Integrate and consolidate your threat intelligence
Businesses may subscribe to a host of threat intelligence feeds, but are they making the most of that data, asks Rene Bosman, manager at Infoblox Africa.
Ineffective threat intelligence management leads to poor incident response and can even slow remediation. Rene Bosman, manager at Infoblox Africa, says: "Security teams rely on threat intelligence as part of a greater cyber security strategy. The problem is that all too often, these streams of intelligence are disjointed and siloed."
Threat intelligence is evidence-based knowledge about an existing or emerging cyber threat and can guide decisions on how to respond to that threat. Threats can come from internal or external sources, examples of which are malicious IP addresses, host names, domain names and URLs.
There is enormous pressure on organisations to manage cyber threats and pre-empt potential attacks and the accompanying data loss. Bosman explains: "There's a lot of threat intelligence out there about potential threats or hazards to your cyber security stance. In the past couple of months, it's become very apparent that almost all businesses have several sources of threat intelligence coming into the company, with no effective way to manage and consolidate all of these feeds."
Businesses acquire their threat intelligence through feeds in either a direct or indirect way. Direct sources include purchasing the feed directly from a threat intelligence source that provides this type of data to help companies keep their security systems up to date against all sorts of cyber attacks. Indirect sources of threat intelligence information are when a company purchases a security solution (such as a firewall or endpoint security) that comes standard with threat intelligence feeds included as part of the package.
As a result, companies find themselves with dozens of threat intelligence feeds that need to be effectively managed and integrated so the various security solutions deployed to defend the business can learn from one another.
Bosman says: "One area of weakness that we're still identifying is around the DNS. Businesses really need to deploy a consolidation platform that provides comprehensive, network-wide visibility into their security state. They need to be able to consolidate a number of threat intelligence feeds from various third parties and share that across multiple platforms. We see DNS as the number one threat attack vector for malware today; around 91% of all malware is using DNS to carry out its campaigns."
Not only will this enrich other systems' data around attacks, it can also enrich other security solutions (like firewalls, access control, etc). Another benefit is that all of the threat intelligence data can be exported to a security information and event management solution to provide an overview of all of the threat intelligence that comes into the company, enabling it to respond as quickly as possible to potential threats.
"It's critical that businesses examine their threat intelligence feeds to determine whether some of the feeds overlap, as they can achieve cost savings by identifying and eliminating duplicated feeds. It'll also improve operational efficiency by reducing the amount of threat intelligence data that potentially has to be sifted through."
Bosman says enterprises are starting to realise there are gaps in their threat intelligence, particularly around the DNS, and especially when it comes to data exfiltration types of attack. He says: "Earlier this year, one of South Africa's leading financial services providers lost a large amount of client data in an attack that was the perfect example of where the DNS was possibly an unaddressed item in that company's security stance.
"It's critical that companies start to look into malware- and DNS-based attacks because they're still extremely under-protected on that front. We recommend that all businesses do a security assessment on their DNS to identify possible malware that is doing data exfiltration and, even today, infiltration."
He says he expects to see more localised and industry-specific threat intelligence feeds coming through over the next three to four years. "Currently, companies subscribe to a one-size-fits-all threat intelligence feed, but I think we're going to see region- and sector-specific feeds that are relevant to cyber attacks targeting certain industries or geographical territories. So, for example, the financial services sector in Africa would have its own threat intelligence feeds, which will help users to further remediate cyber attacks a lot faster."
Finally, we leave you with some telling statistics from the Ponemon Institute's 2017 Third Annual Study on Exchange Cyber Threat Intelligence:
* 66% of survey respondents felt threat intelligence was not timely;
* 41% of survey respondents felt threat intelligence was too complex to ensure ease/speed of use; and
* 37% of respondents lacked context for threat intelligence to make it actionable.
Read more about how you can take a more integrated approach to cyber security here: https://www.infoblox.com/solutions/cybersecurity-ecosystem/.