Threat intelligence: A buyer's guide
Table of Contents
Executive summary ... 3
1. Introduction ... 4
The rise of digital business ... 5
What is cyber threat intelligence? ... 7
Common types of cyber threat intelligence ... 9
What is new? ... 11
2. CATER ... 12
Coverage ... 14
Accuracy ... 15
Timeliness ... 16
Ease of integration ... 17
Relevance ... 18
3. Summary ... 19
Get a proof of concept and tell the world ... 20
End notes ... 21
All Rights Reserved
Executive summary
Over the course of the last several years, cyber attacks have become more and more targeted in nature. Traditional attacks were largely indiscriminate, whereas today's attacks focus on specific individuals or organizations. These targets are often selected after a great deal of planning and reconnaissance has taken place over days, weeks, months or even years. The threats posed by these new types of attack have been compounded by the lower barrier to entry that the global adoption of social media, cloud and mobile technologies has introduced. Now, more than ever, organizations are seeking to understand which threat actors pose a viable threat to their assets and business operations. Gaining insight into this uncertain environment requires several steps, all of which can be informed by cyber threat intelligence (CTI).

The past three years have seen an explosion in new information security firms offering CTI. Many of these firms are traditional security vendors that have established intelligence products alongside their existing offerings. As a result, there are many options to choose from in the market, which often leads to confusion. The question then becomes: which providers should potential buyers turn to in order to gain a better understanding of their threats?

This paper provides an overview of the CTI market. It does so by looking at the rise of digital business in today's world and at the impact that threat intelligence has had on the market. Additionally, the paper outlines the fundamental characteristics of a CTI provider:
Coverage
Accuracy
Timeliness
Ease of integration
Relevance
With our CATER checklist you can better understand these fundamental characteristics and make more informed decisions about which providers are best suited to your organization.
1. Introduction
The rise of digital business
We live in a complex world, one that has transformed the way we do business and the way we live our day-to-day lives. The interaction of over three billion individuals [1] across multiple platforms has formed a new world: the world of digital business. [2] Social media, mobile computing and cloud services have increased the ease and speed of communication whilst simultaneously reducing its cost. As a result of the complexity this introduces, and of the advent of digital business itself, new threats are introduced to our enterprises. In this complex, volatile and uncertain world we are exposed to a range of people and organizations that present a threat, be they agenda-driven (hacktivists), organized criminals or nation states. These are some of the groups that are successfully penetrating our traditional boundary defenses on a daily basis.

As these threats evolve, enterprises are evolving their defenses to respond to the changing landscape. They are placing an increasing emphasis on security controls that exist beyond the traditional perimeter, and many are focusing their efforts on building a threat intelligence capability. In doing so, these organizations gain a means of reducing the uncertainty they encounter within the threat landscape while also protecting themselves from data loss and targeted attack. This is easier said than done. The market has been seeking a stable definition of what effective cyber threat intelligence (CTI) means. Specifically, there is confusion between data, information and intelligence. This is explored further in the following sections.
Cyber threat intelligence is characterized by many vendors in the market as a means of analyzing huge volumes of data, in multiple formats and languages, across public and closed data sources. The objective of this analysis is to provide information in context that can help mitigate a harmful event. If this information in context allows an enterprise to take some sort of direct action, it can be argued that this is intelligence. This is by no means a trivial task. Many organizations simply lack the resources, skills, time and money to establish a meaningful in-house intelligence capability. [3] Consequently, they are turning to external help to plug this capability gap. As more and more vendors produce and go to market with cyber threat intelligence solutions and services, enterprises face a confusing picture when trying to select good-quality support that offers long-term value for money. As with many areas of security, there is no silver bullet for CTI, so a judicious assessment of the market is needed to choose an appropriate CTI solution. We believe that using the CATER model makes arriving at a decision about a CTI solution much easier. The remainder of this paper explores the definition of threat intelligence, the types of threat intelligence present in today's world, and the characteristics of a CTI provider.
What is cyber threat intelligence?
Business leaders are becoming increasingly aware of the value of CTI. Cyber threat intelligence enables organizations to make better-informed decisions about policy-making, defensive controls and resource allocation. However, the increased interest in CTI across industry and the media is creating a significant amount of hype in the market. A major reason for this is that there is no agreed definition of CTI. Without an intelligible and consistent definition, CTI is at risk of fast becoming a buzzword. At a high level, intelligence can be defined simply as information about the enemy. [4] This is a good starting point but, when definitions become more granular, problems with inconsistency and jargon soon arise. The most common of all is the failure to coherently differentiate between data, information, knowledge and intelligence. The difference between these terms is key to understanding the CTI market. Data refers only to observables and facts; these become information when context is added, and information becomes knowledge when meaning is given to it. Within this framing, intelligence is simply relevant and meaningful information.
Figure 1. Relationship between data, information, knowledge and intelligence
There is no single agreed universal definition of cyber threat intelligence; it means a lot of different things to a lot of different people. One useful definition of threat intelligence came from a recent workshop held with a number of CTI vendors, and was included in a paper released by the Bank of England: "Information about threats and threat actors that provides relevant and sufficient understanding for mitigating the impact of a [...] harmful event." [5] This definition of cyber threat intelligence is useful in that it is broad enough to be applied to numerous different service offerings, and it helps differentiate raw data feeds from offerings that have value in the process of defending an organization or pre-empting an attack. However, with this breadth of definition, we must also look at what differentiates the various offerings.
Common types of cyber threat intelligence
Figure 2. Cyber threat intelligence market
Security monitoring intelligence
One of the most important types of threat intelligence is produced from within an organization itself. In many instances this type of intelligence is referred to as security monitoring intelligence because it is derived largely from assets (network, gateway, endpoints, SIEM, etc.) that already exist within the organization's enterprise environment. Examples include information obtained from existing SIEM capabilities, intrusion prevention systems or internal NetFlow. Internal DNS logs can give vital clues about who or what is communicating out of the network. Staff themselves can flag unexpected behaviours to a central reporting point. Converging this array of sources provides a cohesive view of the organization's risk posture.
Sharing communities
Sharing communities provide a great deal of value to individuals and organizations tasked with managing threat intelligence activities. These communities take many forms, from vetted private mailing lists, to sponsored threat exchange environments, to more structured organizations such as national Computer Emergency Response Teams (CERTs), sector CERTs and Information Sharing and Analysis Centers (ISACs). Participating in these communities is critical to substantiating an organization's threat intelligence program.
External sources
The final type of threat intelligence is external sources, of which there are two types:
Machine-oriented cyber threat intelligence
Human-oriented and analyst-driven cyber threat intelligence
Machine-oriented cyber threat intelligence
This type of CTI focuses on providing organizations with machine-derived technical feeds. These are typically highly structured, composed of data objects delivered at scale and volume. The value of such feeds varies dramatically, as does their content. Often these are simply updated lists of IP addresses, domain names and MD5 hashes; more sophisticated versions deliver structured indicators of compromise (IOCs). Good feeds can be timely and provide a firm basis for driving the configuration of key detection and protection controls in a network. Such feeds can, however, lack accuracy or offer an incomplete view.
Human-oriented and analyst-driven cyber threat intelligence
These sources are human-oriented and analyst-driven. They are most relevant to organizations that do not have dedicated in-house CTI teams. Such human-oriented sources eliminate more false positives and provide a more customized service focussed on known facts and behaviours of threat groups and actors. Compared with machine-oriented CTI, they improve accuracy at the expense of timeliness and coverage.
What is new?
For decades enterprise organizations have sought out new ways to inform themselves of the threats and risks they are exposed to. Most of these activities have been internally focused. This includes the generation of security intelligence through activities such as endpoint and network analysis, vulnerability analysis, penetration testing and incident response. Some organizations have started to explore their online exposure using search engine technology to mine for information (so-called "Google hacking"). So what is new about CTI? There is an unprecedented scale and diversity of sources of cyber threat intelligence available to organizations today. Advances in technology such as cloud computing provide inexpensive resources that enable threat intelligence providers to collect and produce more intelligence at a lower cost. Other advances, such as those in data science, allow better automation of processes that infer meaning and improve relevance. Finally, advances in intelligence sharing continue, driving the rise of integrated, automated and centralized security controls.
2. CATER
Characteristics of an external CTI provider
If organizations choose to embrace the advances in CTI and turn to external sources, it is essential that they select the vendor(s) that best address the organization's needs. Large organizations, for example, may have the resources to take on machine-generated feeds whereas some smaller organizations may not. Buyers of CTI are often overwhelmed by providers who either supply bare data feeds or have simply re-badged existing data feed services as cyber threat intelligence. In such a crowded industry, how can buyers ensure a vendor provides the intelligence an organization needs and not raw data or irrelevant information? In order to pick through the noisy CTI industry, buyers of CTI should use CATER as a guide to assessing vendors across five categories:
Coverage: how wide and how varied are the sources?
Accuracy: how does the provider ensure my intelligence is free from cognitive biases and false alarms?
Timeliness: how quickly will my organization receive an alert following an event, and how far back does the context go?
Ease of integration: how well does the service integrate with my organization's existing services, and how does this ensure that action is taken?
Relevance: how tailored is the service to my organization and its supply chain?
Coverage
Coverage is one of the most important characteristics of a threat intelligence provider. A provider that is able to ingest millions rather than thousands of unique domains will, understandably, be expected to generate more results. A provider that covers many sources will reduce the chance of threats going unnoticed. But coverage is about far more than volume: variety is just as important. The provider should have the capability to collect and ingest a wide range of source types, such as web and Internet services, a mixture of public and private forums, and a range of media types such as IRC chats, email and video. This variety is necessary in order to develop a better understanding of the threat environment. [6] Neither quantity nor variety is possible without a broad language capability for unstructured information. Cyber threats are a global phenomenon, and a provider whose technology and analysts fail to process and analyse threats in languages such as Russian, Portuguese, Arabic and Mandarin Chinese will miss a significant quantity of relevant information. Many providers claim to offer superior coverage, but no single provider can claim to have the best coverage. [7] To get the best coverage it will be necessary to use several providers who together offer the widest and most varied collection.
Accuracy
Wide, varied and multilingual coverage is key, but it is not enough. Coverage must be balanced against the accuracy of the alerts. There is a deluge of automated data feeds from providers that focus on how a computer system has been compromised and the forensic remnants of the attack. Unfortunately these machine-generated data feeds are often overly technical, fail to give context and may be riddled with false positives. This leaves the consumer with the burden of sifting the information for relevant content. Some providers also reuse existing data feeds acquired from other parties. The result is a highly time-consuming, costly and overwhelming process for the organization. For data to become intelligence it must be transformed into information, and then effort must be made to strip out the false positives and to prioritize and contextualize what remains. A balance ought to be found between machine-oriented, high-volume CTI and human-oriented, more curated and tailored CTI. Accuracy is often impeded by cognitive biases and heuristics. It is therefore important to ensure that a provider employs a range of techniques to ensure the consistency and accuracy of its information. This should include systems to remove confirmation bias and mitigate other cognitive errors where results are curated by an analyst. [8] Good intelligence tradecraft has existed for many years, yet some providers take a purely technical view of the gathered intelligence without recognizing the importance of accurate and clear reporting.
81% of respondents felt that a high false positive rate was one of the biggest problems with CTI (Ponemon Institute, 2015).
Timeliness
The blend of coverage and accuracy must also be balanced against the timeliness of information. A managed service might succeed in removing false positives, but if the alerts are not timely they become redundant. For example, several providers produce thorough and expertly written reports which, despite being comprehensive pieces of analytical work, are received too late in the day to be considered actionable. In this hyper-connected world, information spreads quickly: 56% of those asked in a recent survey said that intelligence becomes stale within minutes or seconds. [9] Providers must be able to demonstrate that they can ingest dynamic, high-volume sources such as Twitter at very high rates and turn them into intelligence that is relevant the moment it is collected. Buyers should expect a provider to be able to alert them within 30 minutes of an event. It is also useful to understand how far back in time a provider can go. The ability to spot malicious tweets from previous years, for example, can prove invaluable, just as understanding the historical behaviour of an IP address can provide valuable clues.
84% of respondents felt that disseminating intelligence in a timely fashion was one of the biggest problems with CTI (Ponemon Institute, 2015).
Ease of integration
Two to three years ago, threat intelligence providers were pitting their services against one another. In a 2012 blog article, Rick Holland of Forrester Research quipped that it was a case of "My threat intelligence can beat up your threat intelligence." [10] Now the situation is beginning to change amid a growing realization that no single provider can satisfy all of an organization's needs. No matter how advanced their offering may be, providers must demonstrate that they can integrate with other solutions. The market still has room to mature, however. According to the SANS Institute, there is "a shortage of standards and interoperability around feeds, context and detection", which "may become more problematic as more organizations add more sources of CTI into their detection and response programs". [11] Similarly, a recent study by the Ponemon Institute reported that 59% of respondents found that CTI does not integrate with their various security technologies. [12] Providers will each have their own particular focus: some on technical data feeds, some on context and others on detection. As such, it is essential that a provider's solution has an API that can easily integrate with existing solutions and with wider sharing communities such as FS-ISAC and CISP, and that it utilizes standards such as OpenIOC and STIX.
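The machine-oriented feeds described under "Common types of cyber threat intelligence" and the STIX-based integration discussed in this section come down to the same pipeline: parse the indicator objects, decide which are current, and run them over your own telemetry. The following Python is an added example, not code from this paper or from Digital Shadows. It assumes a STIX 2.1 JSON bundle (the JSON form of STIX postdates this paper; STIX 1.x of the period was XML), handles only the simple `[type:property = 'value']` pattern subset joined by OR, and uses constructed indicators, an assumed allowlist and constructed DNS, proxy and anti-virus log lines built from documentation-reserved addresses and names. It applies the Accuracy and Timeliness points above mechanically: allowlisted observables are suppressed, and indicators outside their valid_from/valid_until window are not matched.

```python
"""Ingest a STIX 2.1 indicator bundle and match it against DNS, proxy and AV logs.

Added example; not code from the paper or from Digital Shadows. It handles only
the simple STIX pattern subset  [type:property = 'value']  joined by OR. Every
feed entry, allowlist entry and log line here is constructed sample data using
documentation-reserved addresses (192.0.2.0/24) and names.
"""
import json
import re
from datetime import datetime, timezone

# Constructed feed: four indicators, one expired and one that names a host
# the organisation uses legitimately (a classic feed false positive).
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000010",
         "name": "C2 callback host", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example' OR ipv4-addr:value = '192.0.2.45']",
         "valid_from": "2015-03-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000011",
         "name": "Dropper (MD5)", "pattern_type": "stix",
         "pattern": "[file:hashes.MD5 = '0123456789abcdef0123456789abcdef']",
         "valid_from": "2015-01-10T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000012",
         "name": "Sinkholed address, since released", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9']",
         "valid_from": "2014-06-01T00:00:00Z",
         "valid_until": "2015-01-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000013",
         "name": "Shared CDN host (noisy)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.example.net']",
         "valid_from": "2015-02-01T00:00:00Z"},
    ],
})

# Observables the organisation knows are benign for it (assumed allowlist).
# Feed entries that collide with these are suppressed instead of alerting.
ALLOWLIST = {("domain-name", "value", "cdn.example.net")}

# One comparison inside a pattern, e.g.  ipv4-addr:value = '192.0.2.45'
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.]+)\s*=\s*'([^']*)'")

# Log field name -> (STIX observable type, property) it corresponds to.
_FIELD_TYPES = {
    "query": ("domain-name", "value"),
    "dst": ("ipv4-addr", "value"),
    "md5": ("file", "hashes.MD5"),
}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(feed_json, now):
    """Return {(type, property, value): indicator_id} for indicators that are
    current at `now`, dropping revoked, not-yet-valid, expired and allowlisted
    entries. AND-joined patterns are outside this subset and are skipped."""
    table = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix" or " AND " in obj["pattern"]:
            continue
        if _parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue
        for obs_type, prop, value in _COMPARISON.findall(obj["pattern"]):
            key = (obs_type, prop, value.lower())
            if key not in ALLOWLIST:
                table[key] = obj["id"]
    return table


# Constructed log lines: "<timestamp> <source> key=value ...", one event per line.
SAMPLE_LOGS = """\
2015-05-26T09:12:01Z dns client=10.10.4.21 query=cdn.example.net
2015-05-26T09:12:04Z dns client=10.10.4.21 query=update.example
2015-05-26T09:12:05Z proxy client=10.10.4.21 dst=192.0.2.45 url=http://update.example/check
2015-05-26T09:15:00Z proxy client=10.10.7.3 dst=192.0.2.9 url=http://192.0.2.9/
2015-05-26T09:20:42Z av host=ws-0042 md5=0123456789ABCDEF0123456789ABCDEF file=setup.exe
"""


def match_logs(log_text, table):
    """Return (timestamp, indicator_id, observable_type, value) for every log
    field whose value matches a current indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        for field in parts[2:]:
            name, _, value = field.partition("=")
            if name not in _FIELD_TYPES:
                continue
            obs_type, prop = _FIELD_TYPES[name]
            key = (obs_type, prop, value.lower())
            if key in table:
                hits.append((parts[0], table[key], obs_type, value.lower()))
    return hits


def scan(feed_json, log_text, now_iso):
    """Load the feed as of `now_iso` and run it over the logs."""
    return match_logs(log_text, load_indicators(feed_json, _parse_ts(now_iso)))


if __name__ == "__main__":
    for hit in scan(FEED_JSON, SAMPLE_LOGS, "2015-05-26T10:00:00Z"):
        print(hit)
```

Run with the clock set to 26 May 2015 it raises three alerts (the C2 domain, the C2 address and the dropper hash) and none for the expired sinkhole address or the allowlisted CDN host. The allowlist and the validity window are where most of the feed-quality arguments in the Accuracy and Timeliness sections get settled in practice, so keep them as data the SOC can edit rather than as code.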
Relevance
The final and perhaps the most important characteristic of a threat intelligence provider is the relevance of its information. The intelligence an organization receives often covers threats to geographies or specific sectors. This is good, but it is not enough. The most valuable intelligence is that which is specific to an organization and its assets. Such a tailored intelligence offering will help organizations understand how they appear or are discussed online. With so many incidents to deal with, organizations are at risk of becoming overwhelmed by alerts, so there should be a mechanism in place for prioritizing them. [13] Alerts should be graded according to the severity of the threat and the urgency of remedial action. Taking this tailored approach gives the organization the opportunity to feed back to the intelligence provider and improve the process. Such feedback mechanisms should not be perceived as an optional extra but as a fundamental feature of the service. The provider is there to help you understand your threats; therefore the service should be fully tailored to your organizational assets and requirements.
3. Summary
Get a proof of concept and tell the world
The CTI landscape has been obscured by hype, unrealistic expectations and inconsistency around key definitions. Coverage, accuracy, timeliness, ease of integration and relevance are the fundamental characteristics of an external source of CTI. Using our CATER checklist can help you whittle down the market and pick out the signal from the noise. To get the best service, it may be necessary to go to more than one provider in order to obtain the comprehensive coverage your organization needs. Furthermore, a successful threat intelligence capability will have a mix of internal, sharing and external sources. Of course, it is only possible to see the true value of a CTI provider once the service begins. If you have any reservations, ask your provider for a proof of concept before signing up for a lengthy contract. You might have to pay for this, but it can be a great way of demonstrating value and making it easier to secure budget. Last but not least, once you are in the favourable position of having a vendor or vendors that cater to your needs, make sure you share your findings. Communicating with your peers is key to cutting through the hype and making the most of cyber threat intelligence. Good luck.
End notes
[1] Internet Live Stats, Internet users in the world, http://www.internetlivestats.com/internet-users/ (last accessed 26 May 2015).
[2] Gartner, Putting Digital Business to Work in 2015, October 2013.
[3] Ponemon Institute, Intelligence Driven Cyber Defense, February 2015.
[4] D. MacLachlan, Room 39: A Study in Naval Intelligence, 1968.
[5] Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider, 2014.
[6] Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider, 2014.
[7] Verizon, 2015 Data Breach Investigations Report, 2015.
[8] Digital Shadows, The dangers of groupthink, February 2015.
[9] Ponemon Institute, The Importance of Cyber Threat Intelligence to a Strong Security Posture, March 2015.
[10] Rick Holland, My threat intelligence can beat up your threat intelligence, 22 May 2012.
[11] SANS, Who's Using Cyberthreat Intelligence and How?, February 2015.
[12] Ponemon Institute, Intelligence Driven Cyber Defense, February 2015.
[13] Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider, 2014.
About Digital Shadows
Digital Shadows is the only company to provide cyber situational awareness that helps organizations protect against cyber attacks, loss of intellectual property, and loss of brand and reputational integrity. Its flagship solution, Digital Shadows SearchLight, is a scalable and easy-to-use data analysis platform that provides a holistic view of your digital footprint and the profile of its attackers. It is complemented with security analyst expertise to ensure extensive coverage, tailored intelligence and frictionless deployment.
digitalshadows.com
London: Level 39, One Canada Square, London, E14 5AB, +44 (0) 203 393 7001
San Francisco: 535 Mission St, Fl. 14, San Francisco, CA 94105, +1 (888) 889 4143
enquiries@digitalshadows.com