Blueliv had the pleasure of spending a couple of days with the wider Gartner community at Gartner's annual security conference in Washington DC. The event ran for three and a half days and covered a wide range of security topics; this post covers only what was said and discussed about threat intelligence. I think it is fair to say that a considerable amount of cynicism now attaches itself in users' minds whenever the words "threat intelligence" are uttered. This came across very clearly when I spoke to a wide range of individuals from a diverse group of institutions and businesses. It would appear that all and sundry are adding the words "threat intelligence" to their banners regardless of whether what is being delivered is actually threat intelligence. That said, there is a lot of excellent work being done to deliver meaningful, actionable threat intelligence to end users. The other key challenge many businesses face right now is knowing what to do once their threat intelligence service is switched on.
A significant hurdle for many is that they may not yet have the processes and procedures in place to deal with threat intelligence once it is delivered. Threat intelligence will only deliver real business value if it is backed by a threat intelligence team that can put it to good use. If you do not have the budget to build such a team from the ground up, then the solution provider delivering the threat intelligence should deliver it in a form and structure that removes the need for a full-time threat intelligence team. This approach is something we have built into the kernel of our Cyber Threat Intelligence Platform. The intelligence is delivered in such a clear and concise manner that actionability is there right out of the box as soon as the service is switched on for end users. The Blueliv solution eliminates the need to deploy a full-time threat intelligence team while at the same time increasing the volume and complexity of intelligence an organisation can process, because of the automation built into its core. Moreover, the platform creates tangible business benefits by reducing the cyber risk an organisation is exposed to. This is one of the key reasons Blueliv was named a Gartner Cool Vendor in 2015.
The need for actionable threat intelligence is a global concern. One of the most interesting facts to emerge from the conference was that the Gartner analysts have fielded inquiries on this subject from over 35 different countries over the last 12 months. The need for threat intelligence clearly cuts across all verticals and geographies. According to the Gartner analysts, there is a real danger that many organisations feel they can tick the threat intelligence checkbox once they have bought a feed. Once the feed is live, an organisation can say, "yes, we are a threat intelligence aware organisation". But is a feed really enough? The key for any kind of intelligence, in the electronic world or the real world, is how actionable it is. If I can get a solution that delivers actionable intelligence right out of the box, then I can say I have achieved my critical goal of delivering real value to my business stakeholders and reducing the level of cyber threat my organisation is exposed to. Once again, this is something the Blueliv Cyber Threat Intelligence Platform delivers right out of the box: actionable threat intelligence delivered in such a manner that the only thing left for our clients to do is act upon it. Still, we are in the middle of 2016 and the feedback from Gartner is that many clients are struggling to act on threat intelligence. This may go some way towards explaining why many institutions and businesses have become a little suspicious of the benefits of threat intelligence. What is clear is that a feed on its own is not enough.
During the conference there were a number of discussions around what threat intelligence should be capable of doing. In other words, what are the key characteristics of threat intelligence that is actionable? The first is that the solution must be able to acquire threat intelligence in an automated manner, and that automation must not compromise the integrity of the intelligence: automating collection should not have an adverse impact on either the veracity or the volume of what is collected. Acquisition should also be diverse, drawing on open source, commercial and community-driven components. If one maps these requirements to the Blueliv Cyber Threat Intelligence Platform, one sees that here at Blueliv we blend all three types of source that Gartner mentions; in particular, we have a very vibrant threat intelligence community in place, and our proprietary threat intelligence is of the highest calibre.
The next key Gartner requirement is that the threat intelligence should be capable of being aggregated. What is meant by this is that the intelligence should be integrated into tools such as SIEMs and into the existing security estate, which could include firewalls, IPS and IDS systems. Once again, the out-of-the-box Blueliv solution has this functionality built in. A wide range of SIEM connectors has already been developed to integrate with those tools, and the Blueliv API feeds the threat intelligence the platform gathers into the other security tools deployed within a business.
The final key requirement is that the threat intelligence provided should allow a business to predict, prevent, detect and respond to a threat in a timely manner. The Blueliv Cyber Threat Intelligence Platform automates detection for an organisation. Without an analyst needing to get involved, it identifies where exactly the threat is, whether inside the corporate network or in the form of users who interact with compromised company websites. Not only are these users identified, but so is the type of malware they are infected with, along with the IP address the connection came from. Blueliv thus gives an organisation the ability to detect threats it did not know about, to prevent those threats from causing further damage and loss to the organisation, and finally to predict which other users interacting with its network might be compromised. This methodology is repeated across all eight modules that make up the Blueliv Cyber Threat Intelligence Platform. If you have a tool that automates all of this, then the only logical conclusion is that the ability to respond to threats in a timely manner follows, because automated detection shrinks the window of opportunity during which threat actors can cause harm to an organisation.
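To make the three requirements above (acquire, aggregate, act) concrete, here is a small added example in Python. It is not code from the Blueliv platform or from the Gartner material; the CSV feed layout, the key=value log format, the confidence and age thresholds, the IP addresses (RFC 5737 documentation ranges) and the malware family labels are all assumptions constructed for the example. The script parses a hypothetical indicator feed, drops malformed, stale and low-confidence rows so that automation does not degrade veracity, matches what survives against a few constructed proxy log lines, and turns high-confidence IPv4 hits into deny rules in a generic firewall syntax that an existing control could consume.

```python
"""Acquire -> aggregate -> act over indicator-based threat intelligence.

Added illustrative example, not Blueliv platform code. The feed layout,
log format, thresholds, addresses and malware labels are all constructed.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# ---- Acquire: a constructed indicator feed (hypothetical CSV layout) ----
# Columns: type, value, confidence (0-100), last_seen (UTC), malware family.
# Addresses are RFC 5737 documentation ranges; family names are invented.
FEED_CSV = """type,value,confidence,last_seen,malware
ipv4,198.51.100.23,90,2016-06-20T10:00:00Z,banker-a
domain,Update-Check.example.net,75,2016-06-21T08:30:00Z,downloader-b
ipv4,203.0.113.9,40,2016-01-05T00:00:00Z,dropper-c
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,95,2016-06-19T12:00:00Z,ransom-d
ipv4,not-an-ip,99,2016-06-19T12:00:00Z,broken-row
"""

MIN_CONFIDENCE = 60           # assumed: below this an indicator is not actionable
MAX_AGE = timedelta(days=30)  # assumed: older sightings are treated as stale
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def load_indicators(feed_text, now):
    """Parse the feed into {(type, value): {...}}, keeping only valid, fresh, confident rows.

    Automating acquisition must not lower veracity, so malformed rows are
    dropped rather than matched, and stale or low-confidence rows are filtered.
    """
    indicators = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        try:
            itype = row["type"].strip().lower()
            value = row["value"].strip().lower()
            malware = row["malware"].strip()
            confidence = int(row["confidence"])
            last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if itype == "ipv4":
                ipaddress.IPv4Address(value)          # raises ValueError on junk
            elif itype == "sha256":
                if not SHA256_RE.fullmatch(value):
                    raise ValueError("bad sha256")
            elif itype != "domain":
                raise ValueError("unknown indicator type")
        except (ValueError, KeyError, AttributeError, TypeError):
            continue                                  # malformed row: skip it
        if confidence < MIN_CONFIDENCE or now - last_seen > MAX_AGE:
            continue                                  # not actionable: skip it
        indicators[(itype, value)] = {"confidence": confidence, "malware": malware}
    return indicators


# ---- Aggregate: constructed proxy/firewall events in a simple key=value line format ----
LOG_LINES = [
    "2016-06-22T09:15:02Z src=10.0.0.5 dst=198.51.100.23 host=- action=allow",
    "2016-06-22T09:15:40Z src=10.0.0.7 dst=192.0.2.44 host=update-check.EXAMPLE.net action=allow",
    "2016-06-22T09:16:11Z src=10.0.0.9 dst=203.0.113.9 host=- action=allow",
    "2016-06-22T09:17:05Z src=10.0.0.5 dst=192.0.2.10 host=www.example.com action=allow",
    "garbage line that does not parse",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")


def match_logs(lines, indicators):
    """Return one alert per event whose destination IP or host name is a live indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # unparseable event: ignore, never guess
        ev = m.groupdict()
        for key in (("ipv4", ev["dst"]), ("domain", ev["host"].lower())):
            hit = indicators.get(key)
            if hit:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "type": key[0],
                               "indicator": key[1], "malware": hit["malware"],
                               "confidence": hit["confidence"]})
                break                                 # one alert per event
    return alerts


# ---- Act: hand the result to an existing control ----
def to_block_rules(alerts, block_threshold=85):
    """Emit generic firewall deny lines for IPv4 hits at or above the (assumed) threshold.

    Domain hits stay as alerts for the proxy/DNS layer rather than becoming IP rules.
    """
    return [f"deny ip any host {a['indicator']}  ! {a['malware']} seen from {a['src']} at {a['ts']}"
            for a in alerts if a["type"] == "ipv4" and a["confidence"] >= block_threshold]


def run(now=datetime(2016, 6, 22, tzinfo=timezone.utc)):
    """Run the full loop over the constructed data; returns (indicators, alerts, rules)."""
    indicators = load_indicators(FEED_CSV, now)
    alerts = match_logs(LOG_LINES, indicators)
    return indicators, alerts, to_block_rules(alerts)


if __name__ == "__main__":
    indicators, alerts, rules = run()
    print(f"{len(indicators)} usable indicators loaded")
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['indicator']} ({a['malware']}, confidence {a['confidence']})")
    for r in rules:
        print(r)
```

Two details are the ones a practitioner would check before wiring a feed into live controls. First, the stale, low-confidence indicator 203.0.113.9 is dropped at load time, so the event that contacts it never produces an alert; without that gating, a feed that is never aged out turns into a false-positive generator and is the quickest way to earn the cynicism described earlier. Second, only IPv4 hits above a higher confidence bar become deny rules, while domain hits remain alerts, because an automated block on a shared host name can take down legitimate traffic. The hash indicator is loaded but unused here, since the sample log carries no file events; the same dictionary lookup would apply to an endpoint or mail log that does.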
So the key requirements that must be met for threat intelligence to be of value to an organisation are the ability to acquire it, to aggregate it and finally to act upon it. If on top of this you can build a layer of automation, you will have a threat intelligence platform that delivers real business benefits and at the same time reduces the unit cost of delivering them. Last but not least, you will have a Cyber Threat Intelligence Platform that helps your organisation get on the front foot when it comes to using threat intelligence. Finally, do not forget the component mentioned earlier: the threat intelligence must be actionable. If you can bring that into the mix, you will have built a virtual threat intelligence team that proactively reduces your organisation's exposure to cyber threats at a fraction of the usual cost.
If you want to get past the tick-box approach to threat intelligence and work towards fulfilling the key requirements Gartner has identified for a good threat intelligence programme, then do get in touch with us. After all, we were a Gartner Cool Vendor in 2015, and we believe the Blueliv Cyber Threat Intelligence Platform can deliver the type of threat intelligence your organisation needs and deserves.
Nahim Fazal, Head International Business Development