Threat Intelligence: Knowledge is Power
Attacks against organizations are no longer just about stealing PII; they now target intellectual property and information that may reside in unstructured data sources. These sources are not as easy to protect and do not receive the traditional types of protection.
In conducting threat intelligence, some organizations are leveraging reputation filtering sources, either within existing intrusion prevention systems or within SIEM systems. The big question, however, is how much confidence can be placed in the various sources. Security organizations must decide whether to use such sources solely as a reactive measure, to identify attacks that need further investigation, or to use that information to proactively block the threats altogether.
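One way to make that confidence question concrete, as an added example rather than anything from the discussion above: weight each feed's sightings by operator-assigned trust and by age, combine them, and only block when independent feeds corroborate at high combined confidence; everything else stays an investigation lead. The feed names, confidence values, dates and indicators are all constructed (RFC 5737 documentation addresses, not real observations).

```python
"""Weigh overlapping reputation feeds before deciding to alert or block.

Added example; feed names, confidence values and indicators are constructed.
The IP addresses are RFC 5737 documentation addresses, not real observations.
"""
from dataclasses import dataclass
from datetime import date
from math import prod

@dataclass(frozen=True)
class Sighting:
    feed: str          # constructed feed name
    confidence: float  # operator-assigned trust in this feed, 0..1
    last_seen: date    # when the feed last reported the indicator

# Constructed "as of" date so the example is deterministic.
TODAY = date(2024, 5, 3)

# Constructed sample: indicator -> sightings across hypothetical feeds.
FEEDS = {
    "192.0.2.10": [Sighting("isac-share", 0.8, date(2024, 5, 1)),
                   Sighting("vendor-ip-rep", 0.7, date(2024, 5, 2))],
    "192.0.2.20": [Sighting("open-blocklist", 0.5, date(2024, 5, 2))],
    "198.51.100.5": [Sighting("isac-share", 0.8, date(2023, 1, 1)),
                     Sighting("vendor-ip-rep", 0.7, date(2023, 1, 3))],
}

def aged(conf, last_seen, today, half_life_days=30):
    """Halve a feed's confidence for every half-life since it last saw the indicator."""
    age = max((today - last_seen).days, 0)
    return conf * 0.5 ** (age / half_life_days)

def combined_confidence(sightings, today):
    """Noisy-OR across feeds: independent sources that agree reinforce each other."""
    return 1 - prod(1 - aged(s.confidence, s.last_seen, today) for s in sightings)

def decide(indicator, today=TODAY, block_at=0.9, min_sources=2):
    """Return ('block' | 'investigate' | 'allow', combined_confidence)."""
    sightings = FEEDS.get(indicator, [])
    if not sightings:
        return "allow", 0.0
    score = combined_confidence(sightings, today)
    # Proactive blocking requires corroboration AND high combined confidence;
    # a hit from a single or stale feed is only an investigation lead.
    if len(sightings) >= min_sources and score >= block_at:
        return "block", score
    return "investigate", score

if __name__ == "__main__":
    for ip in list(FEEDS) + ["203.0.113.9"]:
        print(ip, *decide(ip))
```

The stale indicator 198.51.100.5 is corroborated by two feeds but decays to a near-zero score, so it is flagged for investigation rather than blocked.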
Information sharing about threats is gaining momentum. The Information Sharing and Analysis Center (ISAC) is viewed as a reliable source of information, and participating organizations are supportive of the information feeds they receive.
Questions remain as to the role of government in threat intelligence, the primary one being: what would the government have to do, and not do, for organizations to feel comfortable with government involvement in threat intelligence and active defense? The general consensus is that organizations need a high level of assurance that information they submit will be held in confidence and not be exposed later.
The perception is that the government is good at receiving threat information, but not good at getting it back into the hands of the private sector in a form that can be acted on. The open question is whether the government can use the aggregated data at its disposal to identify patterns and trends, then declassify the results so that they can be brought back to the private sector for use. The concern is that if the government were to enter this arena, it would struggle with the volume and analysis of the data, just as the private sector does.
SIEM technology is still viewed as a potential way to solve the problem, but the consensus is that it is a piece of the solution, not the total picture. There is a general feeling that technology which does not exist today is needed to be more proactive in predicting high risks. Security organizations are looking at Business Intelligence tools and security data warehouses to tackle the huge volumes of data that must be sifted through in order to understand their risk posture and whether the threats they are seeing are likely to impact their organization.
The Advanced Cyber Security Center from Mitre was recommended as a collaborative, cross-sector research facility working to address the most critical and sophisticated cyber security challenges (http://www.massinsight.com/initiatives/cyber_security_center/).