# Using Threat Intelligence Services to Enhance Security

Published 2016-05-17 on the Power Admin blog: https://www.poweradmin.com/blog/using-threat-intelligence-services-to-enhance-security/

Trying to recover from a cyber-assault or serious data breach can be a stressful and expensive affair.

A far better approach is to make sure that your business is safe from such catastrophes before they occur – or at the very least, capable of staging a swift recovery in the event that disaster does strike.

This is an area in which threat intelligence can play a key role.

## What is Threat Intelligence?

There are several interpretations as to what constitutes threat intelligence, or cyber threat intelligence as it's also known.

The SANS Institute defines it as: "The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators."

Gartner, Inc. goes further, describing it in these terms: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Depending on the service provider or corporation you ask, you'll see threat intelligence interpreted from other viewpoints. Some see it as a reactive phenomenon, allowing businesses to become aware of cyber-assaults as they occur. Others view it as simply the catalogue of techniques and technologies used by cyber-criminals to mount their attacks.

## Information vs. Intelligence

Analysts in the military and national intelligence fields have long been aware of the distinction between information and intelligence.

Information consists of raw data from numerous sources, which is not evaluated as it comes in. Recorded "facts" may be true, false, or nuanced – and quite possibly irrelevant. In any event, this unfiltered stream cannot be reliably used as the basis for meaningful action.

By contrast, intelligence is gathered from known and proven sources, and evaluated and interpreted by trained analysts as it arrives. This data is processed and sorted, and assessed for its degree of relevance to the mission at hand. Most importantly, it can be used to inform and support actions on the ground.

## Evolutions of Scale

This distinction between information and intelligence becomes especially relevant in these days of evolving cyber-threat technologies and increasing scales of assault. In its [DBIR report of 2015](http://thehackernews.com/2015/11/what-is-cyber-threat-intelligence.html), Verizon estimated that the year saw a loss of $400 million from some 700 million compromised data records – an assault catalogue that emerged from 79,790 separate security incidents.

Clearly, with threats of this scale, it's essential for businesses to remain informed about developments with the potential to cause real harm – and this needs to be in the form of actionable intelligence that yields workable strategies for enterprise protection, attack prevention, and remedial action in the case of successful attacks.

## Feeds and Services

Life has become a lot more complicated since the days of the Bugtraq mailing list and e-zines like Phrack. With the multiplication and evolution of threat vectors, a multitude of websites and newsfeeds have sprung up, each dedicated to some aspect of corporate threat intelligence.

Data needs to be pulled in from open source reservoirs, rumblings from "the digital underground", and analysis of existing malware tool-kits. Other sources should include in-house network and transaction logs, information gleaned from collaboration platforms and industry-specific groups, and data gathered from technology and security partners.

For the enterprise, the challenge is to make some sense of it all – to filter out the noise and drill down to what's relevant and actionable. This may be done in-house, but it's a time-consuming and intensive exercise, requiring specialist skills. What's more, the investment needed to bring together a threat intelligence team locally could be prohibitive.

One alternative is to subscribe to a threat intelligence service run by a third-party security vendor. Each provider will have a specific focus – largely dictated by the range of own-brand security products that it has to offer. To get a comprehensive security picture, it's a good idea to subscribe to several different services and/or feeds.

## Information Sharing and Analysis

There are also a number of information sharing and analysis centres ([ISACs](http://searchsecurity.techtarget.com/tip/How-threat-intelligence-can-give-enterprise-security-the-upper-hand)): usually online forums where data on cyber-threats relating to a specific industry or market sector may be traded and shared, for incorporation into local threat analysis and enhanced security tools. As with the feeds and services, there are several pricing levels and areas of focus for ISACs, so some degree of market research and mixing may be required.

## Integrating with Security Controls

Having amassed a wealth of useful intelligence from various sources, the next step for the enterprise is to work this data into its existing security management protocols. Cyber threat intelligence feeds usually come in XML format, and may be integrated directly into a range of security applications, network monitoring tools, corporate firewalls, and DNS servers.

## Security Information & Event Management (SIEM)

A security information and event management system, or SIEM, may be deployed to track events in your network and business environment, and to flag anomalies and suspicious activity. SIEMs are software platforms that integrate feeds, received threat intelligence, and event-based logging, allowing enterprises to respond immediately to unauthorised access attempts and other forms of cyber-assault.

## Pre-emptive Actions

Responding quickly to assaults is fine, but the strength of threat intelligence lies in its ability to empower businesses to act before threats present themselves, or actual attacks occur.

Again, collecting and managing threat intelligence data from numerous sources is an intensive process that may be better left in the hands of a reputable third party. A good service provider should perform data cleansing and validation procedures on all incoming streams, and export data to the enterprise that can be plugged into its security and monitoring tools directly, and used for attack prevention or detection.

## Choosing a Service

There are numerous online resources to choose from. As a start, you can look at a portal such as [The Cyber Threat website](http://thecyberthreat.com/cyber-threat-intelligence-feeds/). You might also consult the recommendation documents issued by national and regional government bodies, such as the European Union Agency for Network and Information Security.