IT managers can’t maintain a strong security posture if they’re not aware of the latest attack vectors, which is why organizations are increasingly adding cyberthreat intelligence to their defense arsenals.
Threat intelligence provides information about the characteristics of current and recent security threats, such as the IP addresses, domain names and URLs used to perform attacks. Various security vendors create and maintain subscription-based online threat intelligence feeds.
These feeds supply the latest intelligence to threat detection products such as security information and event management (SIEM) systems, intrusion prevention systems (IPSs) and next-generation firewalls (NGFWs). By utilizing threat intelligence, security controls can detect threats more quickly and accurately, enabling organizations to mitigate them faster and reduce damage.
Commercial threat intelligence services include McAfee Global Threat Intelligence, Symantec DeepSight Intelligence and Webroot BrightCloud, among other offerings. There are also open-source and community-based threat intelligence feeds. For example, some Information Sharing and Analysis Centers (ISACs) offer threat intelligence feeds that are specific to the industries or sectors that they serve.
With so many options available, government IT managers might be overwhelmed when trying to choose the best threat intelligence services for their environments and use them most effectively. Keep the following advice in mind when evaluating these feeds and planning their integration and use.
Always Evaluate Quality
Because enterprise security controls use threat intelligence to identify attacks and prioritize attack responses, threat intelligence must be as accurate, timely and comprehensive as possible. Ask these questions of providers:
- What methods are used to generate the threat intelligence? A rich combination of methods generally provides a more complete picture of threats. Full coverage is unrealistic, but it is reasonable to expect a major vendor to monitor most of the Internet through global deployment of sensors.
- How often is threat intelligence updated, how do vendors deliver these updates to customers, and how much of a lag is there between discovery and threat intelligence dissemination? Each of these should be a few minutes at most.
- What metadata is provided with the intelligence? Examples include scores for judging the relative seriousness of each threat, and threat categories for differentiating different types of threats from each other for prioritization. Metadata can be incredibly important for getting more value from threat intelligence services.
Score and Prioritize Threats
States and localities can use threat intelligence services in several ways besides improving attack detection. For example, threat intelligence can be extremely helpful for prioritizing incident handling for detected attacks, if the service provides a robust scoring capability.
There’s no standard convention for threat scoring, so every service is different. Scoring can be done in many ways, but typically involves a numeric score (such as 1 to 5 or 0 to 100). More granular scores are generally preferable because they afford more flexibility when it comes to decision-making. For example, an agency that uses a 0-to-100 scale can decide to automatically block all threats with a score of 95 or higher. If that’s too broad, the agency can adjust the threshold to 96 or 97. This level of granularity is simply not possible with a smaller scoring scale.
Another important aspect of scoring is how often scores are updated. The severity of threats changes over time, particularly in the early days after a threat is first observed. Many threats come and go quickly; for example, a phishing attack may be viable only for a few hours because attackers know it will be detected and blocked quickly. A threat involving a phishing attack might initially merit a very high score, but after 12 hours, odds are that the threat is over.
The process of updating scores over time to account for changes in threats is known as aging. Without aging, scores will rapidly become inaccurate, potentially blocking benign activity and causing a partial denial of service for users.
Integrate Threat Intelligence and Security Controls
Threat intelligence feeds aren’t helpful unless the organization’s existing enterprise security controls can take advantage of them. Some legacy security controls don’t support threat intelligence feeds at all, while others offer limited support. Limited support may be no better than no support at all because it can seriously impair the use of threat intelligence. For instance, a firewall might not have the storage or processing power to retain a large volume of threat intelligence, so it can only have information on hand for a small percentage of threats.
IT departments may need to replace their legacy security controls before adopting threat intelligence, but odds are that these products will need to be replaced anyway because they lack the sophisticated new features offered by the current generation of enterprise security controls.