Threat Intelligence: Just a Buzzword or Real Value?
25th of October 2017
Opinion by Tom Madsen, Security Advisor
Threat Intelligence. This seems to be a subject that everybody is throwing around with great abandon. There are as many opinions on what it is as there are vendors who would like to get in on the action surrounding it. So, let’s try to define what is meant by threat intelligence. Threat intelligence is collecting and refining information from various sources, and analysing it to gain insight into current and potential attacks that can threaten an organisation.
“Collection of information from what, and where?” you might ask. “Which sources can provide the best information?” And here is one of the major issues with a lot of the vendor solutions that focus on threat intelligence. Numerous systems and software provide loads of information, but getting the right kind of information and utilising it for real threat intelligence is not an easy task.
The information needed for threat intelligence has to be collected from external sources in order to provide predictive capabilities; it cannot be based solely on sources within an organisation. So, any vendor who tries to sell a log management solution as a tool for threat intelligence is not being completely honest. An argument can be made that a log management solution can be used to collect intelligence from internal systems, but threat intelligence is aimed at providing warnings about threats that will target a given company in the near future, not threats that are already inside your network. This kind of information requires sources in the underground, as well as sensors all around the world. By sources, I mean the classical cloak-and-dagger kind of sources: people who collect information from peers who are hanging out with various black hats on the dark web. Having sensors spread around the world gives the company with these sensors the possibility of seeing attacks in one part of the world, and warning customers in another about this new attack before it hits them.
On top of these considerations, different industries should be focusing on different areas of threat intelligence. A bank has no interest in intelligence that relates to threats against SCADA systems, and a manufacturer has no interest in specific threats against the financial sector. Needless to say, these issues make it difficult for the companies that collect threat intelligence to disseminate the relevant information to the right customers. At the same time, it is equally difficult for the customers to choose the right threat intelligence vendor, since different vendors have different focus areas for collecting threat intelligence.
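The two points above, that external intelligence is what adds predictive value and that it only helps if it is filtered to the sectors a customer actually cares about, can be illustrated with a small worked example. The code below is an added example and is not part of the original article or any vendor product. It assumes an invented feed format in which a vendor tags each indicator with the sectors it is relevant to and the region where its sensors first observed it; the indicators, sector tags and log lines are all constructed for the illustration (documentation IP ranges and a reserved domain), and the firewall/proxy log format is an assumption.

```python
"""Constructed example: filter a sector-tagged external indicator feed and
match the relevant indicators against internal logs.

Everything here (feed format, sector tags, log format, sample data) is
invented for illustration; it does not describe any real vendor's feed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Indicator:
    value: str                 # IP address or domain name seen in the wild
    kind: str                  # "ip" or "domain"
    sectors: frozenset         # sectors the vendor tagged this threat against
    first_seen_region: str     # region whose sensors first saw the attack


# Constructed sample feed (documentation addresses and a reserved TLD, not real IoCs)
FEED = [
    Indicator("203.0.113.45", "ip", frozenset({"finance"}), "APAC"),
    Indicator("198.51.100.7", "ip", frozenset({"manufacturing", "energy"}), "EMEA"),
    Indicator("update-check.example", "domain", frozenset({"finance", "manufacturing"}), "AMER"),
]


def relevant_indicators(feed, sector):
    """Keep only the indicators the vendor tagged as relevant to our sector.

    This is the dissemination step: a bank should not be flooded with
    SCADA indicators, and a manufacturer should not see bank-only ones.
    """
    return [ind for ind in feed if sector in ind.sectors]


# Assumed internal log format: "<timestamp> <host> <ACTION> dst=<destination>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\w+) dst=(?P<dst>\S+)")

# Constructed sample log lines from an internal firewall and proxy
SAMPLE_LOGS = """\
2017-10-25T09:14:02Z fw01 ALLOW dst=203.0.113.45
2017-10-25T09:15:11Z proxy01 ALLOW dst=update-check.example
2017-10-25T09:16:40Z fw01 ALLOW dst=198.51.100.7
2017-10-25T09:17:03Z fw01 DENY dst=192.0.2.9
"""


def match_logs(log_text, indicators):
    """Return (timestamp, host, indicator, first_seen_region) for every log
    line whose destination is in the external indicator set.

    The logs alone cannot produce this list: the indicators come from the
    outside feed, the logs only tell us where the external warning applies.
    """
    by_value = {ind.value: ind for ind in indicators}
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                       # skip lines in an unexpected format
        ind = by_value.get(m.group("dst"))
        if ind is not None:
            hits.append((m.group("ts"), m.group("host"), ind.value, ind.first_seen_region))
    return hits


if __name__ == "__main__":
    for sector in ("finance", "manufacturing"):
        relevant = relevant_indicators(FEED, sector)
        print(f"{sector}: {len(relevant)} relevant indicators")
        for ts, host, value, region in match_logs(SAMPLE_LOGS, relevant):
            print(f"  {ts} {host} contacted {value} (first seen in {region})")
```

Run as a script, the example shows that the same feed yields different hit lists for a bank and for a manufacturer: the finance view flags the two finance-tagged destinations and ignores `198.51.100.7`, while the manufacturing view flags `198.51.100.7` and the shared domain instead. The `first_seen_region` field is what gives the warning its predictive flavour: the attack was observed by sensors elsewhere before it reached these logs.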
Threat intelligence will become a bigger focus area for many companies and vendors in the next few years. Continuously changing attack methods and vectors, and the professionalisation of the attackers, mean that reactive solutions are no longer viable in defending against these threats. Knowing the types of attacks that are on the horizon makes it possible for companies to prepare and mitigate threats coming down the line.
Want to know more about the threat landscape? Join our free event in Copenhagen on the 16th of November.