Unfragmenting Security with Threat Intelligence

It has often been said that complexity is the enemy of security. It is a simple statement but, nonetheless, one that holds true time and time again. The more complex your infrastructure, the more likely it is to have seams with exposed vulnerabilities. This is exactly what hackers are looking for, places where people and processes are not perfect and something is left unprotected.

In my last article I talked about how defence-in-depth and layering defences so that if one does not work, another layer is there to stop the attack. This has not always been the saviour we thought it would be. This stems from the fact that each layer of defence has been a point product; a disparate technology that has its own intelligence and works within its own silo, creating fragmentation. And, since this creates complexity, it stands to reason that to combat the enemy and improve security we need to reduce it. But how can you begin to unfragmented something that is already out there in many pieces? To my mind, the best way is to find the glue to put things together. This glue comes in the form of threat intelligence, integrating layers of point products within a defence-in-depth strategy to reduce it.

[easy-tweet tweet=”Companies need to apply their threat intelligence to their environment in smarter ways” hashtags=”ThreatIntelligence,Data”]

But this isn’t just a problem with defence-in-depth. You also see it in your external threat intelligence feeds and across the different teams involved in maintaining your security posture. Let’s take a closer look at the fragmentation that exists in these areas and how threat intelligence can help. A study by the American university, Carnegie Mellon, analysed the blacklist ecosystem over an 18-month period and found that the contents of blacklists generally do not overlap. In fact, of the 123 lists (which each included anywhere from under 1,000 to over 50 million indicators) most indicators appeared only on a single list. It’s no wonder there’s a huge data overload problem! The study goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” But don’t just take their word for it; the 2015 Data Breach Investigations Report commissioned by Verizon came to a similar conclusion noting that “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways.”

In an attempt to get the best coverage as they build their threat operations, most organisations are typically forced to use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. Lacking the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data remains fragmented, often does not have context and just becomes more noise. The path to threat intelligence begins with aggregating that external data into a threat intelligence platform (TIP).

Nevertheless, a TIP needs to go further than simple aggregation. It must also operationalise and apply that intelligence as the glue to reduce fragmentation. With global data in one manageable location, it needs to be translated into a uniform format and augmented and enriched with internal and external threat and event data. The correlation of events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, allows you to gain additional and critical context in order to understand what is relevant and high-priority to your organisation. Now you’re in a position to utilise that threat data, automatically exporting and distributing key intelligence across all the different layers of defence in depth to improve security posture and reduce the window of exposure and breach.

So how can you deal with the fragmentation across teams? Well, the key here is to find a way to use that threat intelligence for better decisions and action, and this can often be a challenge in siloed organisational structures. You might have a SOC (security operations centre), a network team, an incident response (IR) team and a malware team. More often than not, they don’t even work together, let alone share information or intelligence. Forced direct communication isn’t often effective, so how do you get those teams to work together in a way that makes sense? By offering a single repository for all threat intelligence that is contextual and prioritised, you can foster much-needed collaboration without them necessarily even knowing it. With the ability to add commentary and store data for longer periods of time, the repository can become a core component of their processes. As the different teams use and update this repository, there is instantaneous sharing of information across other teams, resulting in faster, more informed decisions.

Taking this a step further, by integrating that repository into other existing systems – including, but not limited to SIEM, log repositories, ticketing systems, incident response platforms, orchestration and automation tools – you will allow disparate teams to use the tools and interfaces they already know and trust and still benefit from and act on that intelligence. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes, the SOC the SIEM and network team uses network monitoring tools and firewalls, and this is just the beginning. By getting consistent intelligence directly from the repository that they have been working in and updating collectively, everyone operates from a single source of truth, reducing fragmentation and complexity so they can accelerate detection and response.

I am in no doubt that complexity is the enemy of security, but this doesn’t have to mean that you are entirely helpless. The enriching of threat data from all your external and internal sources with context, relevance and prioritisation, allows threat intelligence to become the vital glue that reduces the overall fragmentation across your security environment. By reducing this complexity you can ensure that your teams can work together with their existing tools to keep your organisation safer.

+ posts


Related articles

Don’t lose sight of SAP on Cloud operational excellence

Digital transformation projects can often become complex with twists and turns, which can lead organisations to focus solely on the migration itself.

Need to reduce software TCO? Focus on people

Investing in software is undoubtedly important for enterprises to stay ahead. However, the process is rarely a simple task for CIOs and IT leaders.

The future of cloud and edge optimisation

As more enterprises use multi-cloud and hybrid infrastructures, the danger of cost overruns and loss of control increases.

Here is how to stage a public cloud migration

As the relationships between CSPs and cloud providers are deepening, CSPs need to develop a clear strategy on how they add value to customer relationships.

The future of work is collaborative

As hybrid work models continue to gain traction, businesses will need to start implementing collaborative tools and processes to meet the needs and expectations of the upcoming workforce, seamlessly integrating them into existing workflows to enhance productivity and performance. Innovations in technology, including AI and machine learning, mean that organisations are in a better position than ever to shape the collaborative future of work – and with the right support in place, they can ensure that these digital tools continue to bring out the best in their workforce for years to come.


Please enter your comment!
Please enter your name here

Subscribe to our Newsletter