Why threat intelligence is key to the future of cybersecurity [Q&A]
As threats continue to evolve, security vendors must keep up. This means having up-to-date information and being able to act on it quickly.
The key to this is effective threat intelligence. We spoke to Anuj Goel, co-founder and CEO of Cyware, to find out more about threat intelligence and why sharing is key to making the most of it.
BN: Why is threat intelligence sharing so important for the cybersecurity industry?
AG: Just as cybersecurity vendors innovate to drive efficiency for customers, attackers innovate as well -- evolving their methods to disrupt their targets and monetize their efforts. To stay ahead, organizations need to have up-to-date information on emerging threats and new techniques, and it's essential to understand how a team's defenses are built to withstand a targeted attack.
This is why the concept of sharing and intelligently collaborating around threat intelligence needs to gain more traction as a standard practice. The capability to share relevant, curated and actionable threat intelligence allows the industry to improve defenses collectively by consistently sharing actionable inputs on new attacks and threats. Actionable threat intelligence bolsters the awareness of new threats and the effectiveness of technologies deployed that ultimately enhances the cybersecurity program as a whole for an organization.
In fact, improved threat intelligence sharing has garnered so much attention as an integral part of an effective cybersecurity strategy that President Joe Biden signed an executive order in May advocating for more of it. The EO specifically took aim at the United States' cyber weaknesses and was ultimately designed to bolster threat sharing between the government and private enterprises.
The bottom line? Cybersecurity is a team sport -- where it's the industry vs. attackers. When the industry works together to make each other better and more effective, defenses will improve and assets can be more adequately protected across the board.
BN: What does threat intelligence sharing enable the industry to accomplish?
AG: Threat intelligence has a short shelf life. Continuously sharing updated, new intelligence about how organizations are being targeted by attackers allows the industry to work towards achieving collective defense -- where all stakeholders consistently have up-to-date information about attack vectors and can take decisive actions.
This often looks like blocking malicious IPs or URLs based on information another entity shares with your security team in relation to a recent attack campaign -- or some other specific strategic steps. Being able to take proactive and decisive action allows security teams to up-level themselves as true business enablers by proactively protecting the business.
BN: How has the threat landscape shifted over the past decade?
AG: Overall, the threat landscape has evolved significantly over the past year, more so than the previous nine, to a point where targeted attacks are disabling critical infrastructure, as well as global systems that power the world’s largest companies. This is significant because previously, companies were worried about protecting data so that PII, financial records and even EHRs weren’t leaked and/or sold on the black market.
The introduction of ransomware attacks seven years ago has proliferated the disruptive capabilities of attackers by enabling them to target companies and seek payments for releasing encrypted files and systems. Recent attacks have demonstrated they can influence a damaging impact on supply chains by disrupting critical public services or utilities. It's now clear that organizations have to understand a broader risk landscape beyond their own organization, and understand the potential risk and attack paths that could be exploited based on the digital connectedness to partners, customers, suppliers and vendors in shared systems. Furthermore, the Colonial Pipeline attack has demonstrated how consumers could be impacted when critical infrastructure entities are under attack. In other words, other organizations' vulnerabilities could become problematic for another given organization or consumers unknowingly.
BN: What does a modern threat intelligence sharing model look like?
AG: Every security program should be pushing towards modernization, meaning that more automation of threat data should be viewed as a top priority by CISOs and their teams. The adoption of more SOAR technology is pivotal for a maturing cybersecurity team so that it can automate threat response to eliminate manual investigation efforts that take up analyst time, cause burnout across the team and contribute to human error. SOAR solutions aid in overcoming various issues that lead to teams missing critical data or not being able to effectively update, monitor, and patch current systems in a timely fashion based on the level of intelligent automation.
As organizations up-level how they leverage people, processes, and technologies to defend against attacks, it’s important that they understand all technology investments should also be able to contribute information in a more automated manner toward the ultimate goal -- which is enabling intelligent threat response. By proxy, updating to a more current and automated security flow, resource-strapped teams will find ways to automatically consume information from their sharing communities (ISACs, ISAOs) and potentially automate intelligence back into them.
BN: How can organizations make threat intelligence more actionable?
AG: The key to making threat intelligence actionable is first having the capability to ingest it, curate it, share it, consume it and disseminate it in a way that frankly has not been a focal point within the cybersecurity market until now. And every SOC team needs a way to then correlate and orchestrate this intelligence with other tools deployed.
However, most organizations have siloed functions within the broader team and across the security program. Next-generation approaches to cybersecurity should aim to unify all security functions including threat intelligence, security automation, threat response, security orchestration, and incident response into a connected unit. This will create the capability to coalesce all comprising units for detecting, managing, and responding to threats in an integrated and collaborative manner.
We are talking about Cyber Fusion -- a concept and enhanced cybersecurity model that orchestrates people, processes, and technologies to boost threat intelligence, accelerate collaborative incident response, and reduce incident costs and risks. This is accomplished through the automated and streamlined ingestion, analysis, and sharing of strategic, tactical, technical, and operational cyber threat intelligence with internal security teams and external sharing community partners in real-time.
By integrating threat intelligence analysis with threat response, hunting, automation, and security operations, organizations are then able to connect the dots between disparate security threat patterns and deliver a collaborative response driven by unprecedented context. This is a clear example of how technology and the right information can up-level the abilities of security professionals.
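The two practical points in the interview -- that shared intelligence has a short shelf life and is typically acted on by blocking IPs or URLs another entity reported, and that a SOC then needs to correlate that intelligence with its own tools -- can be shown in a few dozen lines. The following is an added example written for this page; it is not code from Cyware or from the interview. It assumes a hypothetical shared feed format (type, value, confidence, last_seen, source), a hypothetical proxy log layout ("timestamp src dst url"), and constructed sample data using documentation address ranges. It expires stale indicators, drops low-confidence ones, deduplicates entries that several partners reported, and then matches what remains against local log lines before anything is added to a blocklist.

```python
"""Ingest shared indicators, age them out, and correlate them with local logs.

Added example for this article, not code from the original page or from Cyware.
It models the workflow the interview describes: consume indicators a sharing
community published, discard the ones that have aged out (intelligence has a
short shelf life), and correlate the rest with the organization's own proxy
logs before deciding what to block. Feed and log formats are hypothetical.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Fixed "current time" so the expiry logic below is reproducible (constructed).
NOW = datetime(2021, 6, 3, 12, 0, tzinfo=timezone.utc)

# Constructed sample feed; fields and values are hypothetical and use
# documentation-only address ranges and the reserved .example domain.
SHARED_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "last_seen": "2021-06-01T09:00:00Z", "source": "sector-isac"},
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 70,  # duplicate report
     "last_seen": "2021-05-30T12:00:00Z", "source": "partner-a"},
    {"type": "url", "value": "HTTP://Malicious.Example/download/payload.bin",
     "confidence": 85, "last_seen": "2021-06-02T15:30:00Z", "source": "partner-b"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 40,  # below threshold
     "last_seen": "2021-06-02T00:00:00Z", "source": "partner-a"},
    {"type": "ipv4", "value": "192.0.2.250", "confidence": 95,  # stale report
     "last_seen": "2021-03-01T00:00:00Z", "source": "sector-isac"},
]

# Constructed proxy log lines in a hypothetical "timestamp src dst url" layout.
PROXY_LOG = [
    "2021-06-03T10:00:01Z 10.0.0.12 203.0.113.45 http://203.0.113.45/ping",
    "2021-06-03T10:00:05Z 10.0.0.13 93.184.216.34 http://example.com/index.html",
    "2021-06-03T10:00:09Z 10.0.0.16 198.51.100.22 http://malicious.example/download/payload.bin",
    "2021-06-03T10:01:10Z 10.0.0.14 192.0.2.250 http://stale.example/",
    "2021-06-03T10:02:00Z 10.0.0.15 198.51.100.7 http://low-confidence.example/",
]


def normalize(indicator_type, value):
    """Canonicalize an indicator so reports from different partners compare equal."""
    value = value.strip()
    if indicator_type == "url":
        parts = urlsplit(value)
        # Scheme and host are case-insensitive; the path is not.
        return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return value


def curate(feed, now=NOW, max_age=timedelta(days=30), min_confidence=60):
    """Return {(type, value): record}, keeping only fresh, confident, deduplicated entries."""
    curated = {}
    for rec in feed:
        last_seen = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age or rec["confidence"] < min_confidence:
            continue  # aged out, or too weak to act on automatically
        key = (rec["type"], normalize(rec["type"], rec["value"]))
        prev = curated.get(key)
        if prev is None or rec["confidence"] > prev["confidence"]:
            curated[key] = {**rec, "value": key[1]}  # keep the strongest report
    return curated


def correlate(log_lines, curated):
    """Match destination IPs and URLs in local log lines against curated indicators."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        _ts, src, dst, url = line.split(maxsplit=3)
        for key in (("ipv4", dst), ("url", normalize("url", url))):
            rec = curated.get(key)
            if rec is not None:
                hits.append({"line": lineno, "src": src, "type": key[0],
                             "indicator": key[1], "source": rec["source"],
                             "confidence": rec["confidence"]})
    return hits


def blocklist(curated):
    """Sorted indicator values ready to push to a proxy or firewall."""
    return sorted(value for (_type, value) in curated)


if __name__ == "__main__":
    cur = curate(SHARED_FEED)
    for hit in correlate(PROXY_LOG, cur):
        print(f"line {hit['line']}: {hit['src']} -> {hit['indicator']} "
              f"({hit['type']}, {hit['source']}, confidence {hit['confidence']})")
    print("blocklist:", blocklist(cur))
```

Run as-is, the script reports two hits (line 1 on the shared IP, line 3 on the shared URL) and a two-entry blocklist; the stale IP and the low-confidence IP that also appear in the log are deliberately not matched, which is the point of curating before acting. In a real deployment the feed would arrive from an ISAC or ISAO over an exchange protocol and the blocklist would be pushed by a SOAR playbook, but the expiry, confidence and deduplication decisions are the same.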