The “fragile” state, in which an enterprise first learns of an attack once it is already underway, is the most dangerous one. By contrast, learning about a threat while the adversary is still researching a target gives security professionals the agility to prepare for an impending attack. That is the problem threat intelligence services address: gaining visibility of a threat before it arrives.
By 2018, 60% of large enterprises globally will use commercial threat intelligence services to help inform their security strategies, according to Rob McMillan, research director at Gartner, presenting “Be Agile Not Fragile: Use Threat Intelligence Services to Defend Yourself” with Ruggero Contu, research director at Gartner, at the Gartner Security & Risk Management Summit in National Harbor, Maryland.
Threat intelligence is:
- Evidence-based knowledge
- Including context, mechanisms, indicators, implications and actionable advice
- About an existing or emerging menace or hazard to assets
- That can be used to inform decisions
- Regarding the subject’s response to that menace or hazard
But intelligence is more than a collection of facts. Its value lies in going beyond the obvious, trivial or self-evident to correlate and analyze multiple data points. It should also cover the goals of the threat actor (whether a human adversary or an automated tool such as malware), the life expectancy of the threat, the reliability of the information presented, and the characteristics of the threat and its potential outcomes for the organization.
Interestingly, while many vendors position their threat intelligence services for short-term, operational decisions, Gartner’s annual survey found that 48% of users rely on threat intelligence services to support longer-term, strategic decisions, compared with 30% who use them for short-term purposes. Organizations should treat threat intelligence as an important raw material for their strategic security plans, and should expect a lag: certain intelligence may not bear fruit for two years, given a minimum 18-month cycle to implement a larger strategy or program that uses commercial services.
When security professionals manage incidents, they see only the clues left behind and rarely learn the who, why or how of the attack. “You don’t get to see the replay of what the bad guy did, only the wreckage of what was left behind,” McMillan says. Machine-readable threat intelligence (MRTI) is an example of a short-term, operational use that aims to prevent an attack rather than reconstruct it: modern network devices can ingest indicator feeds and make real-time decisions about what to block or control, which gives the defensive architecture agility in real time. Those decisions are only as good as the feed, so indicators need to carry the life expectancy and reliability information described above, not just a value to match on.
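As an added illustration of the MRTI idea in the paragraph above (this is example code written for this page, not code from Gartner or from the presentation), the following Python models a network device that ingests a machine-readable indicator feed and makes a per-connection decision. It also applies two of the attributes called out earlier: each indicator has a validity window (its life expectancy) and a confidence score (the reliability of the information), and the decision policy depends on both. The feed shape, the indicator values, the confidence thresholds and the connection events are all constructed for this example; real feeds use standards such as STIX or vendor-specific formats, and real thresholds are a local policy decision.

```python
"""Toy MRTI consumer: ingest an indicator feed, drop stale indicators,
and decide block / alert / allow for sample connection events.

Everything here is constructed for illustration: the feed is a
simplified, STIX-like JSON list (not any vendor's real format), the
addresses and domains are documentation/example ranges, and the
thresholds are a hypothetical policy, not a recommendation.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample feed. Indicator values are RFC 5737 / RFC 2606
# example addresses and names, not real malicious infrastructure.
FEED_JSON = """
[
  {"type": "ipv4-addr", "value": "203.0.113.0/24", "confidence": 90,
   "valid_from": "2016-06-01T00:00:00Z", "valid_until": "2016-07-01T00:00:00Z",
   "source": "vendor-a", "note": "C2 range"},
  {"type": "domain-name", "value": "bad.example", "confidence": 70,
   "valid_from": "2016-06-10T00:00:00Z", "valid_until": "2016-12-31T00:00:00Z",
   "source": "vendor-a", "note": "phishing landing page"},
  {"type": "ipv4-addr", "value": "198.51.100.7", "confidence": 30,
   "valid_from": "2016-01-01T00:00:00Z", "valid_until": "2016-02-01T00:00:00Z",
   "source": "osint-list", "note": "scanner; indicator has expired"},
  {"type": "domain-name", "value": "Shady.Example", "confidence": 40,
   "valid_from": "2016-06-01T00:00:00Z", "valid_until": "2017-06-01T00:00:00Z",
   "source": "osint-list", "note": "low-confidence sighting"}
]
"""

# Constructed connection events as a device might see them (dst IP plus the
# requested host name from DNS, SNI or an HTTP Host header, if known).
EVENTS = [
    {"dst_ip": "203.0.113.45", "host": None},                 # inside the C2 range
    {"dst_ip": "192.0.2.10", "host": "login.bad.example"},    # subdomain of phishing domain
    {"dst_ip": "198.51.100.7", "host": None},                 # indicator expired
    {"dst_ip": "192.0.2.11", "host": "shady.example"},        # low confidence, case differs
    {"dst_ip": "192.0.2.12", "host": "notbad.example"},       # must NOT match bad.example
]
NOW = datetime(2016, 6, 15, tzinfo=timezone.utc)  # evaluation time for the example

# Hypothetical policy thresholds: block high-confidence hits, alert on
# medium ones, only log the rest.
BLOCK_AT = 80
ALERT_AT = 50


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: int
    valid_from: datetime
    valid_until: datetime
    source: str


def _parse_ts(text):
    """Parse the feed's UTC timestamps ('...Z') into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_feed(raw_json, now):
    """Parse the feed and keep only indicators whose validity window contains `now`.

    Expired (or not-yet-valid) indicators are dropped at ingest so a stale
    entry can never drive a live blocking decision.
    """
    active = []
    for item in json.loads(raw_json):
        ind = Indicator(item["type"], item["value"], int(item["confidence"]),
                        _parse_ts(item["valid_from"]), _parse_ts(item["valid_until"]),
                        item["source"])
        if ind.valid_from <= now < ind.valid_until:
            active.append(ind)
    return active


def decide(confidence):
    """Map an indicator's confidence to the policy action."""
    if confidence >= BLOCK_AT:
        return "block"
    if confidence >= ALERT_AT:
        return "alert"
    return "allow"


def match(indicators, event):
    """Return (action, matched indicator or None) for one connection event.

    IP indicators match by network containment; domain indicators match
    case-insensitively on the exact name or any subdomain. If several
    indicators hit, the highest-confidence one decides.
    """
    best = None
    for ind in indicators:
        hit = False
        if ind.kind == "ipv4-addr" and event.get("dst_ip"):
            hit = ip_address(event["dst_ip"]) in ip_network(ind.value, strict=False)
        elif ind.kind == "domain-name" and event.get("host"):
            host = event["host"].lower().rstrip(".")
            ind_host = ind.value.lower()
            hit = host == ind_host or host.endswith("." + ind_host)
        if hit and (best is None or ind.confidence > best.confidence):
            best = ind
    if best is None:
        return "allow", None
    return decide(best.confidence), best


def evaluate(raw_json, events, now):
    """Ingest the feed once, then return the action for each event in order."""
    indicators = load_feed(raw_json, now)
    return [match(indicators, ev)[0] for ev in events]


if __name__ == "__main__":
    active = load_feed(FEED_JSON, NOW)
    for ev in EVENTS:
        action, ind = match(active, ev)
        why = f"{ind.kind}={ind.value} conf={ind.confidence} src={ind.source}" if ind else "no match"
        print(f"{action:5}  {ev['dst_ip']:15} {ev['host'] or '-':20}  {why}")
```

The expired scanner indicator never reaches the matcher, the low-confidence domain is matched but only logged, and `notbad.example` does not match `bad.example` because the subdomain test requires the leading dot. Feeding the same events to the consumer after the C2 range's `valid_until` date would turn that first `block` into an `allow`, which is the point of carrying life expectancy in the feed rather than blocking on a bare address list.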
Threat intelligence can give some insight into whether the attackers are after money, data or are simply acting out of malice. Security professionals should use it to make informed decisions about current threats, to plan for emerging threats, and to develop agile response capabilities (for example, with MRTI). In formulating a plan for its use, be clear about which question you need answered, then select the content and the provider that can answer that question.