http://www.informationsecuritybuzz.com/5-myths-about-threat-intelligence/



Monday, 20th July 2015 | 1:23:45 PM




5 Myths about Threat Intelligence

A. N. Ananth on July 20, 2015

In the spirit of The Washington Post’s regular column, “5 Myths,” here is
“a challenge to everything you think you know” about Threat Intelligence.



You may already know that cyber threat intelligence from both internal and
external sources can provide value when it is researched, analyzed and
disseminated correctly. The benefits include:

·         Changing an organization’s security model from reactive to
proactive

·         Shrinking the security alert problem that is overwhelming most
security teams

·         Driving better, more informed responses to security incidents

·         Extending the life of aging security technologies and turbo
charging new defenses by feeding them real-time intelligence updates to
enable blocking of rapidly emerging threats

·         Enhancing communications between the security team, management
and board members

·         Driving better investment strategies and more directly connecting
security priorities with business risk management priorities

Marketing departments would have you believe, it’s easy.  Just sign this
Purchase Order and the magic happens. Here are 5 myths about Threat
Intelligence.

1.    *You can buy it*

Actually you can only buy threat data feeds. Converting this “data” to
intelligence requires many steps. You have to collect data from your
network, match against the threat data feed, examine matches for validity,
weed out false positives, investigate the remainder and apply remediation.

2.            *More expensive is better*

This one is obvious – only if it is relevant to your needs. For example, a
high quality feed about threats that your organization does not face is not
very useful. For example, is it meaningful to you to get great intel on the
threat landscape local to Uzbekistan? Not unless you have network assets
there. Most feeds cover specific activities, technologies, and industries.
Just because they are high quality, it doesn’t follow they are useful to
your organization.

Also ask the question if you can actually use what information is provided.
For example, a feed that updates by the minute requires that you be able to
act immediately on notification. However, if you can only act the following
business day (lack of dedicated staff?), then why pay for the real time
update?

You may have heard “the best things in life are free.” It can be true in
the case of Threat Intel feeds.

3.            *It’s a one-time cost*

See the answer to #1 above. Feed data updates regularly. Applying it to
your local environment is also a continuous process. The one-time cost is
to buy a subscription to a data feed. Security, you may have heard, is a
process, not a project.

An easy comparison is to vulnerability scan results. Users of such products
will quickly recognize that one must carefully tune the tests that the
scanner runs to avoid disrupting or crashing some products (one just can’t
enable a test against all endpoints). Further, many results must be masked
because they cannot be remediated for good reasons and a compensating
control may have been applied. These are all ongoing costs.

4.            *The benefits are automatic *

Actually no. In order to get benefits from threat intelligence feeds, a
series of steps must be completed as outlined above, mostly in the area of
tuning the feeds to eliminate false positives. Most Intrusion Detection
System (IDS) users will recognize this problem easily. Enable an IDS with
all available data feeds and you will get bombarded with false positives,
and likely get depressed that the process is not “automatic.” Obtaining
value from such feeds requires attention and tuning.

5.            *It’s easy to use*

While threat intelligence may be easy to incorporate into any product, by
itself it’s not inherently “easy to use.” That depends on the device that
is using threat intelligence. For example, many Next Generation Firewalls
(NGFW) offer subscriptions to threat intelligence.  They update themselves
and take the configured action (report or block undesirable traffic).
However, it is still up to the administrator to review these alerts for
correct behavior. Administrators of anti-spam devices or proxy servers will
quickly recognize this. Those devices also incorporate threat intelligence
but require review for proper functioning.

Threat intelligence is a crucial need for any organization, but it isn’t a
one-size-fits-all proposition, nor is it a plug and play way to secure
data.  Businesses and their IT teams must understand that security is a
process, one that is grown out of attention to need and should come
complete with an administrator to oversee  anomalies.  Once organizations
better understand this fact, we’ll be well on our way to data security.




__._,_.___
 ------------------------------
Posted by: "Beowulf" <[email protected]>
------------------------------


 Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmNXZqbmJjBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0Mzc0MTMxMTI->


 [image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlb3VtNjVlBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQzNzQxMzExMg-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to