Threat intelligence data (aka feeds) has become a buzzword. Let’s take a look at the significance of this emerging trend in security, and the ‘value’ of this technology.
Traditionally threat data was usually categorized as:
This data was typically consumed by perimeter security solutions to either block interaction with these potentially harmful sources or trigger an alert when such an interaction occurred.
As the volume and variety of this threat data increased, it became difficult for organizations to manage their IT security solutions sensibly. Sourcing data lists also became difficult, as did consuming data that arrived in many different forms and formats.
Some organizations identified the need for structured, organized, curated and usable data of this kind. Many of them came up with a new offering, mostly SaaS / Cloud based, which provided easy access to such data. This offering evolved and acquired a new name: Threat Data Intelligence / Feed.
Most vendors adopt a multi-pronged approach to the collection and generation of threat data. The sources of threat data include the following.
Vendors typically curate, validate and then prepare their proprietary threat bundles. They often have security experts add value to this data by attaching attributes to it, which customers can use to prioritize and respond to threats.
During the preparation of threat data and its bundles, vendors engage in:
The data bundles you receive contain curated, formatted and enriched information about relevant threat elements. Their efficacy depends on how ready your IT infra is to ingest that data.
Threat data is usually consumed in multiple ways:
Yet practical and thorough use of threat data continues to be a challenge for most organizations. For the most part, this is due to a lack of the preparation needed before subscribing to a threat bundle. A checklist of your own IT infra elements that can consume threat data, along with details such as the formats they understand, goes a long way toward proper consumption of such data.
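As an added illustration (not code from the original article or any vendor), the following Python script shows the consumption step described above: a constructed sample feed with vendor-style attributes (type, confidence, severity) is loaded, matched against constructed proxy log lines, and the hits are filtered and ordered by those attributes so that an analyst sees the most urgent interaction first. The feed columns, log format and thresholds are all assumptions for the example.

```python
import csv
import io
from collections import namedtuple

# Constructed sample feed (not a real vendor bundle). Each indicator carries
# attributes a vendor might attach: a type, a confidence score and a severity.
FEED_CSV = """indicator,type,confidence,severity
198.51.100.23,ip,90,high
203.0.113.7,ip,40,low
bad-updates.example,domain,85,high
"""

# Constructed proxy log lines: timestamp, client, method, requested URL.
LOG_LINES = [
    "2024-05-01T10:00:01 10.0.0.5 GET http://bad-updates.example/x.bin",
    "2024-05-01T10:00:02 10.0.0.6 GET http://203.0.113.7/index.html",
    "2024-05-01T10:00:03 10.0.0.7 GET http://www.example.org/",
]

Indicator = namedtuple("Indicator", "value type confidence severity")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # assumed vendor scale


def load_feed(text):
    """Parse the CSV feed into a dict keyed by indicator value."""
    feed = {}
    for row in csv.DictReader(io.StringIO(text)):
        feed[row["indicator"]] = Indicator(
            row["indicator"], row["type"], int(row["confidence"]), row["severity"]
        )
    return feed


def destination(line):
    """Extract the host or IP from the URL field of a proxy log line."""
    url = line.split()[3]
    return url.split("//", 1)[1].split("/", 1)[0]


def match_logs(feed, lines, min_confidence=50):
    """Return (line, indicator) pairs for feed hits at or above min_confidence,
    ordered by severity (high first) and then by descending confidence."""
    hits = []
    for line in lines:
        ind = feed.get(destination(line))
        if ind and ind.confidence >= min_confidence:
            hits.append((line, ind))
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h[1].severity, 9), -h[1].confidence))
    return hits
```

With the default threshold only the high-confidence domain hit is reported; lowering the threshold surfaces the low-confidence IP as well, which is the kind of prioritization decision the attached attributes are meant to support.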
The threat intelligence data industry and its vendors have come up with a variety of standards for the preparation, bundling, formatting and packaging of threat data.
These standards are intended to help in preparing, sharing, consuming and exchanging information. The following are some of the key standards to look for when considering a subscription to threat intelligence data / feeds.
Threat intelligence data usually provides early access to intelligence. Early identification of threats gives an organization the ability to be preemptive, sometimes in near real time.
Usually there is a large gap between when a threat is identified, discovered and documented and when an organization adopts protection against that specific threat. This gap is caused by the time taken to identify and research the threat and then to accommodate that threat element in IT security systems.
The idea of threat intelligence data / feeds and their usage is to move the needle on responsiveness.
Despite threat intelligence being around for almost five to six years, we still see early-adoption challenges in the industry. Most organizations still do not have a clear approach to consuming external, third-party threat data to create preemptive protection within their IT setup.
This is now a mature discipline, with standards established and systems capable of ingestion. Organizations have no real reason not to make threat intelligence a standard part of their security systems.