Traditional approaches to integrating cyber threat intelligence into an adaptive security model have leaned very heavily on open source threat intelligence feeds fed into a SIEM. The thinking behind this may well have been that crowd-sourced threat intelligence is just as good as, if not better than, a proprietary source offered by vendors. But is this really the case?
For the time being, let us assume that this approach is the correct one. The question that then crops up is what you do once the feed is integrated into your SIEM. You are going to expend a large amount of energy, money and resources on detective work. Once the feed is in place you will need to correlate it against a whole range of other data, such as web server logs and IP address logs, and more likely than not a human analyst will have to sift through the matches to identify a meaningful alert. This remains the case even if you are using a proprietary source. What you cannot escape is that once a feed is in place there is extensive legwork for an analyst to perform in order to root out possible threats lurking inside your network. I would be the first to concede that this kind of approach does satisfy some basic requirements: having a feed in place ensures that you are at least protecting yourself against the well-known crime servers and attack vectors out there. But is this enough?
Before I expand any further on practical implementations of an adaptive security model, it is worth recapping the four key requirements. The four elements we need in place are contextual awareness, integration with the existing security estate, automation out of the box, and an automated threat response. The threat intelligence you use needs to embody all four in order to move towards adaptive security.
We have all heard the old saying "defense in depth": any security model should take a layered approach. Integrating feeds into your SIEM is layer one, but you will need additional layers of protection to achieve an adaptive security model. To get there, we need targeted threat intelligence that is contextually aware. Why does this matter? More accurate security decisions lead to responses that affect the business less adversely. So what are the key characteristics of contextually aware security?
Contextually aware threat intelligence should answer some fundamental questions: where have I been compromised, how was I compromised, and who has been compromised. The "who" could be an external customer as well as an internal user. Why is this important? Because it helps an organization identify an issue quickly and with clarity. Targeted threat intelligence reduces the threat actors' window of opportunity and, just as importantly, reduces incident response times for the business. The end result? Potentially a substantial reduction in the harm you are exposed to, in both direct and indirect costs.
The second key element is that the threat intelligence should integrate with your existing security estate. Traditionally this has been limited to IPS, firewalls and the like. I would like to expand it further and suggest that your threat intelligence should also integrate with middleware components and fraud engines if we truly want to achieve adaptive security. For example, if my threat intelligence solution can tell me which of my online customers are infected, then instead of simply blocking them, which is costly, could I apply enhanced authentication checks to those sessions? This is where we use threat intelligence to adapt our response and move away from the old approach of block and drop. An adaptive approach is likely to result in a better customer experience and lower costs for the business than simply disabling the user. This blog post does not set out to explore endless examples of how this works in practice; for a more comprehensive overview, we invite you to tune into our webinar on this topic on Brightalk (Adaptive Security).
The next two key components, which I will group together here, are an automated response capability and automation built into the threat intelligence feed itself. Automation is key because no business has the time or resources to manually process all of the threat intelligence coming in. What you need is a tool that automatically filters and displays the threat intelligence relevant to your organization. Furthermore, it must pinpoint where and what the problem is, allowing you to act quickly and removing the need to hunt for threats inside your network in a manual, resource-dependent way. The key here is that automation shrinks the time it takes to identify threats and to remediate them. All of this delivers key business benefits, reducing not only the costs associated with incident response but also the costs of identifying the threat in the first instance.
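As an added illustration of the last few points (example code written for this page, not the author's or any vendor's product), the Python below correlates a constructed threat-intelligence feed against constructed web server log lines, reports the where/who/how context described above, and applies a simple response policy that steps up authentication for a logged-in customer whose source address matches an indicator rather than blocking them outright. The indicator values, campaign names, log lines, user names and the policy rules are all assumptions made for the example; a real deployment would pull the feed from a STIX/CSV/JSON source and push the decision to a fraud engine or authentication middleware.

```python
"""Added example (not from the original post or any vendor product): correlate a
threat-intelligence feed with web server logs and pick a risk-adaptive response.
All indicators, log lines and user names below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator feed: hypothetical addresses from documentation ranges
# (RFC 5737), tagged with the type of infrastructure and a made-up campaign name.
IOC_FEED = {
    "198.51.100.23": {"type": "c2", "campaign": "sample-botnet-A"},
    "203.0.113.0/24": {"type": "scanner", "campaign": "mass-scan"},
}

# Constructed web server log lines in common log format (authenticated user in
# the third field, "-" when anonymous).
WEB_LOGS = """\
198.51.100.23 - alice [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.10 - bob [10/Oct/2023:13:56:01 +0000] "GET /account HTTP/1.1" 200 2048
203.0.113.77 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 404 128
198.51.100.23 - carol [10/Oct/2023:13:58:40 +0000] "POST /transfer HTTP/1.1" 200 256
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


@dataclass
class Alert:
    """One correlated hit, carrying the context an analyst would otherwise dig out."""
    ip: str              # where: the matching source address
    user: Optional[str]  # who: the authenticated user, if any
    path: str            # what they touched
    ts: str
    ioc_type: str        # how: the kind of indicator that matched
    campaign: str
    action: str          # the adaptive response chosen for this hit


def match_ioc(ip: str, feed: dict = IOC_FEED) -> Optional[dict]:
    """Return the feed entry matching `ip`, handling single hosts and CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    for indicator, meta in feed.items():
        if "/" in indicator:
            if addr in ipaddress.ip_network(indicator, strict=False):
                return meta
        elif addr == ipaddress.ip_address(indicator):
            return meta
    return None


def decide_action(ioc_type: str, user: Optional[str], path: str) -> str:
    """Assumed response policy for the example.

    Anonymous traffic from known-bad infrastructure is simply blocked. A logged-in
    customer whose source matches an indicator is not dropped: the session is sent
    for step-up authentication, and a high-value action from C2-tagged
    infrastructure is instead held for review. Rules and path names are assumptions.
    """
    if user is None:
        return "block"
    if ioc_type == "c2" and path.startswith("/transfer"):
        return "hold_for_review"
    return "step_up_auth"


def correlate(log_text: str, feed: dict = IOC_FEED) -> list:
    """Run every parsable log line against the feed and return contextual alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        meta = match_ioc(m["ip"], feed)
        if meta is None:
            continue
        user = None if m["user"] == "-" else m["user"]
        alerts.append(Alert(
            ip=m["ip"], user=user, path=m["path"], ts=m["ts"],
            ioc_type=meta["type"], campaign=meta["campaign"],
            action=decide_action(meta["type"], user, m["path"]),
        ))
    return alerts


def affected_users(alerts: list) -> list:
    """Answer 'who has been compromised': distinct authenticated users with a hit."""
    return sorted({a.user for a in alerts if a.user is not None})


if __name__ == "__main__":
    hits = correlate(WEB_LOGS)
    for a in hits:
        print(f"{a.ts} {a.ip:<15} user={a.user or '-':<6} {a.path:<14} "
              f"{a.ioc_type}/{a.campaign} -> {a.action}")
    print("affected users:", affected_users(hits))
```

Run as a script it prints three hits: alice and carol coming from the C2-tagged address (step-up and hold-for-review respectively) and the anonymous scanner request (blocked), while bob, whose address is not in the feed, generates nothing. The point is the shape of the output: each alert already carries the where, who and how, and a response decision, so the analyst is not left to reconstruct that by hand from raw log matches.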
Adaptive security matters because it brings key business benefits. It is not just about protecting your technological assets. It is also about making the experience for the end user, internal or external, a painless one. What I mean by that is that security is almost invisible to them, so they are not encumbered with distractions. They can focus on getting done quickly what they need, be it paying a bill or completing a key business document, safe in the knowledge that an adaptive security model is protecting them at all times. Please do take a few minutes to look at our brand new community, launched recently; this link will take you there directly.
Nahim Fazal, Head International Business Development