SAN FRANCISCO – Salted Hash has been covering the topic of threat intelligence from the show floor during the RSA conference all week. Today's post will feature a Q&A on the subject with Brian Martin, Director of Vulnerability Intelligence for Risk Based Security.
Salted Hash (SH): In your opinion, what is threat intelligence?
Brian Martin (BM): Threat Intelligence is a nebulous term that seems to be fueled by marketing.
It has become this encompassing blanket of any form of information that might be related to a threat. One of the biggest problems is that the threat may be to other people, not your organization. When the data is collected, validated, and put with context, it begins to have value to some organizations, not all of them.
SH: Do organizations need a threat intelligence program?
BM: That really depends on how you define threat intelligence. If you include the threat of malware and vulnerabilities, absolutely. If you use the term in a more abstract sense as many companies tend to where the data focuses on high-end actors (e.g. nation states) and extremely fine targeted campaigns, then no.
Companies need to understand what type of threat data is out there, determine which will benefit them, and then push vendors to show how that data will directly help the organization. That must go beyond 'knowledge is power' and embrace a very familiar slogan; 'knowing is half the battle'.
The other half is figuring out how to use that data to enhance a security program, reduce the attack surface, or better prepare for incident response handling should the threat come to life.
SH: How does an organization know if threat intelligence is right for them?
BM: Threat intelligence is 'right' for an organization when there is a very simple, easy-to-understand link between the data they are receiving, and how they can use it to quickly improve their security. In the scope of vulnerability intelligence, this means patching machines to known vulnerabilities.
In the scope of "threat actor" data and a report about some skilled group targeting very specific types of organizations or governments, it likely has no value beyond 'fun reading' to a majority of organizations. Security personnel must ask themselves, 'How do I leverage this to stop bad people doing bad things to my network?'
SH: What are some questions an organization needs to ask a threat intelligence vendor before purchasing a feed or product?
BM: The simple question to ask, and sometimes the hardest to get a straight answer to, is 'How will this data directly benefit OUR organization?' Emphasize the answer must be specific to the organization in question, not what other random companies or agencies are doing with it.
SH: What are some examples of threat intelligence that organizations likely already have, but don't realize it?
BM: The data they find in the logs across systems is a wealth of information. Correlating that information and turning it into actionable information is always a challenge.
Modern SIEMs do a relatively good job of that and begin to show an organization what is happening to them. This data will be a cornerstone of a good security program as it is entirely applicable to them, where threat intelligence feeds are often marginally applicable.
SH: What are some basic types of threat intelligence organizations should be looking for?
BM: Every organization should have some form of malware intelligence. This can be as simple as getting routine updates for anti-virus/malware software installed on endpoints. We all know it isn't going to stop everything, but it has value in that it does stop a considerable amount.
Organizations should have a reliable and broad stream of vulnerability coverage. While most are quick to patch Windows, Adobe, and Oracle, there are thousands of other software and hardware installations within the organization, many with vulnerabilities. Vulnerability intelligence that carries some form of scoring system to establish risk allows an organization to prioritize the patches.