Security Think Tank: Addressing the gap between security data and intelligence

What is the best practice for collecting and using threat indicators from security incidents to improve defences against future cyber attacks?

It is clear there is a disconnect in organisational security when it comes to using threat indicators effectively. While businesses acknowledge there is definite benefit from using indicators to help detect breaches, the proportion collecting this kind of data is small by comparison.

Most of the monitoring is externally focused. This is possibly due to the pervading belief that all threat is external, so those who are collecting data may only be collecting and using outward-facing or perimeter-based data, if they are using it at all.

A lot of threat comes from our own users, in many cases due to poor or absent training or poor policy and process. This is often missed and events then escalate until a breach occurs. In fact, the culture of security dictated by the boardroom frequently leaves a lot to be desired.

According to BT research, nine out of 10 US IT decision makers can measure their return on investment (ROI) on cyber security spend, compared with two out of 10 in the UK.

Finally, there are also insiders who are trying to steal or access data or cause damage and are therefore a threat.

If we solve all of the issues in terms of culture and awareness, we are left with the remaining challenge of resources.

Creating large-scale data from a variety of sources sounds great, but the gulf between data and intelligence or insight is actually more like a chasm. You need skilled teams available to combine, interpret and report results in a meaningful and actionable way. If you can’t do this, then you are wasting time and money in paying lip service to a process that sounds great, rather than embracing it and using it as a business enabler.

When considering investment into threat intelligence, analysis and reporting needs to be factored in and correctly implemented.

Threat intelligence sources should come from internal, external and shared or community-type sources – which can be internal or external – such as warning, advice and reporting points (Warps), for the fullest dataset and threat landscape appraisal.

Data or logs returned from firewalls, controlled-access network areas, door entry systems, intrusion prevention systems (IPS), security information and event management systems (SIEMs) and anti-malware, for instance, can all offer a contribution to intelligence on insecure or suspicious internal behaviours and threats. This could include attempts to access controlled network areas or unsuitable sites or materials, as well as evidence of inappropriate log-in times, or even using corporate networks for illegal purposes.
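As an added illustration of how such logs can be combined (example code written for this page, not anything from the author or the Think Tank), the Python below correlates constructed door-entry, log-in and firewall records to surface the three internal behaviours named above: out-of-hours log-ins, log-ins by people the door system has not seen, and repeated denied attempts into a controlled network area. The record layout, the business hours and the controlled subnet are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time
# Constructed sample records (not from the article), as a SIEM might export them: badge events, log-ins, firewall denies.
BADGE_EVENTS = [("alice", "2024-03-04T08:02:00", "in"), ("alice", "2024-03-04T17:31:00", "out"),
                ("bob", "2024-03-04T09:10:00", "in")]
LOGINS = [("alice", "2024-03-04T09:15:00", "10.1.5.20"),
          ("alice", "2024-03-04T23:40:00", "10.1.5.20"),  # after badge-out and out of hours
          ("bob", "2024-03-04T10:00:00", "10.1.7.9"),
          ("carol", "2024-03-04T10:05:00", "10.1.7.10")]  # no badge-in at all that day
FW_DENIES = [("10.1.7.9", "10.9.0.5"), ("10.1.7.9", "10.9.0.5"), ("10.1.7.9", "10.9.0.6")]
CONTROLLED_PREFIX = "10.9.0."  # assumed address range of a controlled-access network area
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed normal working day

def presence_windows(badge_events):
    # Pair each badge-in with the next badge-out per user; None = still inside the building.
    windows = defaultdict(list)
    for user, ts, direction in sorted(badge_events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if direction == "in":
            windows[user].append([t, None])
        elif windows[user] and windows[user][-1][1] is None:
            windows[user][-1][1] = t
    return windows

def out_of_hours_logins(logins, hours=BUSINESS_HOURS):
    start, end = hours
    return [(u, ts) for u, ts, _ in logins if not start <= datetime.fromisoformat(ts).time() <= end]

def logins_without_presence(logins, badge_events):
    # Local log-ins with no badge window covering them: a door-entry versus log-in mismatch.
    windows = presence_windows(badge_events)
    flagged = []
    for user, ts, _ in logins:
        t = datetime.fromisoformat(ts)
        if not any(s <= t and (e is None or t <= e) for s, e in windows.get(user, [])):
            flagged.append((user, ts))
    return flagged

def controlled_area_probes(denies, prefix=CONTROLLED_PREFIX, threshold=3):
    # Source hosts repeatedly denied when connecting into the controlled area.
    counts = defaultdict(int)
    for src, dst in denies:
        counts[src] += dst.startswith(prefix)  # True counts as 1, False as 0
    return {src: n for src, n in counts.items() if n >= threshold}

def findings(logins=LOGINS, badge_events=BADGE_EVENTS, denies=FW_DENIES):
    return {"out_of_hours": out_of_hours_logins(logins),
            "no_badge_presence": logins_without_presence(logins, badge_events),
            "controlled_area_probes": controlled_area_probes(denies)}
```

Each function is a separate, explainable rule, so an analyst can report why a record was flagged rather than just that it was.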

External sources can be open-source reports and surveys. Some of these will be compiled using volunteered data on breaches and will provide actual incident information, as well as opinion or perception. Warps are useful real-life threat intelligence providers and can be groups of businesses or organisations – or can operate within an organisation – sharing information, results and best practice for the benefit of the whole group.

Combining data from business systems and software, external sources and Warps will require skilful analysis, but supports the roadmap for what to prepare for and look out for next.

Mike Gillespie is director of cyber research and security at The Security Institute.