The holidays are now behind us and we’re getting back to our routines. As we do, we start putting to use all the gifts we’ve received from family, friends, colleagues and neighbors. Each year I’m impressed by the people who always seem to nail it and find the perfect thing. It’s as if they could read your mind. They know your interests and hobbies, perhaps your favorite teams and players. They may have considered where you live – in a warm climate or cold, in the city or the suburbs. They remember your favorite color and may even add a monogram. The level of personalization is limitless, and the gift carries so much meaning.
Of course, there are the more generic gifts you receive as well. The lottery tickets from the white elephant exchange. A candle from a neighbor. Or a pair of socks from a great aunt. All useful items but usually received from someone who doesn’t know you as well or perhaps not at all. You definitely appreciate each and every present. But there’s a certain impact that a personalized gift makes.
So, what does this have to do with threat intelligence? Just like gifts, personalization makes threat data more meaningful. There’s generic threat data that includes the signature updates we get from the defenses we use every day — our firewalls, intrusion detection and prevention tools, anti-virus, web and email gateways, and endpoint detection and response solutions. Updates to these tools provide protection against the “known bad” or background noise every organization faces, but they don’t consider the industry or geographies in which your business operates. It’s kind of like that generic pair of socks that serves a purpose, but doesn’t really reflect who you are or what you need or might be most interested in.
There are also Open Source Intelligence (OSINT) sources that offer free threat data. These feeds can provide valuable insights, but they also include noise and can generate significant false positives if applied directly to your SIEM and security defenses. While this generic threat data lays the foundation for your threat operations program, limiting ourselves to these sources alone assumes that we all face the same adversaries and have the same appetite for risk. And we don’t.
The reality is that most of the risk organizations face tends to come from more targeted threats. Think about the recent wave of attacks on the energy sector, or targeted Business Email Compromise campaigns carefully crafted to look like the email is from a top executive in your organization. So, what can you do to mitigate risk from adversaries targeting your organization and infrastructure?
You need to increase the level of personalization to maximize the impact of threat data on your security operations and more effectively and efficiently protect your organization. There are several sources you can turn to.
Geographic and industry-specific data: These include national/governmental Computer Emergency Response Teams (CERTs) that develop and provide threat intelligence based both on a geography and industry so that organizations can understand and adapt to threats that are occurring locally in their specific sector. Information Sharing and Analysis Centers (ISACs) organized by industry can also prove useful as they disseminate to their members threat intelligence that concerns their sector.
Adversary and related data: Commercially available threat feeds provide updated threat data that cuts across categories to get closer to the personalized threat data you need, for example by identifying adversaries, their targets, and their tactics, techniques and procedures (TTPs) so you know whether you’re in their sights.
Data based on your ecosystem: You can also filter threat data based on your supply chain and other third parties in your ecosystem. Mentions of their names, brands or sectors may alert you to adversaries and campaigns that are actively targeting them and could, in turn, use that foothold to infiltrate your organization.
A central repository can help you make sense of all these different threat feeds and intelligence sources by aggregating them for analysis and action. But you still can, and should, filter out the noise and cull the data further so that it is focused on you – your tools, infrastructure and risk profile. To do this you must add context to the data, so you can prioritize it.
Your own layers of defense and/or SIEM generate a massive amount of log and event data, capturing what has happened within your environment. By correlating those internal events and their associated indicators with external threat data, you gain the additional, critical context needed to understand what is relevant and high-priority for your organization. You can then send this curated threat intelligence directly to your sensor grid, including firewalls, IPS/IDS, routers, endpoint agents, and web and email security (in the case of spam), so all of them are synchronized and defending together. Based on your risk profile, you can act quickly on the most relevant threats facing your organization to reduce risk now and in the future.
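As an added illustration of the two points above, the noise that raw OSINT feeds introduce and the correlation of external indicators with your own events, the Python below is example code written for this edit; it is not from the original post or from any product. It takes a small constructed threat feed, drops an allowlisted entry that would otherwise fire as a false positive in the SIEM, counts how often each remaining indicator appears in constructed firewall and proxy events, and ranks the survivors by feed confidence, sector match and internal sightings. The organization’s sector, the feed values, the scoring weights and the 100-point threshold for what gets pushed to the sensor grid are all assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

ORG_SECTOR = "energy"  # assumption: the sector this organization operates in


@dataclass
class Indicator:
    value: str
    source: str       # osint, isac or commercial, the feed categories from the post
    confidence: int   # 0-100 as published by the feed (assumed scale)
    sectors: tuple    # sectors the feed says the campaign targets; empty = generic


# Constructed feed entries using documentation address space; not real indicators.
FEED = [
    Indicator("203.0.113.7", "osint", 40, ()),
    Indicator("198.51.100.23", "isac", 85, ("energy",)),
    Indicator("bad-updates.example", "commercial", 90, ("energy", "utilities")),
    Indicator("192.0.2.53", "osint", 30, ()),   # noise: this is our own DNS resolver
    Indicator("192.0.2.99", "osint", 55, ("retail",)),
]

# Constructed allowlist of infrastructure the organization knows is benign.
ALLOWLIST = {"192.0.2.53"}

# Constructed firewall/proxy events in a simple key=value format.
LOGS = """\
2024-01-08T09:12:01Z fw src=10.0.4.12 dst=198.51.100.23 action=allow
2024-01-08T09:12:05Z proxy src=10.0.4.12 host=bad-updates.example action=allow
2024-01-08T09:13:44Z fw src=10.0.7.3 dst=192.0.2.53 action=allow
2024-01-08T09:14:10Z fw src=10.0.4.19 dst=198.51.100.23 action=allow
2024-01-08T09:15:00Z proxy src=10.0.2.2 host=cdn.example.net action=allow
"""

_DEST = re.compile(r"\b(?:dst|host)=(\S+)")


def sightings(log_text: str) -> Counter:
    """Count how often each destination IP or host appears in internal events."""
    return Counter(m.group(1)
                   for line in log_text.splitlines()
                   for m in _DEST.finditer(line))


def score(ind: Indicator, hits: int, org_sector: str) -> int:
    """Feed confidence plus context: sector relevance and internal sightings."""
    s = ind.confidence
    if org_sector in ind.sectors:
        s += 30                      # adversary is known to target our sector
    s += 15 * min(hits, 3)           # seen in our own environment (capped)
    return s


def prioritize(feed, log_text, allowlist, org_sector):
    """Drop allowlisted noise, then rank the remaining indicators by context."""
    hits = sightings(log_text)
    ranked = []
    for ind in feed:
        if ind.value in allowlist:
            continue                 # known benign: a false positive waiting to happen
        n = hits.get(ind.value, 0)
        ranked.append({
            "indicator": ind.value,
            "source": ind.source,
            "hits": n,
            "score": score(ind, n, org_sector),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def blocklist(ranked, threshold=100):
    """Indicators worth pushing to the sensor grid (firewall, proxy, IDS) now."""
    return [r["indicator"] for r in ranked if r["score"] >= threshold]


if __name__ == "__main__":
    ranked = prioritize(FEED, LOGS, ALLOWLIST, ORG_SECTOR)
    for r in ranked:
        print(f"{r['score']:4d}  hits={r['hits']}  {r['source']:10s} {r['indicator']}")
    print("push to sensors:", blocklist(ranked))
```

With this input the ISAC indicator seen twice in the firewall logs ranks first, the commercial domain seen once ranks second, and the two generic OSINT addresses never observed internally fall below the push threshold, while the allowlisted resolver is removed before it can generate an alert. In practice the weights would come from your risk profile, and the allowlist would be generated from your own asset inventory rather than typed by hand.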
That personal touch makes all the difference. Next year, I’m going to try to bring that same touch to the presents I give. In the meantime, we’d all benefit from adding more personalization to our threat intelligence programs with data that is the most meaningful to our organizations.