Ten reasons threat intelligence is here to stay
Over the past couple of years, the volume and frequency of new malware and its variants has exploded. But it takes considerable time, effort and expertise to sift through data and transform it into pertinent information. So out with old and in with the new. To alter traditional approaches, threat intelligence emerged as a way to gather data about vulnerabilities and alter approaches based off that intel.
Threat intelligence has drastically transformed the industry. In fact, it's hard to go to a security conference without hearing about threat intelligence. However, recent articles have turned threat intelligence into quite the controversial debate and many touting that threat intelligence will do very little to improve cybersecurity. Well no offense to those individuals, but the fact of the matter is threat intelligence is not going away anytime soon.
In this article, I’ve laid out 10 arguments being made against threat intelligence.
- Argument: Intelligence feeds will do very little to substantially improve cybersecurity.
Why it’s wrong: Collective threat intelligence ensures that when attacks occur, all other users/devices/companies are protected. Cyberattacks are proliferating at such a rapid rate. Only real-time threat intelligence from a collective or shared model will result in better cybersecurity and fewer alerts for IT security staff to sift through. By leveraging everyone’s encounters with malicious activity, you greatly improve security for the collective group.
- Argument: Threat intelligence plots dots on a blank sheet of paper, and may at best connect some of the dots, but it cannot paint the larger picture.
Why it’s wrong: Threat intelligence is capable of predicting the origin of the next set of attacks on your enterprise. By correlating threat intel across platforms (web, file, mobile) future attacks can be identified based on association to other known malicious events. Suspicious IPs, URLS, applications, etc., that touch your network today, may be scouts in a cyberattack strategy designed to pinpoint vulnerabilities and exploit them tomorrow. Threat intelligence can proactively detect this behavior and automatically update the threat list.
- Argument: Most organizations are unable to add the expertise required.
Why it’s wrong: Filtering and finding the real threats from the low risk threats is a key organizational pain point. While enterprises can get awash with alerts and log files, there are solutions that manage security and policies across devices through intuitive management consoles. The heart of the issue is that threats have gotten through defenses so don’t allow your organization to rely on out-of-date published blacklists.
- Argument: No single vendor ever has a complete view of a campaign. A failure to note activity could give a client a flawed view of the picture and cause a low priority to be assigned to the threat, ultimately leaving the client no better off than before.
Why it’s wrong: Threat intelligence alerts administrators if an unknown file was installed and blocks the installation of any unrecognized program. It also automatically blocks access to systems from low reputation IP addresses and risky URLs. Blocking unknown applications isn’t necessarily for the vast majority of implementations. Instead organizations can gain awareness of what is good and still unknown and limit access to those unknown applications.
- Argument: Threat intelligence vendors operate in contrast to antivirus companies. When one antivirus company analyzes a new malware sample, those signatures are shared with peer organizations which reduce the burden for individual companies and ultimately protect the entire user community from known threats.
Why it’s wrong: While many antivirus companies share data with one another, these companies are also competitors of one another and often cherry pick which data is shared, keeping the data they know is most valuable private. The traditional antivirus model of writing signatures and deploying those en masse to devices is the cybersecurity equivalent of the Model T versus the Tesla. The vast majority of cyberattacks infiltrate and exfiltrate data in the amount of time it takes between your nightly system scans or nightly signature file updates. By eliminating the old model of signatures, which downloads and stores threat data on each device, we can simplify and dramatically improve the speed by which threat information is shared using cloud based collective threat intelligence.
- Argument: Organizations do not need the details of the attack; they just want to know they are protected.
Why it’s wrong: Organizations need to know as much as possible about a detected infection as it has a big impact on the incidence response plan. The more info you have upfront requires less time determining the cause of the attack; time which is much better spent alerting affected customers and addressing the method of the breach. The availability and open nature of today’s communications plus the exploitation by the big Internet players has meant everyone’s life can be pried into. If those who manipulate get smart, we need to get smarter.
- Argument: Threat intelligence vendors guard their research to the detriment of the wider community
Why it’s wrong: Collective threat intelligence disseminates threat data across millions of users and devices so that when any device encounters a threat, the information is shared with other users and devices through a common cloud-based detection network. While there isn’t open sharing of threat intelligence across the industry, classifying and sharing cybersecurity intelligence from millions of devices enables organizations to detect cyber threats before it reaches the network.
- Argument: Prices ensure that only those companies able to pay the hefty subscriptions get access, leaving many SMBs and critical parts of the supply chain in the dark.
Why it’s wrong: Threat Intelligence can take two general forms -- strategic threat intelligence (e.g. consulting/advisory) and operational threat intelligence (e.g. data that can be consumed by security solutions). While SMB customers could use both, operational threat intelligence is probably more relevant, as strategic threat intelligence is usually catered towards the larger enterprises or states who are targets of sophisticated and organized attacks. MSP’s are also a viable solution to the cost imposed by security.
- Argument: Networks, the solutions and resources defending them, and the data that resides on them vary greatly, and so do attacks.
Why it’s wrong: Devices that encounter new or unknown file types and processes merely need to ask a cloud threat intelligence platform if it’s been seen before and if it’s a threat. If it’s benign, let it operate. If malicious, quarantine it. If it’s brand new and determined malicious, share the information via the cloud so that other users/devices that encounter the threat can block it on sight. This is at the heart of collective threat intelligence. By leveraging everyone’s encounters with threats, you improve the overall security of the collective.
- Argument: At its best, threat intelligence might provide occasional protection from attacks. At its worst it’s an expensive source of information that bears no relevance to securing a network and could mislead decision-makers. Knowing the threat actors who are seeking to attack can be useful and so can identifying business critical data. But knowledge of other attacks is not required for that.
Why it’s wrong: The issue at hand is that we cannot let our technology get stagnant. Organizations need a layered protection approach, as well as cloud-based security technology that is designed to grow, learn and continue to evolve to combat the tactics of today’s cybercriminals. After all, the malware writers never rest. Neither should we.
All companies, whether enterprise or SMBs -- especially those dealing with proprietary information or customer data -- must balance their security resources against their risk tolerance. And ultimately look at threat intelligence solutions that provide them with the greatest scope of protection.
The only way for companies to defend themselves is by adopting a more pragmatic and intelligent threat response: stopping a compromise at the host, proactively segmenting networks, and spending the time to develop in-depth situational awareness. Otherwise, the next decade will end up much like the current.
It’s about working together to make endpoints, servers, networks and the Internet safer for all. At the end of the day, it’s not about choosing minor battles but winning major wars.
Grayson Milbourne is the security intelligence director at Webroot.