WHITE PAPER: THREAT INTELLIGENCE RANKING SEPTEMBER 2015
HOW WELL DO YOU KNOW YOUR THREAT DATA?
HOW THREAT INTELLIGENCE FEED MODELING CAN SAVE MONEY AND PREVENT BREACHES

Who are the bad guys? What makes them tick? What are they thinking? What are they doing? This is the stuff of threat intelligence feeds, a growing area of the $75 billion cyber security tech market. According to research from Enterprise Strategy Group (ESG), 41% of companies with more than 1,000 employees subscribe to six to ten threat intelligence feeds, 21% buy eleven to twenty feeds, and 7% buy more than twenty-one feeds.

MOST FEEDS ARE REDUNDANT

Even though most enterprises subscribe to such a large number of intelligence feeds, and plan to subscribe to more, analysts think most feeds are redundant. According to the same ESG study, 72% of enterprise security analysts consider at least half of their feed information redundant regardless of its source. Nearly three out of four security professionals think it is at least somewhat difficult to determine the efficacy of each feed.

CONTROLLING YOUR BUDGET

Private threat intelligence subscription feeds typically cost over $100,000 per year and can easily exceed $200,000 per year, so deciding which feeds are most valuable is important: with six or more feeds, the costs quickly add up. As you decide which feeds are most useful, ask these three questions:

1. Does the feed help you detect threats faster?
2. Does the feed find what you would otherwise miss? Does it make you better at detecting threats?
3. Does the feed integrate easily into your environment? Is it simple to utilize this feed, and is it compatible with existing systems and your information security analytics platform?
Before paying for a feed, take advantage of trial periods to measure the feed's performance. Learn all you can about how each vendor detects threats, and assemble a portfolio of feeds covering all bases, including OSINT, honeypots, DNS mining, forum monitoring and more.
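The three questions above can be turned into numbers during a trial period if every indicator is labeled with the feed that delivered it and the time the feed published it. The following is an added example, not IKANOW's code or any vendor's: the feed names (FeedA, FeedB, FeedC), the indicator values, the timestamps and the analyst verdicts are all constructed sample data. It computes, per feed, how many indicators it alone supplied, how redundant it is with the other trial feeds, how often it reported an indicator strictly before everyone else, and its false-positive rate among indicators an analyst has already ruled on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Indicator:
    feed: str             # label: which subscription delivered the indicator
    value: str            # IP address, domain, hash, ...
    first_seen: datetime  # when that feed first published it


def _ts(day: int, hour: int = 0) -> datetime:
    return datetime(2015, 9, day, hour)


# Constructed sample: what three trial feeds published over a few days.
TRIAL_INDICATORS: List[Indicator] = [
    Indicator("FeedA", "203.0.113.10", _ts(1, 8)),
    Indicator("FeedB", "203.0.113.10", _ts(1, 20)),
    Indicator("FeedC", "203.0.113.10", _ts(2, 9)),
    Indicator("FeedA", "bad.example", _ts(2, 0)),
    Indicator("FeedB", "bad.example", _ts(1, 12)),
    Indicator("FeedA", "198.51.100.7", _ts(3, 0)),
    Indicator("FeedC", "198.51.100.7", _ts(3, 0)),   # exact tie: nobody was "first"
    Indicator("FeedB", "cdn.example", _ts(3, 6)),
    Indicator("FeedC", "drop.example", _ts(4, 1)),
    Indicator("FeedA", "drop.example", _ts(4, 5)),
    Indicator("FeedC", "c2.example", _ts(5, 0)),
]

# Constructed analyst verdicts gathered during the trial (incident tickets,
# sandbox results). Indicators with no entry are still unresolved.
VERDICTS: Dict[str, str] = {
    "203.0.113.10": "malicious",
    "bad.example": "malicious",
    "cdn.example": "benign",      # turned out to be a legitimate CDN host
    "drop.example": "malicious",
    "198.51.100.7": "benign",
}


def score_feeds(indicators: List[Indicator], verdicts: Dict[str, str]) -> Dict[str, dict]:
    # value -> {feed: earliest first_seen}; a feed re-publishing the same value
    # is collapsed to its earliest report so it is not counted twice.
    by_value: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    for ind in indicators:
        prev = by_value[ind.value].get(ind.feed)
        if prev is None or ind.first_seen < prev:
            by_value[ind.value][ind.feed] = ind.first_seen

    scores: Dict[str, dict] = {}
    for feed in sorted({ind.feed for ind in indicators}):
        total = unique = first = true_det = ruled = benign = 0
        for value, reports in by_value.items():
            if feed not in reports:
                continue
            total += 1
            others = [t for f, t in reports.items() if f != feed]
            if not others:
                unique += 1                     # nobody else ever reported it
            if all(reports[feed] < t for t in others):
                first += 1                      # strictly earliest (sole reporter qualifies)
            verdict = verdicts.get(value)
            if verdict is not None:
                ruled += 1
                if verdict == "benign":
                    benign += 1
                elif verdict == "malicious":
                    true_det += 1
        fp_rate: Optional[float] = round(benign / ruled, 3) if ruled else None
        scores[feed] = {
            "total": total,
            "unique": unique,
            "redundancy": round(1 - unique / total, 3) if total else 0.0,
            "first_to_report": first,
            "true_detections": true_det,
            "false_positive_rate": fp_rate,
        }
    return scores


def rank_feeds(scores: Dict[str, dict]) -> List[str]:
    """Most confirmed detections first, then most first-reports, then lowest FP rate."""
    return sorted(
        scores,
        key=lambda f: (-scores[f]["true_detections"], -scores[f]["first_to_report"],
                       scores[f]["false_positive_rate"] or 0.0, f),
    )


if __name__ == "__main__":
    result = score_feeds(TRIAL_INDICATORS, VERDICTS)
    for feed in rank_feeds(result):
        print(feed, result[feed])
```

A feed with high redundancy and few first-reports is a candidate to drop when its contract comes up, which is exactly the decision the trial period is meant to inform.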
Also, until you are absolutely sure a feed offers value, don't commit to a long-term agreement. This strategy gives you the flexibility to unsubscribe from redundant feeds, cuts your spending and eliminates data noise.

HOW ANALYTICS REVEAL YOUR MOST USEFUL FEEDS

Threat intelligence analysis from IKANOW uncovers which feeds deliver the most value. By labeling threat data with the feed that delivered it, the platform can answer important questions, including:

- Which feed recognizes threats first?
- Which feed delivers the fewest false positives?
- Which feed gives the best detail about attacks?

IKANOW brings multiple feeds together, including commercial, OSINT and ISAC feeds, alerting you to some threats before they happen, helping to prioritize attacks in progress, and discovering previously unidentified incidents. In addition, IKANOW correlates feeds with enterprise data to compare and measure each feed's value. As a result, you can identify which feeds deliver value and which are filled with redundancies and false positives, and then unsubscribe from the feeds that don't deliver results. Together these functions increase the efficiency and effectiveness of your security efforts.

THREAT INTELLIGENCE MODELING WITH IKANOW

Without information security analytics from a platform such as IKANOW, it is almost impossible to make sense of the information coming from threat intelligence streams. Manually analyzing intelligence streams, enterprise logs and SIEM alerts creates an unmanageable information tsunami and makes it impossible to find and prioritize threats to your enterprise. Cutting unnecessary stream subscriptions is just one benefit of investing in IKANOW's platform.

FIND OUT HOW IKANOW analytics protects data, slashes incident response times and makes the most of your security resources.

In the enterprise, you probably receive information from multiple feed sources, including commercial, OSINT, open source data and ISAC streams.

1. COMMERCIAL

Threat intelligence feeds from commercial companies contain proprietary research shaped by how the company detects threats. Their strategies include luring attackers with honeypots, mining DNS data for new domains and conducting cloud-based malware sandboxing. Depending on your needs, a commercial threat intelligence company might assign dedicated analysts to your organization. These analysts visit gray markets, search for botnets and monitor forums on your behalf. Some companies focus mainly on threat intelligence streams, like iSIGHT and its ThreatScape intelligence platform. Other companies, like FireEye and Symantec, offer threat intelligence streams as part of an integrated suite of security services. Symantec's three DeepSight feeds, for example, provide information about reputation, vulnerabilities and security risks.

2. OSINT

Open source intelligence (OSINT) providers comb through a multitude of information sources, looking for intelligence about possible threats against your company. OSINT is less about detecting network activity as it occurs and more about performing open source research. It goes beyond the organization's domains to scour social networks, forums, media, blogs and even deep Web resources, looking out for potential threats brewing against your organization. OSINT feeds give you the intelligence needed to prevent attacks before they happen. When a hacktivist mentions your company in a tweet or a forum, an OSINT feed like SenseCy alerts you to potential danger. With information security analytics, your company can combine OSINT feeds with commercial feeds for better results. For instance, you can cross-reference SIEM-detected IPs with OSINT scans of public IP reputation databases.

The first step in improving an organization's security is improving awareness. However, in order to improve overall security awareness, organizations need to first take a hard look at how they are gathering threat intelligence. The best way to do this is to measure and model, or forecast, their threat intelligence content and the value it provides. Robust information security analytics allows users to customize and automate this modeling process for targeted, impactful results, making the most of threat intelligence and allowing information security analysts to focus on actions that enhance network security instead of just keeping up with the constant flow of data.

IKANOW's Information Security Analytics (ISA) platform is especially suited to this task. It can analyze and correlate multiple, disparate data sources, including social media, RSS feeds, threat intelligence feeds, enterprise applications, logs and more. The platform can use all of these sources to identify Indicators of Compromise (IOCs), exploits and vulnerabilities. The steps to conduct this advanced threat intelligence modeling are outlined below.

CONNECTING THREAT

When it comes to connecting to private threat intelligence feeds, IKANOW integrates with many of the most popular threat feeds out of the box. If out-of-the-box integration isn't yet available, we can build a new plugin for our customers in a matter of days. IKANOW has created a streamlined three-step process to add the appropriate data sources and threat feeds.

Figure 1 - Connecting Your Data Source
Figure 2 - Configuring Your Data Source
Figure 3 - Saving & Publishing Your Data Source

3. OPEN SOURCE DATA

Open source data is inherently what drives OSINT. There are many free sources of open source data available that can provide useful IOCs and threat indicators; they simply require further investigation and correlation after an alert is generated. The key difference between open source data and OSINT is that open source data has not been previously evaluated for intelligence value, such as attribution to an APT, while OSINT is open source data that has been evaluated or has met strict rules of correlation. Unattributed malicious domains and IP addresses derived from a honeypot and published to the web are a great example of useful open source data. An enterprise should certainly be aware if there is network traffic to these malicious domains and IP addresses.

4. ISAC

Information sharing and analysis centers (ISACs) provide threat intelligence to specific industries. Again, when used in concert with commercial and OSINT feeds, information security analytics tools can identify which signals are your biggest priority. Before using an ISAC feed, clarify whether the center requires you to send your own data back to the ISAC. Let a CISO or other manager make the final decision about releasing company data.

After adding the necessary threat feeds, the IKANOW ISA platform will correlate that data with other data sources (e.g. log files) already added to the platform.

VISUALIZING THREAT FEEDS

Visualization enables Threat Intelligence Managers to track threat feed spending against the utility of each feed within their network. Our threat feed algorithms allow decision makers to focus threat intel spending on the sources that provide the most meaningful intelligence and the most usable and relevant information for security analysts. The figure below shows how IKANOW compares threat intelligence sources:

- APT Alerts displays the number of alerts associated with a known hacking group, derived from the contextual information provided with IOCs.
- Exploit Kit Alerts displays the number of alerts attributed to known exploit kits.
- Total IOCs displays the total number of IOCs detected from the threat feed.
- Scan-detected Common Vulnerabilities and Exposures (CVE) is the total number of unique CVEs detected in your network scan.

EVALUATING PATCHING COSTS (VULNERABILITY TABLE)

Vulnerability patching and cost calculations are easily made from the platform's vulnerability table function. The vulnerability table allows analysts to view how many hosts are affected by each vulnerability and to assign level-of-effort and cost information to these vulnerabilities. Analysts can adjust fields within this table, and sort and filter the data, to assist in deriving patch prioritization. This data is generated from common enterprise scanning solutions such as Nessus and Qualys. This information is critical to a CISO in making decisions to patch vulnerabilities across the enterprise.

DASHBOARDS

IKANOW designed the ISA platform to present critical information in dashboards that are easy to understand and view. These dashboards allow a CISO or analyst to quickly see how their network is affected by IOCs, vulnerabilities and exploits extracted from threat intelligence reports.
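The correlation step described above (matching feed indicators against log files already on the platform) and the per-feed comparison figures (APT Alerts, Exploit Kit Alerts, Total IOCs) can be illustrated end to end. The following is an added example written for this page, not IKANOW's code: the honeypot list, the commercial feed with its context tags, the proxy log format and the group and exploit-kit names ("group-alpha", "kit-beta") are all constructed placeholders. A plain published list carries no context, so its hits can only count toward Total IOCs; a feed that ships attribution with each IOC is what makes the APT and exploit-kit columns possible.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    feed: str                                  # feed label attached to every IOC
    value: str                                 # domain or IP address, lower-cased
    context: Tuple[Tuple[str, str], ...] = ()  # e.g. (("apt", "group-alpha"),)

    def tag(self, key: str) -> Optional[str]:
        return dict(self.context).get(key)


def parse_indicator_list(text: str, feed: str) -> List[Indicator]:
    """Parse a plain published list (one domain/IP per line, '#' comments), the
    typical shape of an unattributed honeypot list: values only, no context."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(Indicator(feed, line.lower()))
    return out


# Constructed: a honeypot-derived list as published on the web (open source data).
HONEYPOT_LIST = """\
# constructed honeypot hit list, unattributed
203.0.113.10
198.51.100.7
bad.example
"""

# Constructed: a commercial feed that ships context with each IOC. The group and
# exploit-kit names are placeholders, not real attributions.
COMMERCIAL_FEED = [
    Indicator("commercial", "203.0.113.10", (("apt", "group-alpha"),)),
    Indicator("commercial", "drop.example", (("exploit_kit", "kit-beta"),)),
    Indicator("commercial", "c2.example", (("apt", "group-alpha"),)),
]

# Constructed proxy log: "<timestamp> <src_ip> <dest_host> <dest_ip> <status>"
PROXY_LOG = """\
2015-09-14T10:01:02Z 10.0.0.5 bad.example 198.51.100.23 200
2015-09-14T10:05:40Z 10.0.0.9 cdn.example 192.0.2.44 200
2015-09-14T10:07:13Z 10.0.0.5 update.example 203.0.113.10 302
2015-09-14T11:15:00Z 10.0.0.12 drop.example 192.0.2.77 200
2015-09-14T11:16:30Z 10.0.0.12 drop.example 192.0.2.77 200
2015-09-14T12:00:00Z 10.0.0.3 intranet.example 10.0.0.100 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_proxy_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:            # skip malformed lines rather than abort the batch
            continue
        ts, src, host, dst, status = m.groups()
        events.append({"ts": ts, "src": src, "host": host.lower(), "dst": dst, "status": int(status)})
    return events


def correlate(events: List[dict], indicators: List[Indicator]) -> List[dict]:
    """Match each event's destination host and IP against every feed's IOCs.
    One event hitting the same value in two feeds yields two alerts, so the
    per-feed comparison reflects redundancy rather than hiding it."""
    index: Dict[str, List[Indicator]] = defaultdict(list)
    for ind in indicators:
        index[ind.value].append(ind)
    alerts = []
    for ev in events:
        for key in ("host", "dst"):
            for ind in index.get(ev[key], []):
                alerts.append({"event": ev, "indicator": ind, "matched_on": key})
    return alerts


def summarize_by_feed(alerts: List[dict]) -> Dict[str, dict]:
    """Per-feed figures as in the comparison above: APT alerts, exploit-kit
    alerts, and the number of distinct IOCs from that feed that actually fired."""
    acc = defaultdict(lambda: {"alerts": 0, "apt_alerts": 0, "exploit_kit_alerts": 0, "iocs": set()})
    for a in alerts:
        ind = a["indicator"]
        s = acc[ind.feed]
        s["alerts"] += 1
        s["iocs"].add(ind.value)
        if ind.tag("apt"):
            s["apt_alerts"] += 1
        if ind.tag("exploit_kit"):
            s["exploit_kit_alerts"] += 1
    return {feed: {"alerts": s["alerts"], "apt_alerts": s["apt_alerts"],
                   "exploit_kit_alerts": s["exploit_kit_alerts"], "total_iocs": len(s["iocs"])}
            for feed, s in acc.items()}


def run() -> Tuple[List[dict], Dict[str, dict]]:
    indicators = COMMERCIAL_FEED + parse_indicator_list(HONEYPOT_LIST, "honeypot-list")
    alerts = correlate(parse_proxy_log(PROXY_LOG), indicators)
    return alerts, summarize_by_feed(alerts)


if __name__ == "__main__":
    found, per_feed = run()
    for a in found:
        print(a["event"]["ts"], a["event"]["src"], "->", a["indicator"].value, a["indicator"].feed)
    print(per_feed)
```

Note that the internal destination (10.0.0.100) and the CDN host never match anything, while the address 203.0.113.10 fires in both feeds: that overlap is precisely the redundancy the budget discussion earlier is about.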
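The vulnerability table described under EVALUATING PATCHING COSTS combines scanner output (how many hosts carry each CVE) with analyst-entered effort and cost, then sorts and filters to produce a patch order. The following is an added example, not the platform's own code: the scanner export is a constructed CSV in the general shape of a Nessus or Qualys host/finding export, the CVE identifiers are placeholders, and the effort hours and hourly rate are made-up analyst inputs.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed scanner export: one row per host/finding. CVE ids are placeholders.
SCAN_EXPORT = """\
host,cve,cvss
web01,CVE-PLACEHOLDER-0001,9.8
web02,CVE-PLACEHOLDER-0001,9.8
db01,CVE-PLACEHOLDER-0002,7.5
web01,CVE-PLACEHOLDER-0003,5.3
web02,CVE-PLACEHOLDER-0003,5.3
db01,CVE-PLACEHOLDER-0003,5.3
app01,CVE-PLACEHOLDER-0003,5.3
"""

# Constructed analyst input: level of effort per host, in hours, for each CVE
# (the field an analyst adjusts in the table) and a blended hourly rate.
EFFORT_HOURS_PER_HOST: Dict[str, float] = {
    "CVE-PLACEHOLDER-0001": 2.0,
    "CVE-PLACEHOLDER-0002": 8.0,   # needs a maintenance window and a database restart
    "CVE-PLACEHOLDER-0003": 1.0,
}
HOURLY_RATE = 150.0


def build_vulnerability_table(scan_csv: str, effort: Dict[str, float], rate: float) -> Dict[str, dict]:
    """One row per CVE: hosts affected, total effort, cost, and exposure (cvss x hosts)."""
    hosts: Dict[str, set] = defaultdict(set)
    cvss: Dict[str, float] = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        hosts[row["cve"]].add(row["host"])
        cvss[row["cve"]] = max(cvss.get(row["cve"], 0.0), float(row["cvss"]))
    table: Dict[str, dict] = {}
    for cve, affected in hosts.items():
        n = len(affected)
        hours = effort.get(cve, 0.0)        # 0.0 = analyst has not estimated it yet
        cost = n * hours * rate
        risk = cvss[cve] * n
        table[cve] = {
            "cvss": cvss[cve],
            "hosts": n,
            "affected": sorted(affected),
            "effort_hours": hours * n,
            "cost": cost,
            "risk": round(risk, 1),
            "risk_per_kdollar": round(risk / (cost / 1000.0), 2) if cost else None,
        }
    return table


def prioritize(table: Dict[str, dict], min_hosts: int = 1) -> List[str]:
    """Filter to CVEs on at least min_hosts machines, then sort by exposure
    descending with the cheaper fix first on ties."""
    rows = [c for c, r in table.items() if r["hosts"] >= min_hosts]
    return sorted(rows, key=lambda c: (-table[c]["risk"], table[c]["cost"], c))


if __name__ == "__main__":
    vt = build_vulnerability_table(SCAN_EXPORT, EFFORT_HOURS_PER_HOST, HOURLY_RATE)
    for cve in prioritize(vt):
        r = vt[cve]
        print(f"{cve}: {r['hosts']} hosts, cvss {r['cvss']}, cost ${r['cost']:.0f}, risk {r['risk']}")
```

The ordering is deliberately a starting point rather than a verdict: the medium-severity CVE on four hosts outranks the critical one on two because exposure is counted per host, and an analyst can override that by editing the effort column or filtering on a higher host threshold, which is the workflow the table is built for.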
CONCLUSION

Only by thoroughly understanding the usefulness of individual threat intelligence feeds can an organization take steps to maximize ROI from these valuable but expensive tools. Further, information security analysis can ensure that threat intelligence modeling is applied consistently and efficiently to identify, prioritize and report on threats to your specific network environment.

You probably use information security analytics tools to try to make sense of these feeds, but it is not easy to bring disparate feeds together and eliminate duplicate data. Your IKANOW platform can do more than interpret threat signals. It can also identify which feeds offer the most value, helping you slash your security spending. Instead of paying for extra data, you spend money on feeds that deliver results. Your investment in analytics pays off by helping you eliminate useless feeds.

@ikanowdata | facebook.com/ikanow | ikanow.com | info@ikanow.com