
Security Think Tank: Threat intelligence feeds not for everyone

What is the best practice for collecting and using threat indicators from security incidents to improve defences against future cyber attacks?

Before an organisation can apply threat intelligence and make productive use of threat indicators, it has to be at a certain level of operational maturity. Threat intelligence feeds are not necessarily suitable for every organisation. They benefit businesses that have the capacity to react to the intelligence.

Before signing up for threat intelligence and monitoring in real time, an organisation has to have its operational security practices running as a reasonably well-oiled machine. It needs security systems it can monitor, change control around critical components, and a strong understanding of how the operational controls interact with each other.

That maturity is built from tools, skilled people and processes. An immature security organisation that adopts threat intelligence feeds, and starts reacting haphazardly, is its own kind of risk to the business.

Organisations that do not use threat intelligence, however, are not necessarily asleep at the wheel – they may have other, more suitable security controls in place.

Security controls come in a few flavours:

  • Preventative – stopping the threat from doing something;
  • Detective – spotting the threat trying and maybe succeeding;
  • Corrective – post hoc fixes that minimise the impact of the threat’s efforts.

Some organisations choose corrective approaches instead of detective and preventative. Others prefer to manage their risks in non-technical ways, such as through contracts, service level agreements, litigation, insurance or financial mechanisms.

Threat intelligence is best applied when a firm wants to apply technical controls to a certain kind of risk. The firm needs security controls to adapt, react and flex in real time to the changing technical landscape. Security is complex and not every security control or technique makes sense for every firm. It would be a mistake to conclude: “X is good; business Y does not use X, therefore business Y is not as good as it could be.”

Organisations that benefit from threat intelligence are those that already have a fairly mature incident response and operational security capability.

Firms would need to be monitoring applications, networks and server instances already. They would need to have good practices around their operational procedures so they can make adjustments, roll back adjustments and monitor the impact of changes, for example. These need to be in place to effectively make use of threat intelligence.

We can use shipping as a metaphor for software security, and traffic information as a metaphor for threat intelligence.

A shipping company’s job is to get packages from point A to point B in a timely way without losing them. Shipping firms can get tools that provide real-time traffic information. Unless a firm can account for all its vehicles in real time, communicate route changes with its drivers and assess the impact of diversions, that real-time traffic information is not very useful. Firms cannot do much with information such as “massive backup at J12 on the M25”, unless they have a pretty mature handle on their shipping fleets.

The same is true of threat intelligence. A firm has to be mature in knowing what is running where, what is vulnerable to what and how to compensate for a threat. The reality is that some organisations are better able to use it than others. For some, it is not the biggest fish they have to fry in their security ecosystem at the moment.

Threat indicators are just one tool of many that an organisation should have in place. It is important to have security processes in place beforehand to make the most of them. This includes properly trained and educated staff, a resilient network based on securely designed applications and operational readiness. Without these foundations, threat intelligence will ultimately have limited effectiveness.

Paco Hope is a member of the (ISC)2 Europe, the Middle-East and Africa Advisory Council and principal consultant at Cigital.
