Security Think Tank: Security intelligence demands getting the basics right

What is the best practice for collecting and using threat indicators from security incidents to improve defences against future cyber attacks?

According to the Ponemon Institute, 65% of firms believe threat feeds are one of the most effective tools for helping to detect breaches, yet 54% do not collect threat indicators from their own incidents for use in fighting future attacks.

The main challenge here is that firms underestimate the time, skill and effort needed to address security properly. Companies often believe buying the latest and greatest gold-plated, neon-lit appliance will just do the job for them.

I’m gradually seeing a shift from the “security is solved by security products” mentality, forced upon us by the marketing departments of behemoth network security product suppliers, to a top-down, back-to-basics approach, which of course I thoroughly endorse.

Only with the right security basics in place can the vast amount of threat intelligence data actually be of any use, and it needs to be filtered down to what is relevant to each unique organisation that uses it.

Threat feeds are indeed incredibly useful, but I suspect the Ponemon Institute statistics are a bit weighted toward organisations that actually know what a threat feed is.

I would say that less than a few hundred companies in the UK are actually doing something with threat feeds, namely those in the FTSE 250, and in turn, those in financial services. Even then, I feel fairly confident to say most of these firms will never know they are being targeted by cyber criminals, or indeed if hack attacks have been successful. 

Thus, a pro-active approach is required. Assume you have been breached; assume the enemy is already within – and then threat intel might start making some sense.

This intel might spot the tell-tale signs of intruder presence – for example, seemingly random HTTPS traffic finding its way to somewhere in China or persistent attempts from hackers trying to get your users to click on phishing emails.  

You might think you are looking for a needle in a haystack, but once you cut out all the useless data that your nice, new, shiny security products are giving you, it can be quite easy to start seeing patterns or using external threat feeds to blow most of the hay away.

Threat intel is very valuable, and it is critical you retain log files from previous security incidents so you can stop hackers from trying to do exactly the same thing again – next time you will know who they are and where they are, and can stop them in their tracks.
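The point above, reusing indicators retained from a previous incident to spot the same actor next time, shown as an added example (not code from the original article or from 2-sec): both log excerpts are constructed sample data in a made-up four-column proxy-log format, and the known-good list stands in for the filtering that removes hay before matching.

```python
"""Turn a retained incident log into indicators and match them against new traffic."""
import re
from collections import Counter

# Constructed excerpt retained from a previous incident (hypothetical values only).
PRIOR_INCIDENT_LOG = """\
2023-03-01T02:14:07Z ws-117 203.0.113.45 https://203.0.113.45/beacon
2023-03-01T02:14:09Z ws-117 update.example.net https://update.example.net/pkg
2023-03-01T02:15:30Z ws-117 cdn-files.example https://cdn-files.example/x.bin
"""
# Constructed new day's log, including one benign and two repeat destinations.
NEW_LOG = """\
2023-04-12T09:00:01Z ws-042 update.example.net https://update.example.net/pkg
2023-04-12T09:03:44Z ws-042 203.0.113.45 https://203.0.113.45/beacon
2023-04-12T09:03:50Z ws-310 cdn-files.example https://cdn-files.example/y.bin
"""
# Destinations that also appear in normal traffic: noise, not indicators.
KNOWN_GOOD = {"update.example.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # ts host dest url


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, dest, url = m.groups()
    return {"ts": ts, "host": host, "dest": dest, "url": url}


def extract_indicators(log_text, known_good=KNOWN_GOOD):
    """Destinations contacted during the incident, minus known-good noise."""
    return {rec["dest"] for rec in map(parse, log_text.splitlines())
            if rec and rec["dest"] not in known_good}


def match_new_log(log_text, iocs):
    """Return (matching records, hit count per indicator) for a new log."""
    hits = [rec for rec in map(parse, log_text.splitlines())
            if rec and rec["dest"] in iocs]
    return hits, Counter(rec["dest"] for rec in hits)


if __name__ == "__main__":
    iocs = extract_indicators(PRIOR_INCIDENT_LOG)
    hits, counts = match_new_log(NEW_LOG, iocs)
    for rec in hits:
        print(f"{rec['ts']} {rec['host']} -> {rec['dest']} (seen in prior incident)")
```

The known-good set is the step that matters in practice: without it the update server from the incident log would be flagged on every workstation, which is exactly the useless data the article warns about.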

Can threat intel actually defend you against future attacks? Most of the time, yes. But by far the best way is to take a pro-active approach, presume attackers are already on the inside and tailor your defences from the inside out.  

No firm can ever defend against 100% of attacks, 100% of the time, but without a doubt you can create resilient systems and business processes that are 100% effective in restoring your firm to business-as-usual when the inevitable cyber attack happens.

Tim Holman is an international board director at the Information Systems Security Association and CEO at 2-sec.