The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were attacked. But I also know that our papers run 15-20 pages and usually fall into the category of tl;dr.
So let me point to a few posts Scott Crawford put out there. The first talks about integration and its importance for dealing with the kinds of attacks you face. The other post I want to highlight is next in that series, bringing up the sticky issue of actually integrating threat intelligence into your control sets.
It is simply this: in order for intelligence to factor into effective response, proactive defense or environment hardening, security intelligence systems must be able to send data out as well as take it in.
Intelligence has historically been positioned as a differentiator for a product and/or service, not as a stand-alone offering with its own value. That’s changing, but not quickly enough. Scott’s points are exactly right – whether you are talking about security intelligence (the new term for SIEM) or threat intelligence, the data needs to be available in a number of formats for import/export to make sure you can actually use it.
Scott doesn’t sugarcoat the ongoing concerns of operations folks or their unwillingness to allow any kind of automation to reconfigure controls and defenses. And clearly a filter needs to be applied. The stuff you know is bad should be blocked. If you aren’t sure, your layers need to come into play.
Sure, there are lots of reasons beyond the limitations of monitoring technology why we wouldn’t want to do this. Automating blocking at scale would do a little more than step on the toes of IT operations and irk our insect overlords, if what we effectively build is the Mother of All Denial of Service Vehicles that raises existing problems with false positives to an entirely new level.
But the point is the point. All that time you have spent collecting data and doing some simple analysis has positioned you to take the next step toward Scott’s concept of data-driven security. Let me simplify the issue a bit more. Having great intelligence doesn’t help if you can’t use it. That would be, well, just dumb.
Photo credit: “#dumb” originally uploaded by get directly down