Albert Einstein once said, “Look deep into nature, and then you will understand everything better.” Obviously, he wasn’t thinking of cybersecurity at the time, but he could have been. Consider for a moment how each species has developed a method of defence based on a single criterion – the capability of its main predator. Some animals bet on speed, while others bet on protective shells, or camouflage, or an ability to climb, etc. The variations are limitless, but the objective of each species is consistent: to defend itself against its primary predator.
So, how does this correspond to our cyber defence strategies? Not at all. In fact, the approach we use to defend ourselves against cybercriminals is quite the opposite. We all use the same tools to protect ourselves, regardless of our industry or location. The same email gateways, the same web gateways, the same firewalls, the same anti-virus, the same intrusion detection tools, etc. What’s more, the signature updates for these tools are provided by the same publishers without any consideration as to whether we’re a bank or an energy supplier, or whether we’re located in France, Latin America, or have offices around the globe. In short, our security strategy is grounded in an approach that assumes we all face the same predator. But we know this isn’t true.
An analysis of incidents reported by any Security Operations Centre (SOC) very quickly shows a different trend. While companies in all industries and geographies share the same background noise, for which conventional solutions provide reasonable coverage, most of the risk organisations face is related to two main factors:
- Organised cybercrime campaigns that are executed in your local language, using regional context and, thus, are more devastating (e.g., highly credible local phishing campaigns).
- Highly specialised adversaries who target your industry and relentlessly launch innovative campaigns against specific targets they have in their sights.
Clearly, we do not all face the same predator.
This isn’t to say that organisations should change their defensive technologies. In fact, for the most part, these tools are very powerful. The inadequacy comes mainly from relying exclusively on updates to signatures that determine what the tool should block or detect.
To adapt your defences to protect against your adversaries, you need to augment general threat data with specific threat intelligence. Several sources are available, including:
- National/governmental Computer Emergency Response Teams (CERTs) that develop and provide threat intelligence based on both geography and industry, so that organisations can understand and adapt to threats occurring locally in their specific sector.
- Information Sharing and Analysis Centres (ISACs), organised by industry, that disseminate to their members threat intelligence concerning their sector.
- Commercially available threat feeds that provide updated threat data differentiated by adversaries, targets and geographic regions.
- Open Source Intelligence (OSINT) sources that, although less targeted, are numerous and offer free threat data that can yield valuable insights.
- Your own layers of defence and/or SIEM that provide a massive amount of historical log and event data, serving as a memory of everything that has happened within your environment.
The use of these threat data sources as an adjunct to updates from traditional publishers makes it possible to adapt your protection and detection to the predators that pose the greatest risk to your organisation.
But here’s where we must differ from the animal kingdom, where evolution is tracked over millions of years. In the cyberworld, predators, their targets and their tactics, techniques and procedures (TTPs) can change within a matter of hours, so defenders must evolve rapidly. For example, if an adversary shifts tactics or targeted exploits, you’ll want to know about that change as soon as possible so you can adapt your defences quickly.
To track threats and how they are changing, you need a central repository to aggregate all your threat data in one manageable location where it can be automatically translated into a uniform format for analysis and action. Because these threat feeds will inevitably contain some data that isn’t relevant to your organisation, you need the ability to score and prioritise threat data based on your definition of priority to automatically filter out noise. This allows you to focus on what matters to your organisation and send relevant threat intelligence directly to your sensor grid (firewalls, IPS/IDS, routers, endpoint, and web and email security) to create and apply updated policies and rules, and proactively protect the organisation. As threats change you can add more data and context over time and continuously tune this central repository. You can act against the latest threats quickly and effectively, and protect against future threats.
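The aggregate, normalise, score, filter and push pipeline this paragraph describes, as an added Python example that is not part of the article; the organisation profile, the three feed formats and the scoring weights are constructed assumptions:

```python
# Added example (not the article's code): normalise differently formatted
# feeds into one schema, score against the organisation's priority profile,
# drop the noise, and render what remains as blocklist lines for sensors.
from dataclasses import dataclass

@dataclass
class Indicator:
    value: str
    kind: str        # "domain" or "ipv4"
    source: str      # CERT, ISAC, OSINT ...
    sectors: list    # industries the source says the threat targets
    regions: list    # geographies the source says the threat targets
    confidence: int  # 0-100 as reported by the source

# Organisation profile (constructed): a bank operating in France.
PROFILE = {"sector": "finance", "region": "FR", "min_score": 50}
CONF_WORDS = {"low": 30, "medium": 60, "high": 90}

# Constructed sample records, each in its own feed's native field names.
CERT_FEED = [{"ioc": "login-bank.example", "kind": "domain",
              "sectors": ["finance"], "regions": ["FR"], "confidence": 85}]
ISAC_FEED = [{"indicator": "203.0.113.7", "type": "ipv4",
              "industry": "finance", "conf": "medium"}]
OSINT_FEED = [{"value": "198.51.100.9", "type": "ipv4",
               "tags": ["energy", "US"], "confidence": 40}]

def normalise(cert, isac, osint):
    """Translate each feed's records into the uniform Indicator schema."""
    out = [Indicator(r["ioc"], r["kind"], "CERT", r["sectors"],
                     r["regions"], r["confidence"]) for r in cert]
    out += [Indicator(r["indicator"], r["type"], "ISAC", [r["industry"]],
                      [], CONF_WORDS[r["conf"]]) for r in isac]
    # OSINT tags mix sectors (lowercase) and regions (uppercase codes).
    out += [Indicator(r["value"], r["type"], "OSINT",
                      [t for t in r["tags"] if t.islower()],
                      [t for t in r["tags"] if t.isupper()],
                      r["confidence"]) for r in osint]
    return out

def score(ind, profile=PROFILE):
    """Source confidence, boosted on a sector/region match, penalised when
    the indicator is explicitly scoped to a different industry."""
    s = ind.confidence
    s += 30 if profile["sector"] in ind.sectors else (-30 if ind.sectors else 0)
    s += 20 if profile["region"] in ind.regions else 0
    return max(0, min(100, s))

def prioritise(indicators, profile=PROFILE):
    # Keep indicators at or above min_score, highest relevance first.
    ranked = [(score(i, profile), i) for i in indicators]
    return sorted([p for p in ranked if p[0] >= profile["min_score"]],
                  key=lambda p: -p[0])

def to_blocklist(ranked):
    # Tab-separated lines a sensor blocklist loader can ingest.
    return [f"{i.kind}\t{i.value}\t# {i.source} score={s}" for s, i in ranked]
```

Running `to_blocklist(prioritise(normalise(CERT_FEED, ISAC_FEED, OSINT_FEED)))` keeps the CERT and ISAC indicators and drops the OSINT record scoped to another sector and region.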
As Einstein observed, nature can help us understand everything better – and this includes how to better protect against cybercriminals. By putting threat intelligence at the heart of our defence systems, we can evolve the traditional SOC to an intelligence-driven SOC or a Security Intelligence Center (SIC). We can adapt our defences based on our predators – an approach that has worked in the animal kingdom for millions of years and will also serve us well.