The case for wider sharing of threat intelligence in 2015
(Editor’s note: In a year that began with the Target breach and winds down with the Sony Pictures hack, Ben Johnson, Chief Security Strategist, Bit9 + Carbon Black, suggests wider sharing of threat intelligence is a New Year’s resolution worth embracing.)
By Ben Johnson, Special to ThirdCertainty
Threat intelligence is hot. Everyone is talking about it, trying to produce it or attempting to leverage it. But what exactly is it? And why is it gaining so much traction?
While the actual definition is up for debate, there is a consensus in defining it as “information that provides insight into the malicious actors, tools, techniques and procedures that comprise cyber threats.” That’s a fair enough definition to work with for now.
We’re in a constant battle against cyber criminals, spies, hacktivists and nation-states. A quick glance at headlines during the last year makes that clear. The speed at which hackers iterate and pivot their tools and techniques for attacks is astounding. Blend this with the often under-staffed or messy infrastructure of enterprises, and it’s been a bleak situation for cyber defense.
Security teams, however, are fighting back, and they are doing it with threat intelligence. And it is working for several reasons:
- Threat intelligence improves feedback loops.
- It provides information about adversaries that can be obtained quickly.
- Threat intelligence offers enhanced reputational information that helps defenders score environment activity.
- Threat intelligence can be shared in larger quantities and in a more automated fashion.
- Industry communities and vendors are starting to serve the needed role of clearinghouses for threat intelligence.
- Threat intelligence provides specific attributes to look for that signify malicious intent, which reduces the frequency and duration of cyber compromises.
There is still a lot of work to be done before the nation has any sort of cyber resiliency. But the good news is that the momentum is starting to shift. Threat intelligence is shaping a new way of thinking about the problem. By overlaying intelligence about emerging and sustained threats on top of visibility into a company’s own activity, enterprises are better informed when crafting cyber strategy and developing operational posture.
A cyber defense posture should be approached with the notion of creating an individual cyber intelligence agency within a company. Tools are necessary to collect internal event activity and to create automated ways of combining external threat traits and technical indicators. And a human team using a well-designed process is essential to leveraging the various information assets.
Explore what’s out there, collect data, join industry and regional sharing collectives, and lean on vendors to help automate more of the security process. Companies would do well to rely on, and participate in, more threat intelligence sharing in 2015.