Threat Intelligence: Knowledge is Power

Tuesday, May 26, 2015

Lisa Huff


Organizations have made massive investments in a variety of security solutions over the years. To understand their successes and the challenges they face, it is important to understand which security technologies they have invested in.

The initial focus was on securing the perimeter, by investing in firewalls and intrusion detection systems, and on securing the endpoint, by investing in anti-virus solutions to protect the user base.

The issue with firewalls and IDS systems is that they need to be continuously updated, require a great deal of human intervention, and have no visibility into unknown or zero-day attacks.

The issue with AV solutions and scheduled scanning is that they typically miss malware that is stealthy in nature. While these technologies are still must-haves in an organization's security portfolio, their focus is on known attacks; they have no visibility into new or unknown ones.

What followed was massive investment in SEM/SIM/SIEM solutions. The problem with these solutions, even today, is that customers are not properly prepared to take on large-scale deployments because of a lack of defined processes and, more importantly, a lack of trained people to support them.

Finding the needle in the stack of needles continues to be a major issue with SIEM solutions. In addition, a SIEM is only as good as the level of auditing and logging on the devices and systems that report to it.

These same systems require human intervention to keep them current, and they also lack visibility into emerging threats, which limits the value of the SIEM. Organizations now realize that perimeter defense and feeding logs into a SIEM are not enough, and are investing in solutions that focus on post-prevention, post-compromise detection.

When the focus shifts to post-prevention, a forensics capability becomes important, along with an understanding of what additional data may be required to answer the question of how bad is bad. Customers are now asking questions such as: how was I attacked, when did it happen, is it still happening and, most important, who attacked me?

Many post-prevention solutions focus on Advanced Persistent Threats, that is, on advanced targeted attacks and advanced malware.

These advanced attacks are designed to bypass the traditional signature-based solutions mentioned above, which often require user intervention (a "people" issue) to keep them up to date and are only effective when the threat is already known.

One example of an Advanced Threat Solution that customers have begun to implement over the last few years is Network Forensic Full Packet Capture (FPC).

These solutions attempt to combat advanced persistent threats by collecting, and performing deep packet inspection on, every packet that enters and exits the network.

These solutions are valuable, but they require a great deal of storage if the data is to be leveraged for both real-time and forensic analysis.

In addition, FPC solutions require the analyst (people) to have a thorough understanding of their network environment in order to establish a baseline of known-good traffic, and that baseline will need to be updated as new threats emerge.

The analyst must also have a deep understanding of the indicators of compromise that could alert them to unknown threats and advanced targeted attacks, and of the various techniques those attacks use.

Another example of an Advanced Threat Solution in which customers have invested is Advanced Malware Detection, which often includes sandbox/simulation technology.

These solutions are built to handle a high volume of data; anything unknown is sent to the sandbox environment for further analysis. They are not bullet-proof, and the analyst must wait for the results of the analysis before action can be taken.

There is also no guarantee that what was found in the simulated environment will directly map to the production environment.

In addition, the intelligence that powers these solutions relies heavily on what is gleaned from the vendor's install base. Customers have invested in other solutions as well, but I wanted to point out some of the more popular ones.

Successful technology deployments center around a balance of people, process and technology. In many cases, the issues customers have faced over the years have centered around people and process.

Organizations have struggled in the past to have enough people and the proper processes in place to ensure that the mean time to remediation when a breach occurs is as short as possible.

Many of these security solutions require full-time resources dedicated to the upkeep and maintenance of each solution. Considering the ever-changing threat landscape and the need to perform forensics post-compromise, organizations must continue to invest in training their security teams.

Another way to educate security teams is to add Threat Intelligence to enhance visibility. Early indication of potential threats, before they lead to compromise, keeps security teams better informed. Automated live threat intelligence could shorten the time it takes to identify potential threats and potentially reduce the frequency of security incidents.

Given the investments that customers have made in security solutions to date, adding Threat Intelligence into the mix is the next logical step.

Live Threat Intelligence can provide security teams with pivotal information about potential threats, as well as insight into the motivation behind some of the more targeted attacks, which security teams need to focus on first.

Gone are the days when you implement a solution, wait for it to alert you of a potential threat, and only then begin incident response. Organizations need to take a proactive approach to incident response.

Adding Threat Intelligence into existing processes could improve monitoring, and once the threat intelligence data source is trusted, the data could be used for active inline blocking in order to catch potential threats before compromise.
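The monitor-first, block-once-trusted approach described above, as an added example that is not part of the original post: proxy log events are enriched against an indicator set, and a hit only produces a "block" action when its feed has been marked trusted and its confidence is high; everything else is an alert for an analyst. All feed names, indicators and log lines are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str       # IP address or domain name
    source: str      # feed the indicator came from (constructed names)
    confidence: int  # feed-published score, 0-100 (constructed values)

# Trust level a team assigns to each feed after running it in monitor-only
# mode; only "trusted" feeds are allowed to drive inline blocking.
FEED_TRUST = {"feed-a": "trusted", "feed-b": "evaluating"}
BLOCK_MIN_CONFIDENCE = 80

# Constructed indicator set and key=value proxy log lines for the example.
INDICATORS = [
    Indicator("203.0.113.10", "feed-a", 95),
    Indicator("bad.example.net", "feed-b", 90),
    Indicator("198.51.100.7", "feed-a", 40),
]
SAMPLE_LOGS = [
    "ts=2015-05-26T10:00:01Z src=10.0.0.5 dst=203.0.113.10 host=cdn.example.org",
    "ts=2015-05-26T10:00:02Z src=10.0.0.6 dst=192.0.2.20 host=bad.example.net",
    "ts=2015-05-26T10:00:03Z src=10.0.0.7 dst=198.51.100.7 host=files.example.org",
    "ts=2015-05-26T10:00:04Z src=10.0.0.8 dst=192.0.2.30 host=intranet.example.org",
]

def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict (first '=' separates key and value)."""
    return dict(field.split("=", 1) for field in line.split())

def decide(ind: Indicator) -> str:
    """Map an indicator hit to an action: block only for trusted,
    high-confidence intel; otherwise alert so an analyst can review."""
    if FEED_TRUST.get(ind.source) == "trusted" and ind.confidence >= BLOCK_MIN_CONFIDENCE:
        return "block"
    return "alert"

def enrich(lines, indicators=INDICATORS):
    """Return (timestamp, matched value, feed, action) for every event whose
    destination IP or requested host appears in the indicator set."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in lines:
        ev = parse_event(line)
        for field in ("dst", "host"):
            ind = by_value.get(ev.get(field))
            if ind:
                hits.append((ev["ts"], ind.value, ind.source, decide(ind)))
    return hits
```

Running `enrich(SAMPLE_LOGS)` yields one block (trusted feed, confidence 95) and two alerts: one from the feed still under evaluation and one from the trusted feed whose confidence is below the blocking threshold.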

This was cross-posted from the Dark Matters blog.
