vice president of cybersecurity and engineering. Data on the dark web can never be removed, but Dufour said there are various steps businesses need to take if employee data is found.
Organizations should immediately change passwords associated with any accounts found on the dark web as well as change the username itself if possible, said. Depending on the size and amount of data found on the dark web, businesses might also need to contact authorities like the FBI and conduct a thorough audit of their systems to ensure compromised accounts weren’t used for nefarious purposes.
Threat intelligence vendors looking to compile dark web data will need to tread carefully since the legal ramifications of possessing stolen data without permission remain unclear, according to Dufour. Some cybersecurity vendors have opted to provide hooks into the roughly half-dozen companies collecting dark web data rather than collecting the data themselves to limit their legal liability, Dufour said.
Third-Party Risk And Vulnerability Management
Many businesses have doubled the number of key third-party vendors they’re using since the onset of the COVID-19 pandemic, upping the work required to monitor their security posture, according to Heath Anderson, LogicGate’s vice president of information security and IT. Companies should analyze the public domains and media mentions of their key third-party vendors, with a specific focus on breaches.
The website configuration, security posture and domain health of key third parties should also be monitored, with threat intelligence platforms putting all the information into a single dashboard for customers to view, Anderson said. Many vendors will give customers a third-party risk health score that’s constantly updated as additional context is pulled in, according to Anderson.
From a vulnerability management standpoint, threat intelligence vendors should identity the specific tools and services a customer is using and cross-reference that with CVE vulnerability data to see what’s susceptible, Anderson said. Having additional context about vulnerabilities up front makes conversations with IT much easier and ultimately helps with getting information remediated more quickly, he said.
Mapping Exploits And Automating Response
Threat intelligence was historically reserved for the largest enterprises but has been democratized as it gets embedded into other technology offerings, said BitSight Chief Technology Officer Stephen Boyer. Pulling both open-source and dark web data into a centralized dashboard and making sense of what information is valuable and what’s not in a timely fashion can be very challenging.
Once the threat intelligence feeds have been compiled, Boyer said businesses need help prioritizing patching and risk mitigation based on what’s currently being exploited in the wild. Automating actions in response to certain inputs from the threat intelligence feeds can make things easier for customers, according to Boyer.
Robust threat intelligence platforms also map exploits spotted in the wild to particular vulnerabilities, systems and assets the customer has in its own ecosystem, which Boyer said requires a great deal of sophistication. Enterprises historically had home-grown threat intelligence tools, but the costs associated with ongoing maintenance prompted large businesses to buy and license different third-party services.
Having Someone Who Knows Product And Domain Space
Threat intelligence feeds are most useful when they come with an additional layer of subject matter expertise that’s baked into the data the customer is getting, according to Greg Pollock, UpGuard’s vice president of product. Rather than forcing customers to come up with all the rules, threat intelligence vendors can add value by having someone upstream to ensure the customer’s feed is of high fidelity.
Having experts baked into the threat intelligence process reduces the time customers need to learn how to use the platform itself, Pollock said. Good threat intelligence data is tagged and classified on the customer’s behalf rather than forcing the business to learn all of the possible data classifications and groupings on its own, according to Pollock.
Threat intelligence vendors must monitor the fidelity of the tagging so that users can just subscribe to the data and feeds they want, Pollock said. Leveraging the vendor’s threat intelligence database to classify information reduces the amount of data customers have to pull in, which in turn lowers the stress on customer servers, according to Pollock.
More Integration And Automation For Smaller Customers
Threat intelligence platforms were traditionally only useful for larger enterprises since they required looking at aggregated data from multiple sources and figuring out how to operationalize that data, said Rob Cataldo, managing director of Kaspersky North America. But through training, SMBs have developed a skill set that puts them in a better position to make a useful investment around threat intelligence.
Through automation and more intuitive interfaces, Cataldo said threat intelligence platform providers have to make their technology more consumable and digestible for organizations with fewer internal cyberanalysis resources. Instead of having APIs that require customer programming to make connections occur, providers have pursued out-of-the-box integration that is easier for customers to operationalize.
Small businesses considering a threat intelligence platform should harden their own infrastructure first by investing in something like a digital footprint service that uses outside-facing attributes to assess a company’s cyber status, according to Cataldo. Threat intelligence platforms can over time automate, refine and enrich the detection process, the information they ingest and the skills they possess, he said.
Surface Intelligence That’s Relevant To The Customer
Threat intelligence vendors need to surface the most relevant information for customers based on their vertical and size, probing the dark web specifically for information on company employees, said Matt Radolec, head of Varonis’ Incident Response team. Give how much research and data are out there, he said customers are looking for a vendor that shines a light on data that’s relevant and actionable.
With this information, Radolec said organizations can apply a heightened level of screening and scrutiny for executives who are being targeted on the dark web. If an executive is a known target, Radolec said businesses can probe the information on hand to determine a possible motive for the adversary.
The most relevant and actionable threat intelligence feeds highlight specific threat actors who are using specific tactics, techniques and procedures or exploiting specific indicators of compromise in the vertical the customer is in, Radolec said. Threat data can get stale very quickly, so making it relevant to the customer reduces false positives and increases return on investment, Radolec said.
Standardized Process For Integrating Third-Party Data
Disparate technologies in the security stack don’t currently talk with one another easily due to a lack of API standardization, which makes connecting the dots difficult, said Jonathan Couch, ThreatQuotient’s senior vice president of strategy and corporate development. Businesses are looking to move from indicator-centric communication to a broader dialogue around the methodologies adversaries are using.
Couch said he’d like to see improvements in APIs as well as the detection capabilities to security tools to make the communication between products more robust. Threat intelligence platforms are most useful to customers when they provide insight and descriptions of the methodologies, tactics, techniques and procedures that adversaries are using, according to Couch.
Automating the communication between different security tools will make threat intelligence more accessible for resource-strapped organizations, enabling them to understand the entire scope of an attack, Couch said. Going forward, Couch would like to see threat intelligence platforms leveraged in security operations beyond SIEM and implemented in networks to provide monitoring and detection.
Mechanisms In Place To Operationalize
Too many organizations standing up threat intelligence platforms don’t have mechanisms in place to operationalize them, meaning that they end up with a list of known bad stuff but no way to make their company safer, according to Nick Biasini, head of outreach for Cisco Talos. Non-mature security organizations often need help from vendors when it comes to using threat data to improve security.
Businesses should pipe threat intelligence data into their SIEM or log aggregation products to strengthen their ability to detect malicious activity, Biasini said. Standing up a threat intelligence platform shouldn’t be a priority for organizations that aren’t getting logging from end systems, don’t know the assets in their network or can’t handle lots of data.
Companies should start by implementing segmentation, user control and access control before looking to enrich their security posture with threat intelligence, according to Biasini. Threat intelligence isn’t much of a benefit if organizations don’t have the tools in place needed to detect abnormal behavior, Biasini said.
Shift Intelligence From SOC Onto The Device
No security operations team can possibly track the over 6 billion devices connected to the internet, meaning that decisions can be made faster if intelligence is pushed beyond the SOC and onto firewalls and mobile devices, said Petko Stoyanov, Forcepoint’s global chief technology officer. By shifting intelligence onto the device, the time needed to detect and block threats is greatly reduced, he said.
Ingesting more intelligence and pushing data back onto the device also results in threats being blocked before they even arrive, according to Stoyanov. Sandboxing, real-time classification and validating content on websites manually enhances the efficacy of threat intelligence feeds while giving vendors greater control over their data, Stoyanov said.
Technology is typically designed to create more logs and alerts, forcing organizations to redouble their efforts to get away from the noise and make actionable intelligence decisions, Stoyanov said. Validating data and putting it into a known good structure such as Microsoft Word or PowerPoint makes it harder for ransomware to hide in customer data, according to Stoyanov.
Consolidate Findings To Increase Actionability
It’s critical for a threat intelligence platform to have many different feeds to maximize the richness of the data, but that typically means analysts are stuck going to different websites and scouring lots of feeds in search of an answer, said Maya Horowitz, Check Point Software Technologies’ vice president of research. The biggest challenge is understanding what data would be most beneficial to users, she said.
Analysts much prefer having data consolidated in one place with highlights of what they actually need to look at rather than having to open a bunch of different tabs on their browser and search, Horowitz said. Switching between tabs can cause analysts to lose focus, Horowitz said, while artificial intelligence can help analysts save time by indicating what’s most interesting for them to look at.
Businesses too often spend millions of dollars on threat intelligence reports that are interesting but unclear on what the organization is actually supposed to do with the findings, Horowitz said. Organizations should ensure that company money and analyst time is being used effectively on the threat intelligence side of the house, according to Horowitz.