7 questions to ask before choosing a web-based threat intelligence feed.
It should come as no surprise that CISOs are under ever-increasing pressure, with many facing the prospect of losing their jobs if they cannot improve the strength of the enterprise security posture before breaches occur. And, occur they will. Consider these figures—recent studies report that web-based attacks are one of the most common types of digital attacks experienced by the average enterprise, costing $96,000 and requiring 27 days to resolve a single incident. Furthermore, there is a definite positive correlation between both the size of the organization and the cost of the cyber attack and additional correlation between the number of days taken to resolve an attack and the cost of the attack—the larger the organization or days required to remediate, the higher the cost.
Enter, Threat Intelligence
CISOs increasingly embrace threat intelligence as a means to enhance their digital security posture. In the past three years, organizations have significantly raised their spending on threat intelligence, allocating almost 10% of their IT security budget to it, and this number is expected to grow rapidly through 2018. And, this budget allocation appears to be well spent as organizations report enhanced detection of cyber attacks—catching an average 35 cyber attacks previously eluding traditional defenses.
Not all threat intel feeds are created equal
Sure, threat intelligence feeds are increasingly accepted and adopted as an essential element in the enterprise security strategy. In fact, 80 percent of breached companies wish they had invested in threat intelligence. But even as the use of third-party threat intelligence feeds increase, IT/security teams are realizing that not all threat intelligence feeds are created equal.
To begin with, there are several types of threat intelligence feeds based on web-based threats or email threats, and feeds that scan the dark web, among others. While not discounting the value of the various types of feeds, CISOs need to understand why web-based threat intelligence is the first among equals. Web-based malware target the enterprise network and the endpoints through day-to-day internet use by employees–internet critical to their day-to-day office functions. A truly valuable threat intelligence feed will help CISOs achieve their end goal of keeping their organization safe and blocking confirmed bad actors.
Checklist for Choosing the Right Threat Intelligence
Ask these seven questions to determine if the web-based threat intelligence feed(s) you choose are “certified organic” enough to provide tangible goodness and value to the health of your enterprise security posture:
1. Is the data original source?
Our previous post, Your Threat Intelligence Isn’t Working, discussed the pitfalls of using compiled third-party sources in a threat intel feed—more data isn’t necessarily good data! The time-consuming process of managing duplicates and false positives cripples the performance of most information security teams to the point that many alerts are ignored. Protect cherished resources—budget and time—by choosing an original source threat intelligence feed.
2. How is the data collected?
While original source threat intelligence minimizes false positives and duplicates, how the data is collected maximizes the tangible value of the feed. Web-based malware is typically delivered through mainstream, heavily-trafficked websites, either via ads or third-party code such as data management platforms, content management systems, customer identification engines, video players and more. Hence, the threat intelligence feed needs to source the data by replicating typical website visitors. This means continuously (24*7*365) scanning the digital ecosystem across multiple geography, browser, devices, operating system and consumer behavior, using REAL user profiles. Unless the engine that gathers the threat intelligence behaves like real internet users (who are the targets of web-based malware), the quality of the “internet threat” data is questionable at best.
3. Is the threat intelligence dynamic?
Threat intelligence should be a living (frequently updated), constantly active data source. The data in the threat intelligence feed needs to adapt to reflect the rapidly transforming malware landscape. The engine behind the feed should both track and detect malware in real-time, while also accounting for the changing patterns of attack. Even the algorithms driving the machine learning needs to be dynamic and continuously reviewed.
4. Does it prevent AND detect threats?
As the adage goes, an ounce of prevention is worth a pound of cure, and this holds true in the cyber security space. However, reliance on prevention isn’t practical or realistic. Prevention boils down to deployed policies, products, and processes which help curtail the odds of an attack based on known and confirmed threats. What about unknown or yet to be confirmed threats?
Threat hunting is becoming a crucial element in the security posture. It refers to the detection capabilities stemming from a combination of machine generated intel and human analysis to actively mine for suspicious threat vectors. Does your threat intelligence account for both indicators of compromise (IOC) and patterns of attack (POA)? The goal of threat hunting is to reduce the dwell time of threats and the intensity of potential damage. The threat intelligence feed should allow you to act on threats patterns before they become overt.
5. How is the data verified?
Just as the automation or machine learning behind the threat intelligence feed should simulate a real user for data collection, human intervention is important for data verification. Without the element of human analysis, data accuracy should be questioned. Otherwise, you run the risk of experiencing increased false positives.
6. Is the information actionable?
Malware is malware, and by its definition it is “bad”. You do not need an extensive payload analysis of threat data. You do, however, need information about the offending hosts and domains, so that compromised content can be blocked, either manually or via Threat Intelligence Platform (TIP). The granularity of the data can also save CISOs from the politics of whitelisting and blacklisting websites. As a bonus, real-time intelligence will enable you to unblock content when it is no longer compromised.
7. Does it offer network-level protection?
While CISOs still debate over an optimal endpoint security solution, web-based threats attack at the enterprise network. Frankly, stopping malware at the endpoint is too late! The threat intelligence you choose must offer network-level protection and deter web-based threats from propagating to endpoints in the first place.