Threat intelligence is rapidly becoming an ever-higher business priority with a general awareness of the need to ‘do’ threat intelligence, but vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products.
According to MWR senior security researcher Dr David Chismon, there is a risk that in the hurry to keep up with the threat intelligence trend, organisations will end up paying large amounts of money for products that are interesting but of little value in terms of improving the security of their business. “Doing threat intelligence is important – but doing it right is critical,” he said.
In a report by MWR Infosecurity, supported by the Centre for the Protection of National Infrastructure (CPNI) and CERT-UK, the theme of threat intelligence is covered, including how to build a successful threat intelligence programme ,and crucially, how not to build one, as well as detailed advice on collecting, analysing, acting on and sharing the information obtained.
The report said that as market demand for threat intelligence grows, with a large number of organisations either interested in products or actively building programmes, some vendors are offering existing products – or subtly reworked versions of existing products – as ‘threat intelligence’.
The report claimed that while a single source tends to provide intelligence of only one specific type – for example, a data feed that is useful only as technical threat intelligence – many useful sources can provide multiple types of intelligence that can be analysed and turned into different products for effective consumption.
Chismon said: “By taking threat intelligence back to its intelligence roots and applying the same strict principles, it quickly becomes clear that effective threat intelligence focuses on the questions that an organisation wants answered, rather than simply attempting to collect, process, and act on vast quantities of data.
“Yet, it’s vital to be asking the right questions in the first place. Hence this paper looks in detail at the cycle of setting requirements, collecting and analysing data, turning the results into a consumable product and evaluating the usefulness of that product – which then feeds back into asking ‘better’, more useful questions for the future.”
The report claims that a good threat intelligence programme would be ‘requirements focused’, with the requirements phase of the threat intelligence flow defining the questions that need to be answered. Once requirements have been decided, the next step is to identify the sources from which information and data will be collected, along with the analysis necessary to produce actionable threat intelligence.
However there should not be too much effort placed upon ‘collection-focused threat intelligence’ that seeks to consume feeds in the hope of extracting meaning, and it rarely offers significant benefits to the organisation.
Statistics from 451 Research showed that of 55 vendors it examined, nearly all of them offered at least three of the most common data elements (hash values, IP addresses and domain names); only 36 per cent of respondents said that they were using threat intelligence and a further eight per cent stated that it was in their plans.
Asked if she felt that there would be a benefit from a united threat intelligence feed rather than separate private resources, Wendy Nather, research director of the enterprise security practice at 451 Research told IT Security Guru that there never will be a real unified threat intelligence feed, because a lot of the value in it for vendors is that nobody else has access to their sources, or they do something with that data that nobody else does.
Nather said: “There are a lot of threat intelligence vendors who all incorporate the same open source intelligence, so there’s a lot of overlap between some of them — enterprises can be paying two or three times for the same data without knowing it.
“They can also be led astray in thinking that if something shows up in three feeds, it’s got a higher confidence level, when in reality they’re all just regurgitating the same false positive.”