Threat intelligence has transformed the information security world for the better, but it’s not always leveraged in the best way possible by organisations and departments. The sheer amount of information, providers, platforms, and types of threat intelligence and data available makes it difficult to confidently ensure an organisation is making the most of its threat intelligence.
For this article, we spoke to Karl Sigler, threat intelligence manager at Trustwave, to get a sense of how organisations can maximize threat intelligence for their organisation.
Why Threat Intelligence is Important for Information Security Departments
“Threat intelligence has only started to mature over the past 5-7 years because just recently, we’ve been able to collect, handle, analyze, and store massive amounts of data.” - Karl Sigler
Threat intelligence is a relatively new area in the information security world brought by a shift in security philosophy and mindset among companies, and due to major changes in technological capabilities.
Sigler describes a previous world where companies held tight to their security research and information, seeing it as an advantage they had over their competitors. However, it was soon discovered that information-sharing vastly benefitted all companies, mitigated potential risk, and weakened attackers who preyed on a lack of knowledge.
These data and information partnerships have led to exponential growth in available data, and only somewhat recently has the technology been widely available to access and leverage this amount of data and information. Now, infosec departments should look to leverage threat intelligence as a key part of their function.
How threat intelligence benefits an organisation varies widely and should vary by that organisation’s objectives and priorities. For example, threat intelligence can enhance a company’s auditing capabilities, it may help in defining, identifying and filtering incoming firewall data, or it may support your current Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).
However, using threat intelligence effectively is where the challenge lies.
Making the most of threat intelligence
Using threat intelligence effectively is largely about using data effectively. This means your company needs to have the right organisational and departmental setup before it can properly leverage any threat intelligence for its benefit. According to Sigler, there are three major areas of consideration: infrastructure, team skill sets, and training.
Having the Right Infrastructure
Simply put, if an organisation doesn’t have the right infrastructure to handle the amount of data coming from a new threat intel feed, then the threat intelligence information is of no use to the company. Or worse, it may even slow an organisation down, making it less capable of preventing potential attacks or mitigating damage in the case of a compromise.
As Sigler puts it, “When dealing with threat intel data, you could be looking at PBs (petabytes) of data. To be able to handle, query, clean, analyze, and sort that data, your company needs a lot of processing and storage power.”
Your organisation’s data infrastructure should weigh into your decision-making when considering adopting a new threat intel source or figuring out how you will leverage threat intel in your organisation.
If you don’t feel like your organisation has the right infrastructure (yet), don’t worry. Sigler has some suggestions for smaller or newer companies later in this article.
Looking for the Right Team
“You need to invest in people before you invest in a threat intel provider.”
Sigler stresses that without the right training, no amount of threat intelligence data or platform tooling will have an effective impact on an organisation. He outlines that the right individual and team should have the following areas of expertise.
- Information Security Knowledge
This is key to understanding how to apply and use threat intelligence data. This is important, for example, when trying to improve processes based on updated malicious IP data or when detecting intrusive signals from exploit kits. Without infosec knowledge, your organisation can be at a loss on how to take advantage of new threat intel.
- Data Science and Analytics
The skill set of using and applying algorithms, advanced statistics, and general data science principles is necessary when dealing with such a large amount of data. Hundreds of billions of records need to be analyzed, cleaned and processed to discover trends and identify what’s important and what can be used as part of your organisation’s current processes.
- Programming and Database Knowledge
Hard skills related to knowing and understanding databases (back-end and front-end), implementation, and more advanced subjects around machine learning are also critical. This is in addition to using querying and programming languages (such as SQL and R, which Karl notes is a widely used language in statistical analysis and threat intelligence).
We should stress that it would be difficult to find the right team, let alone an individual, with a high degree of expertise in all of these areas, which brings us to the next area.
Incorporating the Right Training for Your Team
Data science, information security, and programming all require intensive education and training. It’s up to you as the infosec leader to assess your team, identify the knowledge gaps, and train them in the respective fields so they can better make use of threat intelligence.
Sigler has some key advice.
“Focus the training on where the gaps are and listen to your team. It’s gotten a lot easier and cheaper to ramp up your team than before. Logistics are easier and there are a lot of online classes, whether a one-week workshop or an intensive distance learning course.”
Getting Started with Threat Intelligence
If threat intelligence is a new consideration for your organisation, it may seem intimidating, but there are initial steps you can take as you onboard your team and organisation. As with any major undertaking, you need to understand your business objectives as an organisational whole and then carry out your threat intelligence procurement accordingly.
For example, your threat intelligence needs now may differ from your needs in the next 2, 3 or even 5 years. Karl provides an example.
“If your company is going to expand globally or into new territories, then the kind of threat intel data you need to collect and scrutinize will be different.”
An infosec leader also needs to scope out priorities in conjunction with the team and get an understanding of what’s possible given the company’s current infrastructure and department setup. Communicating with your team is essential here so you understand what your team can do and what training is needed to make them as effective as possible.
Once your team is properly trained, you’re ready to look for threat intel sources. Sigler suggests starting with some free open-source threat intel feeds. They offer flexibility and provide a good observational baseline for what your team and department could handle at very little cost to your company’s resources. Sigler also suggests leveraging Elastic Stack or a similar data storage and analysis platform that has the flexibility of handling many different data sources and formats.
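To make the earlier point about applying updated malicious IP data to firewall data concrete, here is an added example (written for this article, not Trustwave’s or Sigler’s code) that cleans a constructed open-source-style IP feed and matches constructed firewall log lines against it. The feed format, log format and all addresses are assumptions; the point is the cleaning step a raw feed needs before it is usable.

```python
import ipaddress
import re
# Constructed sample feed (documentation-range addresses); the duplicate, CIDR
# range, trailing comment and malformed entry are deliberate cleaning cases.
SAMPLE_FEED = """# constructed feed
203.0.113.45
203.0.113.45
198.51.100.0/24 ; scanner range
not-an-ip
192.0.2.7
"""

SAMPLE_FIREWALL_LOG = [  # constructed key=value firewall log lines
    "2024-01-01T10:00:01Z fw1 ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:02Z fw1 ACCEPT src=10.0.0.9 dst=10.0.0.5 dport=22",
    "2024-01-01T10:00:03Z fw1 DROP src=198.51.100.77 dst=10.0.0.5 dport=3389",
    "2024-01-01T10:00:04Z fw1 ACCEPT src=192.0.2.7 dst=10.0.0.12 dport=80",
]
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def load_feed(text):
    """Clean a raw feed: drop comments/blanks, dedupe, split hosts from CIDRs, keep rejects."""
    hosts, networks, rejected = set(), [], []
    for raw in text.splitlines():
        entry = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip inline comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)  # report bad entries instead of silently dropping them
            continue
        if net.num_addresses == 1:
            hosts.add(net.network_address)  # set handles duplicates
        elif net not in networks:
            networks.append(net)
    return hosts, networks, rejected

def match_log(lines, hosts, networks):
    """Return a record per log line whose src is on the feed, naming the matching indicator."""
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        hit = str(src) if src in hosts else next((str(n) for n in networks if src in n), None)
        if hit:
            hits.append({"line": line, "src": str(src), "indicator": hit})
    return hits
```

The rejected list is worth logging: a feed that suddenly produces many unparseable entries is itself a signal that its format changed and your pipeline needs attention.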
From there, you can see how much more your team can handle and what threat intelligence data you may be missing. As you build up your threat intel sources, make sure your team is equipped to handle the information and data processing with the right training and education.
As you and your team become acclimated to the use of threat intelligence, your department will run much more efficiently and securely, benefitting your entire organisation.