In order to respond effectively to the rapid growth of emerging and increasingly sophisticated threats, it is important that organisations have an effective strategy around threat intelligence management. The framework proposed by McAfee (part of Intel Security) follows a layered approach.
Global-level intelligence sits firmly at the top. This threat intelligence is often not real time and by definition cannot be relied upon when protecting against zero-day threats. However, global intelligence is very valuable for identifying the vast majority of commodity, signature-based threats. Global intelligence feeds such as GTI (Global Threat Intelligence), a service provided by McAfee, or similar services shouldn’t be relied upon in isolation, because they carry a wide range of indicators of compromise that may or may not be locally relevant. This lack of local relevance may also lead to false positives.
Some organisations may choose to subscribe to more industry-focused community and third-party intelligence feeds. For instance, financial services organisations may subscribe to the likes of FS-ISAC, and in the federal and public sector GovCert may play a part. Other organisations may choose open source providers such as Hail A Taxii or similar alternatives. While industry-vertical or third-party providers are valuable and may provide more targeted threat intelligence, their indicators of compromise may still not be fully relevant to a specific organisation.
According to Verizon’s 2016 Data Breach Investigations Report, 70-80% of the threat samples that an organisation receives are unique to that institution. This number has progressively increased in the last few years. The increase validates the view that sophisticated and more advanced threats are targeted and architected around the specific vulnerability profile of individual organisations. This changing threat landscape highlights the importance of relevant, real-time, local intelligence gathered from context-aware local sensors.
Therefore local threat information, complemented by community and global information sources as part of an actionable intelligence funnel, is a vital component of any layered defence strategy.
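The funnel described above can be made concrete as a small triage routine. The following is an added example, not code from the original post or from McAfee: it merges constructed global, community and local indicator sets, weights each indicator by which tiers reported it and by how often local sensors actually observed it, and separates out the global-only indicators that the text flags as the likely source of false positives. Tier weights, feed contents and IP/domain values are all constructed for illustration.

```python
"""Actionable intelligence funnel: rank indicators by local relevance.

Added example, not part of the original post. All feed contents below are
constructed sample data; tier weights are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Source tiers from lowest to highest local relevance (assumed weights
# mirroring the layered model: global -> community -> local sensors).
TIER_WEIGHT = {"global": 1, "community": 2, "local": 4}


@dataclass
class Indicator:
    value: str                                  # IP, domain or file hash
    kind: str                                   # "ip", "domain", "sha256"
    sources: set = field(default_factory=set)   # tiers that reported it
    local_hits: int = 0                         # local sensor sightings

    def score(self) -> int:
        # Corroboration across tiers raises confidence; local sightings
        # dominate because they prove the indicator matters *here*.
        return sum(TIER_WEIGHT[s] for s in self.sources) + 3 * self.local_hits


def build_funnel(feeds: dict, local_events: list) -> list:
    """Merge tiered feeds with local sensor events.

    feeds:        {"global": [(value, kind), ...], "community": [...]}
    local_events: [(value, kind), ...] as observed by local sensors
    Returns indicators ordered from most to least actionable.
    """
    table = {}
    for tier, items in feeds.items():
        for value, kind in items:
            ind = table.setdefault(value, Indicator(value, kind))
            ind.sources.add(tier)
    for value, kind in local_events:
        ind = table.setdefault(value, Indicator(value, kind))
        ind.sources.add("local")
        ind.local_hits += 1
    # sorted() is stable, so equal scores keep feed order.
    return sorted(table.values(), key=lambda i: i.score(), reverse=True)


def low_relevance(ranked: list) -> list:
    """Global-only indicators never seen locally: review these for
    false positives or alert suppression rather than acting on them."""
    return [i.value for i in ranked if i.sources == {"global"}]


# Constructed sample feeds (documentation/test address ranges).
GLOBAL_FEED = [("203.0.113.10", "ip"), ("198.51.100.7", "ip"),
               ("bad.example", "domain")]
COMMUNITY_FEED = [("198.51.100.7", "ip"), ("c2.example.net", "domain")]
# Constructed local sensor observations: one IP seen twice, one seen once
# and absent from every external feed.
LOCAL_EVENTS = [("198.51.100.7", "ip"), ("198.51.100.7", "ip"),
                ("192.0.2.44", "ip")]


def demo() -> list:
    """Run the funnel over the constructed data; returns (value, score)."""
    ranked = build_funnel({"global": GLOBAL_FEED,
                           "community": COMMUNITY_FEED}, LOCAL_EVENTS)
    return [(i.value, i.score()) for i in ranked]


if __name__ == "__main__":
    for value, score in demo():
        print(f"{score:3d}  {value}")
    print("low relevance:", low_relevance(
        build_funnel({"global": GLOBAL_FEED,
                      "community": COMMUNITY_FEED}, LOCAL_EVENTS)))
```

The corroborated, locally observed address rises to the top, the local-only sighting ranks next even though no external feed knows it, and the two global-only entries fall to the bottom of the funnel where they belong for false-positive review.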
In the war against cyber criminals, enterprise IT teams have a significant challenge on their hands. The fundamental problem is this:
Cyber Criminals are “out innovating” Enterprise IT.
Cyber criminals can move faster than most IT organisations because they are not bound by “change control” or ITIL. They also don’t need to conform to corporate ethics, policies or compliance requirements. Nor do they have to contend with corporate politics, siloed operations and empire builders.
Their mission is very simple: gain unauthorised access to information and other assets and maximise the return on the time invested doing so. The rapid weaponisation of cyberspace, coupled with significant commercial opportunities for cyber criminals, has given rise to ever more sophisticated, tailored, difficult-to-detect and targeted attacks aimed at the industry. These attacks have the potential to cause significant damage: damage to both reputation and business viability.
In an effort to counter such threats, every IT organisation has ambitious plans to build the most powerful defence. For the Star Wars fans out there, this can be likened to the Death Star!
However, due to technology and budgetary limitations, the reality looks more like this:
But due to the fragmented nature of the cyber security market and how organisations tend to think about “security problems”, most IT environments end up with this:
Often, IT organisations end up with a “bag of bits”. These point solutions are frequently sold without any professional services attached, and the intended business outcomes are overlooked, leading to vendor proliferation.
According to a study done by Penn Schoen Berland, a global market research and consulting firm, earlier in 2016, 62% of security practitioners believe that technology sprawl adversely impacts the overall security posture of organisations.
In order to build the “lego set”, an integrated, open and extensible architectural approach is essential: one that penetrates deeper into the fabric of the organisation and has the ability to learn, adapt and get stronger over time.