IT managers can’t maintain a strong security posture if they’re not aware of the latest attack vectors, which is why organizations are increasingly adding cyberthreat intelligence to their defense arsenals.
Threat intelligence provides information about the characteristics of current and recent security threats, such as the IP addresses, domain names and URLs used to perform attacks. Various security vendors create and maintain subscription-based online threat intelligence feeds.
These feeds supply the latest intelligence to threat detection products such as security information and event management (SIEM) systems, intrusion prevention systems (IPSs) and next-generation firewalls (NGFWs). By utilizing threat intelligence, security controls can detect threats more quickly and accurately, enabling organizations to mitigate them faster and reduce damage.
Commercial threat intelligence services include McAfee Global Threat Intelligence, Symantec DeepSight Intelligence and Webroot BrightCloud, among other offerings. There are also open-source and community-based threat intelligence feeds. For example, some Information Sharing and Analysis Centers (ISACs) offer threat intelligence feeds that are specific to the industries or sectors that they serve.
With so many options available, government IT managers might be overwhelmed when trying to choose the best threat intelligence services for their environments and use them most effectively. Keep the following advice in mind when evaluating these feeds and planning their integration and use.
Because enterprise security controls use threat intelligence to identify attacks and prioritize attack responses, threat intelligence must be as accurate, timely and comprehensive as possible. Ask these questions of providers:
States and localities can use threat intelligence services in several ways besides improving attack detection. For example, threat intelligence can be extremely helpful for prioritizing incident handling for detected attacks, if the service provides a robust scoring capability.
There’s no standard convention for threat scoring, so every service is different. Scoring can be done in many ways, but typically involves a numeric score (such as 1 to 5 or 0 to 100). More granular scores are generally preferable because they afford more flexibility in decision-making. For example, an agency that uses a 0-to-100 scale can decide to automatically block all threats with a score of 95 or higher. If that threshold blocks too much, the agency can raise it to 96 or 97. This level of granularity is simply not possible with a smaller scoring scale.
Another important aspect of scoring is how often scores are updated. The severity of threats changes over time, particularly in the early days after a threat is first observed. Many threats come and go quickly; for example, a phishing attack may be viable only for a few hours because attackers know it will be detected and blocked quickly. A threat involving a phishing attack might initially merit a very high score, but after 12 hours, odds are that the threat is over.
The process of updating scores over time to account for changes in threats is known as aging. Without aging, scores will rapidly become inaccurate, potentially blocking benign activity and causing a partial denial of service for users.
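A worked illustration of threshold blocking and score aging, added here as example code rather than anything from the article or from a particular vendor's feed; the exponential decay model, the per-category half-lives, the 70-point alert tier and the sample indicators are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed half-lives (hours) per indicator category. The article notes that
# phishing infrastructure is often viable for only hours, so it decays fastest.
HALF_LIFE_HOURS = {"phishing": 3.0, "c2": 72.0}
DEFAULT_HALF_LIFE_HOURS = 24.0

@dataclass
class Indicator:
    value: str           # domain, IP address or URL from the feed
    category: str
    base_score: int      # provider score on a 0-to-100 scale
    last_seen: datetime  # when the provider last observed the threat

def aged_score(ind: Indicator, now: datetime, aging: bool = True) -> float:
    """Current score after aging: exponential decay since last_seen (assumed model)."""
    if not aging:
        return float(ind.base_score)
    hours = max((now - ind.last_seen).total_seconds() / 3600.0, 0.0)
    half_life = HALF_LIFE_HOURS.get(ind.category, DEFAULT_HALF_LIFE_HOURS)
    return ind.base_score * 0.5 ** (hours / half_life)

def decide(score: float, block_at: int = 95, alert_at: int = 70) -> str:
    """Map a score to an action. block_at is the tunable threshold from the
    article; alert_at is an assumed second tier for incident-handling priority."""
    if score >= block_at:
        return "block"
    if score >= alert_at:
        return "alert"
    return "log"

def evaluate(feed, now: datetime, block_at: int = 95, aging: bool = True) -> dict:
    """Return the action for every indicator in the feed as of `now`."""
    return {ind.value: decide(aged_score(ind, now, aging), block_at) for ind in feed}

# Constructed sample feed: two high-scoring threats and one low-scoring one.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
T12 = T0 + timedelta(hours=12)
SAMPLE_FEED = [
    Indicator("phish.example", "phishing", 98, T0),
    Indicator("c2.example", "c2", 98, T0),
    Indicator("lowrisk.example", "c2", 60, T0),
]

if __name__ == "__main__":
    print("at T0:        ", evaluate(SAMPLE_FEED, T0))
    print("12h, aging:   ", evaluate(SAMPLE_FEED, T12))
    print("12h, no aging:", evaluate(SAMPLE_FEED, T12, aging=False))
```

Running it with aging disabled shows the 12-hour-old phishing indicator still being blocked at full score, which is the stale-block problem described above.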
Threat intelligence feeds aren’t helpful unless the organization’s existing enterprise security controls can take advantage of them. Some legacy security controls don’t support threat intelligence feeds at all, while others offer limited support. Limited support may be no better than no support at all because it can seriously impair the use of threat intelligence. For instance, a firewall might not have the storage or processing power to retain a large volume of threat intelligence, so it can only have information on hand for a small percentage of threats.
IT departments may need to replace their legacy security controls before adopting threat intelligence, but odds are that these products will need to be replaced anyway because they lack the sophisticated new features offered by the current generation of enterprise security controls.