Threat intelligence programs lack context experts say

SAN FRANCISCO – This week during the annual RSA conference in San Francisco, organizations from around the globe will be looking at the latest advancements on the security front.

For most attendees, threat intelligence will be this year’s topic of interest. Unfortunately, most of what’s being sold as threat intelligence isn’t very smart, and organizations are paying hand over fist for data they can find in their own logs.

In a perfect world, threat intelligence should be an analysis of a given threat based on multiple data sources, which helps an organization predict threats that align with their own threat model. But that isn’t always the case these days.

There was a consensus among the practitioners and experts that Salted Hash consulted for the stories that will run this week; most vendors aren’t selling actionable intelligence, they’re selling raw data or data feeds without context. Worse, they take a one-size-fits-all approach to their intelligence offerings.

A tragic truth, one that is rarely noted during the sales cycle, is that the vendors themselves are the ones who defined the basics of threat intelligence for the security industry. They’re the reason raw, unevaluated data feeds are considered threat intelligence.

The problem is – data that hasn’t been evaluated isn’t intelligence; it’s only intelligence after it’s been analyzed and tailored towards the organization’s threat model. So unless the public demands more, you’re going to be stuck with whatever the vendors are offering.

“Raw intelligence without analysis and relevance is not actionable,” said Pablo de la Riva Ferrezuelo, CTO & founder of buguroo Security, a threat intelligence startup coming out of stealth this year during the RSA Conference.

“To be effective, threat intelligence must be flexible and customizable for each individual client in order for them to be able to deep-dive inside the threats and better understand their origin, the distribution mechanism, the actors, the potential victims, the attack vectors, TTPs, and the data that is being accessed. Furthermore, understanding the threat details allows the client to implement their own rules and protocols within their security layers to automate their protection.”

So what is threat intelligence?

Threat intelligence is something you do, not something you own. It isn’t a product.

At best, threat intelligence will help you develop tactics to address existing threats and plan for future threats. To put it another way, it’s a data set surrounding various threats and the context needed to understand them.

But even if you have the most perfect threat intelligence out there, that doesn’t mean your security operations are a bullet proof fortress, or that the intelligence will be relevant to your organization.

Yet, there are vendors who will sell threat intelligence feeds or solutions as if they’re going to somehow “change the game” and replace existing security programs. Some go so far as to claim you won’t need a security program anymore, because “you’ll have threat intelligence.”

Despite such claims, threat intelligence isn’t a replacement for solid security basics.

Moreover, it isn’t something you can implement and expect to work at 100 percent efficiency or accuracy on day one (or day 300 for that matter). A good threat intelligence program can take months, maybe years to implement, because it has to align with the individual business and its risk model, which changes constantly as the business grows or shrinks. This risk model can also change each time the environment does, with or without change control.

Where’s the value in it?

The real value of threat intelligence is context, and few vendors, if any, actually provide that these days, said Rebekah Brown, threat intelligence lead at Rapid7.

Again, putting context on threat intelligence will allow people to make better decisions about what they’re doing, and it can help decision makers decide how to allocate their resources. Having context can help SOC and incident response teams too.

“When you have threat intelligence, you can understand when something is an isolated incident, and when something is part of a larger trend that you need to devote a lot more resources into tracking down,” Brown said.

To utilize threat intelligence properly, an organization has to understand which of the threats that are out there are actually applicable. Many threat intelligence vendors will help organizations understand their threat profile, but most of them lack the basics when it comes to a detailed understanding of their environments.

“They don’t have asset management; they don’t know what types of technology, hardware or software is running. Even if they do know that, and can understand how different threat actors are targeting those particular technologies that they use, they don’t have anything in place to remediate,” Brown explained.

What about automation?

The volume of threat intelligence that’s available to organizations, either form their own logs and sources, open source feeds, or data feeds purchased from the vendor, means that processing has to be automated in some way.

“No one person or vendor can handle every indicator and piece of intelligence. [But] it is important to make sure that automation doesn’t remove all of the context, which would lower the value of the intelligence,” Brown said.

Who are the best threat intelligence vendors?

There’s no right answer here, because a threat intelligence program has to be aligned with the business, and customized over time to help the business make informed decisions. You have to do your homework and go with the best fit.

In fact, most experts and practitioners will tell you that the best threat intelligence comes from within your own network. Your lessons learned, incidents, types of Phishing emails received, etc. When this data is analyzed, your organization can better understand what commercial or third-party sources can help you the most.

Salted Hash has teamed up with Fahmida Y. Rashid at InfoWorld to tackle the topic of threat intelligence this week during the RSA Conference. Head over to her author page to see her latest reports from the show.

Tomorrow, Salted Hash will continue its threat intelligence coverage. All this week during the RSA conference, we’ll examine various threat intelligence topics, including a look at data that comes from existing threat intelligence products, and discussions with people who use it on a regular basis.