Following on from our previous blog post, we seek to clear up some of the confusion around what threat intelligence (TI) is and is not in today’s market landscape. Here are the second 5 of 10 points that today’s threat intelligence absolutely is not.
Threat intelligence is NOT just an investigation tool
Yes, TI is a powerful tool for forensically piecing together cyberattacks after the fact so that lessons can be learned. But when threat data from many sources is identified and analyzed in near real time, threat intelligence rightly occupies a pivotal role in cybersecurity, both accelerating threat detection and providing vital input into investigations. The evolution of TI has greatly increased responsiveness, so that vast datasets can be interpreted to provide continuous, dynamic intelligence in close to real time. The investigative attributes of threat intelligence are also evolving to pinpoint new attack patterns belonging to known and unknown threat actors, thereby enhancing incident triage and post-incident forensics at any point in the kill chain. Timing is critical for the provision of successful TI services, so automated processing and the emerging application of machine learning/AI deliver increasing value.
Threat intelligence is NOT just about the threats targeting your network
There is a very wide scope of external TI sources out there, and threat intelligence increasingly taps into more than just the aggregated feeds of internal security appliances and IP blocklists to identify indicators of compromise (IOCs) and analyze attack patterns. These range from publicly accessible OSINT (open-source intelligence) sources such as social networks, forums and web posts, to ‘underground’ sources such as closed sites on the dark web and deep web, and data recovered from attackers’ command and control (C2) infrastructure. Threat intelligence is also about intelligence-sharing across the security community, including from national-level CERTs and CSIRTs, sector-specific ISACs, and via each TI vendor’s own technical alliances and partnerships. Expect to see this ramp up further as the threat intelligence market matures through the rest of 2019 and beyond. Blueliv encourages collaboration as much as possible among security professionals, law enforcement and academics – you can join our Threat Exchange Network free of charge here.
Threat intelligence does NOT need you to employ an army of analysts
Security teams are already plagued by information overload, and adding further internal headcount is incredibly difficult with budgets under pressure and cyber skills in short supply. TI shouldn’t just turn data into more data; it must produce targeted, relevant intelligence that helps CISOs and others make better-informed security decisions. Advanced threat intelligence solutions use automation and machine learning to press this advantage and spare customers from running armies of analysts to cope with the data avalanche.
Threat intelligence is NOT a laborious integration
Clearly, a comprehensive integration is essential for a TI solution to deliver value. Failure to get this right creates blind spots and inefficiencies that can compromise your cyber defenses. But none of this means that onboarding your chosen threat intelligence solution need be an arduous process. Rapid configuration, setup and deployment can be enabled through APIs that let threat feeds slot neatly into SIEMs, endpoint solutions, firewalls, intrusion prevention tools and so on. Machine-readable threat intelligence (MRTI) feeds are simple to set up: because indicators arrive in structured, machine-readable formats rather than as human-readable reports, they can be ingested directly and dispersed rapidly to cloud and on-site security infrastructure. One practical caveat: an integration should honor each indicator’s validity window and confidence score before it reaches detection rules, otherwise the blind spots are simply replaced by alert noise.
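To make the MRTI ingestion step concrete, here is an added example (illustrative code written for this post, not Blueliv’s product code or any vendor’s API) that loads a small STIX 2.1-style indicator bundle, drops expired and low-confidence indicators, and matches what remains against a few log lines. The bundle, the log lines and the indicator values (RFC 5737 documentation IP ranges and a reserved example domain) are all constructed for the example; the single-comparison pattern matcher is an assumption that covers only the simplest STIX patterns.

```python
"""Ingest a constructed machine-readable TI feed and match it against logs.

Example code added for illustration; it is not Blueliv's code and does not
use any vendor API.  Indicator values are documentation/example addresses.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1-style bundle.  Real MRTI feeds (STIX over TAXII, CSV,
# JSON) carry the same essentials: a pattern, a confidence, a validity window.
SAMPLE_FEED = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--1",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "confidence": 90, "valid_until": "2099-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[domain-name:value = 'malicious.example']",
         "confidence": 70, "valid_until": "2099-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--3",            # expired
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "confidence": 95, "valid_until": "2001-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--4",            # low confidence
         "pattern": "[ipv4-addr:value = '192.0.2.1']",
         "confidence": 20, "valid_until": "2099-01-01T00:00:00Z"},
    ],
})

# Constructed log lines (firewall and DNS style) to match against.
SAMPLE_LOGS = [
    "2019-05-01T10:00:00Z fw src=10.0.0.4 dst=203.0.113.5 action=allow",
    "2019-05-01T10:00:01Z dns client=10.0.0.9 query=malicious.example",
    "2019-05-01T10:00:02Z fw src=10.0.0.4 dst=198.51.100.7 action=allow",
    "2019-05-01T10:00:03Z fw src=10.0.0.5 dst=203.0.113.50 action=allow",
    "2019-05-01T10:00:04Z fw src=10.0.0.6 dst=192.0.2.1 action=allow",
]

# Assumption: only single-comparison STIX patterns on these two object types.
# Compound patterns (AND/OR, FOLLOWEDBY) need a real STIX pattern parser.
_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def load_iocs(feed_json, now=None, min_confidence=50):
    """Return {value: indicator_info} for indicators that are still valid and
    meet the confidence threshold.  This filtering is what keeps a raw feed
    from turning into a false-positive generator inside the SIEM."""
    now = now or datetime.now(timezone.utc)
    iocs = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN.match(obj["pattern"])
        if not m:
            continue
        valid_until = datetime.fromisoformat(obj["valid_until"].replace("Z", "+00:00"))
        if valid_until <= now or obj.get("confidence", 0) < min_confidence:
            continue
        kind, value = m.group(1), m.group(2)
        iocs[value] = {"id": obj["id"], "kind": kind, "confidence": obj["confidence"]}
    return iocs


def match_logs(lines, iocs):
    """Tokenize each line and report (line, indicator id) for exact-token hits.
    Token matching avoids the substring trap where 203.0.113.5 would also
    'match' 203.0.113.50."""
    hits = []
    for line in lines:
        for token in _TOKEN.findall(line):
            if token in iocs:
                hits.append((line, iocs[token]["id"]))
    return hits


if __name__ == "__main__":
    active = load_iocs(SAMPLE_FEED)
    for line, ind_id in match_logs(SAMPLE_LOGS, active):
        print(f"{ind_id}: {line}")
```

Run as-is, the script reports exactly two hits (the allowed connection to 203.0.113.5 and the DNS query for malicious.example); the expired indicator, the low-confidence indicator and the near-miss address 203.0.113.50 produce nothing, which is the behaviour you want before a feed is wired into production detection rules.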
Threat intelligence does NOT need a patchwork of threat intelligence vendors
There is great diversity in threat sources, and an increasing number of TI providers specializing their offerings, but this doesn’t necessarily mean you have to contract dozens of threat intelligence vendors to get the coverage you need. Leveraging the component elements of a modular TI platform allows enterprises to pursue a streamlined solution from a single vendor that directly meets their requirements. An enterprise might, for example, prioritize uncovering hacktivist activity, surfacing dark web intelligence, or tracking stolen payment card details and other compromised credentials belonging to the organization. And while the list of possibilities is long, a pay-as-you-need subscription model ensures that costs are not.
Threat intelligence has become an exceptionally crowded marketplace, and one that Blueliv has a unique perspective on given our involvement over the last 10 years. Unlike manually generated, report-centric services delivered on an all-or-nothing basis, Blueliv’s approach is refreshingly different, adopting a fully modular model that allows customers to address individual use cases and achieve targeted ROI in a straightforward way. And while Blueliv employs a large team of highly experienced security analysts to support unique customer needs and contextualize our TI solution, it is our commitment to automated technology and processes that provides the necessary scale, speed and agility to deliver true value to threat prevention and incident investigation.
You can check out our last blog post to help demystify the sector by clicking here.