Proactive Threat Management using Global Threat Intelligence

Transcription

1 Proactive Threat Management using Global Threat Intelligence WHITEPAPER Cyber breaches happening throughout the world has given the concept of global threat intelligence. Threat intelligence is the capability that helps an organisation to minimize its vulnerability to attacks by being proactive in stopping the hackers much before they gain access to its network. Summary The evolving complexity of cyber threat is forcing companies across the globe to re-think about security. It is no longer fighting a few attacks with standard tools and technologies. Cyber breaches throughout the world have given the concept of managing threats globally. This finally gave birth to what is known as global threat intelligence, a weapon without which organisations will be at the mercy of the hackers all the time even when fortified with threat management Solutions. This paper aims to give a perspective on the cyber threat intelligence and how an organisation can benefit from it. It also gives a checklist that an organisation may use while selecting a vendor providing threat management solution. The Next Generation IT-Security The high profile and sophisticated security breaches world over, have changed the cyber security concept. Companies now feel that mere defence is not sufficient, because a determined hacker, will manage to break through the barrier eventually. This is what we are experiencing everywhere, even the biggest brands are getting hacked. It is therefore high time that enterprises start knowing well in advance what is happening in and around them and throughout the world as well, in the field of breaches. We need to have the intelligence, insight and also the foresight to know what kind of attacks are happening and the impending attacks. This is what forms the core of next generation information security. Threat intelligence is the capability that helps an organisation to minimise its vulnerability to attacks by stopping the hackers much before they gain access to its network. It gives an enterprise the intuition on the plans and actions of the attackers. While the changed awareness towards security is no

2 WHITEPAPER 02 An intelligence based security system enables and organisation to identify threats proactively rather than reacting to the alerts of threats. An effective threat intelligence helps an enterprise to realise whether an attacker has already been on its network, and additionally where an attacker is likely to go and how. doubt a positive trend; putting in place the fundamentals of intelligence management calls for focused thoughts and efforts. The process has to start from the board joining hands with the Security team, geared up to have the New-Generation information security system. Threat Intelligence What and How Threat intelligence is the information on the attackers about what they are going to do, how they are going to do and their behavioral patterns. It is created when raw data are gathered and analysed to give a complete picture of activities happening within a business landscape. In a much broader perspective, such information-data are gathered and correlated from all over the world by scanning the internet. This needs maintaining a worldwide network of receptors placed around the globe. The correlated information gives awareness about the current threat scenario throughout the world and helps developing methods to counter them. This means, the threat intelligence which is gathered is integrated into a security solution to counter threats.this is what is known as global threat intelligence. An effective threat intelligence helps an enterprise to realise whether an attacker has already been in its network, and at the same time where an attacker is likely to go and how. In a nutshell : It has the potential to change the way an enterprise measures security risk It proactively prepares an enterprise s defence against any new attack Making Threat Intelligence Work An intelligence based security system enables an organisation to identify threats proactively rather than reacting to the alerts of threats. A proactive step helps an organisation to dissolve the chance of attacks much before they are launched. There are three fundamentals that will help prepare and guide any organisation to fight threat proactively. Developing A Threat-Awareness Mindset - This involves having a proper understanding of the prevailing threats with particular information about impending dangers to the specific business unit and the sector at large. Steps to prevent such threats proactively and the outcome of such actions if taken or not taken, should be introspected thoroughly. An organisation can develop threat awareness mindset simply by asking a few simple questions: What are the threats that endanger us? What are our risk factors if we are attacked? What should be our counter measure? What action should we take proactively? What should be the outcome of our action or inaction?

3 WHITEPAPER 03 Gathering of data from all over is the first step towards generating threat intelligence. Collecting global data is crucial and needs setting up of a global network for collecting intelligence from strategic nodes. This is an enormous task involving huge budget and effort. Conceptualising An Intelligence Model - Clarity on implementing an operating model to collect information data from various sources, analyse them and take suitable action is the next step to make threat intelligence work. Depending on the complexity of the organisation, the system will vary in intricacies but the basics remain the same and are applicable to any organisation seeking to develop threat intelligence capability. Developing An Intelligence-Based Decision Making Process - Often, Boards do not have a clear picture of threats that target the organisation often or even daily. This can have a disastrous impact on the business and brands ruining both, just within a short span of time. It is crucial that all important business decisions should be taken keeping in mind the cyber risk factors and the intelligence to counter them. The Executive Team needs to have sector specific and business specific threat awareness coupled with information on the global threat scenario. With the fundamentals clear and set in proper place within the enterprise, the next call for action comes in the form of: Setting the intelligence gathering priorities, deciding what intelligence the enterprise needs to improve upon and having a clear understanding of the threats in general. Developing the ability to gather intelligence relating to cyber security threats and vulnerabilities from a range of sources and translating these into a common language. Analysing the cyber intelligence gathered from different sources and correlating the discrete pieces of information to create actionable intelligence Acting upon the intelligence proactively, tactically and strategically to prevent attacks or respond to threats. Factors To Consider Before Implementing Threat Intelligence Gathering of data from all over is the first step towards generating threat intelligence. Collecting global data is crucial and needs setting up of a global network for collecting intelligence from strategic nodes. This is an enormous task involving huge budget and effort and not every one s cup of tea. Because of the global nature of threats, many a times, organsiations find it difficult to exploit useful threat information that often resides in their own premises.their complexities make it even more difficult to create a complete picture. Only through collaborative effort threat data can be gathered. But establishing an effective collaboration is not easy. Not all organisations are willing to share threat information for the fear that it might reflect negatively on their brands. Or, it might also be the unwillingness to share sensitive commercial data.

4 WHITEPAPER 04 In case if an organisation chooses outsourcing IT security service it should keep in mind that the vendor must have threat intelligence feature in its threat management service basket. But, often there is a huge difference between the actual Threat Intelligence and what the vendors are delivering under the banner of Threat Intelligence. The burning question remains, whether it will be at all advisable for an organisation to divert a major chunk of resources both in terms of money and expertise, from the core business. What will be the outcome of doing so, and even if an organisation is successful in gathering, organising and analysing all the data and making fabulous intelligence reports out of them, will it be worth in the long run considering the growing complexity of the global threat scenario. Alternately, will it be more convenient and peace giving, to outsource the service from reliable agencies that have all the infrastructure and expertise and have been running the show successfully for many years with proven results. Good threat management service providers do provide their clients the feature of threat intelligence. What Vendors Should Bring While Serving Threat Intelligence In case if an organisation chooses outsourcing IT security service it should keep in mind that the vendor must have threat intelligence feature in its threat management service basket. But, often there is a huge difference between the actual Threat Intelligence and what the vendors are delivering under the banner of Threat Intelligence. Here is a checklist that can be useful in selecting the right partner and giving an idea about the features to look for, in order to have a proper threat intelligence system. FEATURES TO CHECK FROM A SERVICE PROVIDER How many are the sources of data collection? ( Some have only a single source of just a white-labelled feed from another company) Frequency of threat intelligence updation? (Some send frequently, some take time in analysing and correlating) How are the threats evaluated? (Some are simply dumping the data without any evaluation or ranking, some give ranking only as critical, still others may use a system of ranking criteria based on the potentiality of attack) THE BEST OPTION Worldwide network receptors across the globe Device and data monitoring should be automated. The correlation rules should be updated at regular intervals in 24hrs Data should be collected from global sources, correlated and given an overall ranking

5 WHITEPAPER 05 The global threat intelligence of CNAM involves maintaining a network which scans the internet to collect information about attacks around the world. The threat intelligence is then integrated into a security solution to get a broader perspective on threats. Formatting of the data (Different sources have different ways of measuring and interpreting data. Getting differently formatted data from various sources can lead to a hell of a lot of confusion) Can the obtained data be correlated with the existing data which an enterprise already has? (Mostly the threat data received do not reflect the seriousness with respect to the company s business sector or its business specific data that need to be protected) The data should be formatted and presented which can be reported consistently and also plugged into the reports that an enterprise already uses The tailor-made correlation should be there so that, apart from general threat information, it provides insight into the risk assessment of any threat affecting the company s specific business Global Threat Intelligence Of CNAM The global threat intelligence of CNAM involves maintaining a network which scans the internet to collect information about attacks around the world. This information is collected via the receptors placed everywhere around the globe. The information is correlated to create awareness about the current threat scenario and developing methods to counter them. The threat intelligence is then integrated into a security solution to get a broader perspective on threats. Geographical Coverage IRELAND USA INDIA SINGAPORE VPS THREAT LISTENERS PARTNER SUPPORTED REGIONS CNAM UNET PROCESS

6 WHITEPAPER 06 A careful examination of the features provided by the service providers can really help an organisation select the right partner to provide a reasonably sound security infrastructure to safeguard the business and the brand. CNAM Components For Threat Detection And Global Threat Intelligence COMPONENT INTRUSION DETECTION DEVICE (IDD) DESCRIPTION The main component which houses some industry standard and proprietary technologies for detecting threats. An open source IDS is used along with a customised rule-set as a signature based detection system. It also contains a traffic anomaly engine for floods and a collaborate worm detection engine to detect outbreaks. Both of these are proprietary technologies and developed by NETMONASTERY. ROLE Threat detection Outbreak detection NETWORK AGGREGATOR (NAG) It is the local event collection and analysis engine which takes the correlation strategies from UNET (the third component of CNAM) The correlation strategies are applied on current event threads to develop local intelligence Collects event logs from all sources Locally processes and stores the event logs Develops local intelligence and trends Umbrella Network (UNET) It is a network of global presence points which are also called Point-of-Presence (POP) Each POP has a correlation management and intelligence processing facility. All POPS are directly controlled and customised as per customer's need by NETMONASTERY The NAG interacts with UNET to develop local intelligence. Can effectively trace attacks happening simultaneously all over the world and incorporate it into CNAM.

7 WHITEPAPER 07 Conclusion Under the present threat scenario, using global threat intelligence is the way to keep an organisation one step ahead of the attackers. But, due to its intricacies and cost involved, all organisations may not be in a position to have their own system of threat intelligence. Besides, this will be too much of a transgression from the core business affecting revenue and brand. Outsourcing may be a good alternate, and there are security service providers which are doing a good job in providing global threat intelligence along with real-time threat management suite. A careful examination of the features provided by such service providers can really help an organisation select the right partner to provide a reasonably sound security infrastructure to safeguard the business and the brand. About NETMONASTERY Founded in 2006, NETMONASTERY is a network security company helping enterprises in securing their network and applications by detecting threats in real time. Over the years the company has become a leader in threat detection because of its global intelligence network. For more information, please visit us at : The information provide in this article is taken by the website of NETMONASTERY NSPL. For any query please refer to website protocol.