
Terrence Driscoll at Cyware explains how automation can bridge the threat intelligence capability gap
In recent years, threat intelligence (TI) has become increasingly integrated into the cyber-security strategies of organisations worldwide. Threat intelligence plays a vital role in building a proactive defence against an ever-changing threat landscape.
A $5 billion global market, TI blends cyber-security technology and human expertise to inform decision making and improve incident response. The Microsoft Threat Intelligence community, for example, comprises “more than 10,000 world-class experts, security researchers, analysts, and threat hunters analysing 78 trillion signals daily to discover threats”, according to the company.
Despite the important role it plays, TI can also be complex and challenging for cyber-security teams to implement. Indeed, it has been described by the likes of the NCSC and Forrester as an “elusive” concept and, according to recent industry research, is “stuck in silos”, with organisations “unable to fully tap into the potential of their threat intelligence due to disjointed teams and disparate data and technology.”
So, what’s the answer, and how can more organisations optimise their approach to TI so it fully delivers on its proven capabilities?
Given the inherent levels of complexity associated with TI monitoring, analysis and response, automation technologies are increasingly being used in place of legacy technologies and processes. The reasons behind this trend are varied, but among the most important is the sheer volume of TI information out there, which means security teams can easily become overwhelmed with information or struggle to separate urgent issues from background noise.
For instance, traditional processes generally aggregate TI data from various open-source security feeds, internal logs or other intelligence repositories. Bringing all this information together as a coherent piece of analysis is not only time-consuming but can be prone to mistakes. These issues are exacerbated when human resources are stretched or there are emerging security priorities to address urgently.
Automation, in contrast, can transform the levels of sophistication and speed that can be applied to TI, enabling security teams to replace their reliance on manual data assimilation. Modern Threat Intelligence Platforms (TIPs) bring efficiency, time savings and improved accuracy to the mix.
TIPs can also broaden the different types of data used in the threat intelligence process, including the integration of structured and unstructured data, which can then be delivered as standardised output.
This information can be more easily integrated into wider cyber-security infrastructure and applications, and security teams can then use the efficiencies to focus on risk priorities with more depth and accuracy. It’s an approach that also has a positive effect on the TI ecosystem, where people need quick access to emerging threats and where bottlenecks or inaccuracies can have a detrimental effect on threat awareness and mitigation.
As a result, using automation to improve TI insight and cooperation is becoming essential. Research indicates that 70% of industry professionals think their organisations could do better in this regard, with nearly a fifth believing they could share a lot more.
Think of it this way: contemporary cyber-threats are not isolated by network perimeters. The deepening interdependencies that help power modern digital economies mean that they rely on a common underlying critical infrastructure with multiple connected components. As a result, a seemingly isolated attack on a single organisation can be the starting point for a major incident.
Part of the challenge here lies in the underutilisation of Information Sharing and Analysis Centres (ISACs), whose primary purpose is to allow an organisation to safely analyse and share sensitive information about cyber-security threats, risks and incidents. In fact, 53% of respondents said their organisations don’t use these resources, highlighting a significant gap in threat intelligence strategies.
Even more concerning, over a quarter (28%) weren’t even aware of the existence of ISACs and their crucial role in managing cyber-risk across various industries.
Unsurprisingly, there are also significant human barriers to effective threat intelligence sharing and collaboration, with 51% of respondents saying people represent the main problem, followed by processes and technologies, cited by 21% and 11% of respondents, respectively.
And the challenges don’t end there, with 49% reporting that they have difficulties in synthesising actionable insights from various security tools, such as threat intelligence platforms, SIEM systems, asset management and vulnerability management platforms.
Across these various issues, the common denominator for delivering improvement and, by definition, better security outcomes is the wider use of automation. The insight and intelligence are out there, but those organisations that harness advanced threat intelligence technologies to drive efficiencies and effectiveness will be much better placed to deliver proactive protection in the years ahead.
Terrence Driscoll is Chief Information Security Officer at Cyware
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543