by Geoff Grindrod
Cyber intelligence can broadly be split into three distinct areas: collection, analysis and response. The most important aspect of collection is relevance. Threat intelligence is not actionable unless the data is relevant to the organisation’s needs.
Before purchasing a given source of threat intelligence, or investing company resources in integrating, storing and processing it, which can be expensive and time consuming, you should know how useful it is going to be to your organisation based on its business needs. This is not something that you want to find out about afterwards.
Some considerations of relevance include:
- Platform – the hardware, software and operating systems that are predominant in your organisation
- Timeliness – how quickly is a given source of threat intelligence updated or refreshed?
- Uniqueness – how much does this source overlap with another source? Are the two sources distinct enough to justify duplicate investment?
The team assigned to evaluate threat intelligence sources should understand the right questions to ask of the vendor, based on the organisation’s business needs.
For instance, taking operating system as one factor, spending a large amount of budget on a feed of exploits that largely affect the Windows platform might be a problem if your organisation is now predominantly Mac OS, or intends to migrate to that platform within the next few months.
Another example might be spending considerably on a feed of vulnerabilities that is already largely available as open-source intelligence (OSINT) sponsored by a government agency. The key challenge here is understanding how unique the data provided by the vendor is compared with what is publicly available.
O/S and uniqueness are just two considerations of many.
Without understanding your organisation’s needs, and all of the factors that should be considered to properly evaluate a given source of threat intelligence, you are basically wasting time and money purchasing, storing and processing “buckets of indicators” which could be useless to your organisation.
Also, when selecting sources of threat intelligence, using multiple sources is a healthy strategy. Don’t just go with one source. For instance, you might choose one or two commercial sources along with several open sources of threat intelligence. This helps your security teams corroborate, validate and enrich the data they are seeing in the field, which in turn allows them to make better decisions more quickly.
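The relevance criteria above (platform fit, timeliness, uniqueness) and the corroboration benefit of holding several feeds can be measured rather than guessed at. The following is an added example, not code from the article or from Trend Micro: it scores a hypothetical commercial feed against a hypothetical free OSINT feed using set overlap, platform filtering and refresh age. All indicators, platforms and timestamps are constructed (RFC 5737 documentation addresses and example.* domains) and the two feeds, the evaluation date and the 24-hour freshness window are assumptions chosen for illustration.

```python
"""Score candidate threat-intelligence feeds on relevance, timeliness and uniqueness.

Constructed example: every feed entry below is made up (documentation IP ranges
and example.* hostnames), not a real indicator.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str           # IP, domain or hash exactly as the feed publishes it
    platform: str        # platform the associated threat targets
    refreshed: datetime  # when the feed last updated this entry


# Assumed evaluation date for the worked example
NOW = datetime(2015, 1, 20, tzinfo=timezone.utc)


def _ind(value: str, platform: str, age_hours: int) -> Indicator:
    """Build an indicator whose last refresh was age_hours before NOW."""
    return Indicator(value, platform, NOW - timedelta(hours=age_hours))


# Hypothetical commercial feed under evaluation (constructed data)
VENDOR = [
    _ind("203.0.113.10", "windows", 2),
    _ind("203.0.113.11", "windows", 5),
    _ind("203.0.113.12", "macos", 30),
    _ind("malware.example.net", "windows", 80),
    _ind("198.51.100.7", "linux", 1),
]

# Hypothetical government-sponsored OSINT feed, free to use (constructed data)
OSINT = [
    _ind("203.0.113.10", "windows", 48),
    _ind("203.0.113.11", "windows", 50),
    _ind("malware.example.net", "windows", 120),
    _ind("198.51.100.9", "macos", 3),
]


def values(feed: list[Indicator]) -> set[str]:
    """The set of raw indicator values a feed carries."""
    return {i.value for i in feed}


def uniqueness(candidate: list[Indicator], baseline: list[Indicator]) -> float:
    """Fraction of the candidate's indicators that the baseline does not already carry."""
    cand = values(candidate)
    return len(cand - values(baseline)) / len(cand) if cand else 0.0


def overlap(a: list[Indicator], b: list[Indicator]) -> float:
    """Jaccard similarity of two feeds' indicator sets (1.0 means identical)."""
    va, vb = values(a), values(b)
    union = va | vb
    return len(va & vb) / len(union) if union else 0.0


def platform_relevance(feed: list[Indicator], estate: set[str]) -> float:
    """Fraction of a feed's entries that relate to platforms the organisation actually runs."""
    return sum(1 for i in feed if i.platform in estate) / len(feed) if feed else 0.0


def freshness(feed: list[Indicator], max_age: timedelta, now: datetime = NOW) -> float:
    """Fraction of a feed's entries refreshed within max_age of now."""
    return sum(1 for i in feed if now - i.refreshed <= max_age) / len(feed) if feed else 0.0


def corroboration(indicator: str, feeds: list[list[Indicator]]) -> int:
    """How many of the supplied feeds independently carry the indicator."""
    return sum(1 for f in feeds if indicator in values(f))


def score(candidate: list[Indicator], baseline: list[Indicator], estate: set[str],
          max_age: timedelta = timedelta(hours=24)) -> dict[str, float]:
    """Collect the relevance metrics a buyer would put in front of the vendor."""
    return {
        "uniqueness": uniqueness(candidate, baseline),
        "overlap": overlap(candidate, baseline),
        "platform_relevance": platform_relevance(candidate, estate),
        "freshness": freshness(candidate, max_age),
    }


if __name__ == "__main__":
    # An estate that is mostly Mac OS, as in the article's example
    for name, val in score(VENDOR, OSINT, {"macos"}).items():
        print(f"{name:>19}: {val:.2f}")
    print("corroborated 203.0.113.10 in", corroboration("203.0.113.10", [VENDOR, OSINT]), "feeds")
```

With the constructed data the vendor feed shares three of six distinct indicators with the free OSINT feed (overlap 0.50, so only 40% of what you would pay for is new), only 20% of its entries concern the Mac OS estate, and 60% of its entries were refreshed in the last day against 25% for the OSINT feed. Timeliness is the one criterion where the paid feed clearly earns its keep here; whether that alone justifies the spend is exactly the question the evaluation team should be putting to the vendor.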
Geoff Grindrod is Director of Threat Intelligence Services at Trend Micro
More information on threat intelligence, attack detection and commercial opportunities: NED Forum: 30th January 2015, London