These days, there is simply too much threat data for security teams to effectively determine what is important and what is not. In order to overcome this problem, the way threat intelligence is handled needs to change. Collecting data for the sake of having it is a waste of physical resources, and sifting through the noise looking for signal can be an enormous drain on human resources. Threat intelligence involves collecting data, but it is about so much more than that. It is about dealing with collected data in an efficient, effective, and intelligent way.
The Importance of History
One of the ways in which threat intelligence differs from many current security frameworks is its emphasis on the importance of historical data. Too often, once a threat has been neutralized and measures have been taken to prevent its re-occurrence, the relevant data is discarded. But that historical data can be a gold mine of information that can inform future responses to new threats as they occur.
The Big Data Problem
The most pervasive issue facing today’s security teams is the prototypical big data problem. The sheer volume of threat data generated is too much to be dealt with through traditional means.
One of the simplest ways to cope is to simply reduce the data set. Not all data is equally important, and not all data is equally likely to be targeted. By sorting threat data in terms of the resources it applies to, large sections of that data can be removed from the list of immediate priorities. Identifying important resources helps ensure that threat data is pertinent.
Another way to reduce the data set is to realize that trying to detect malware is a fool’s errand. By the time a malware signature is known and the threat has been dealt with, it is usually too late. It is not malware that needs to be detected, but mal-actions. Certain behaviors on the network are what analysts need to look for, and it is these behaviors that will produce actionable data.
In order to ensure that threat data is both pertinent and actionable, however, it is vital to be as familiar as possible with the network environment. In order to prioritize threat data a business must first rank resources by importance, then determine the most likely lines of attack. This generally means performing a full risk assessment.
Sharing is Caring
That being said, looking for malware signatures is not totally without merit. Doing so is just of limited utility when used only within the confines of a single organization. Signatures only become truly useful when they are shared between organizations. The chances of one organization being hit by the same attack multiple times are much lower than the chances of multiple organizations being hit by the same attack. Sharing of non-sensitive threat data allows an organization to protect itself against threats it hasn’t yet seen.
In order to cope with the sheer volume of threat data available to a modern security team, it is necessary to rethink threat intelligence. By keeping historical data in mind, sharing resources where possible with other organizations, treating threat data like any other big data problem, and performing a thorough risk assessment, it is possible to deal effectively with an otherwise insurmountable problem.