Threat Intelligence has become a rising buzzword across the cybersecurity
industry. Enterprises are establishing connections with external intelligence feeds, vendors have begun to add interoperability with such flows of information, and information sharing organizations are multiplying. How all of this leads to the actual application of this shared information for effective cyber defenses is the hottest topic among the involved parties.
The overarching concept behind this trend is beyond dispute. Where organizations are able to know that there are risks and threats that impact them – and that these are right now being exploited by attackers – they are better armed to defend themselves. The return on investment of enterprise security budgets is improved by knowing where to best allocate funds, business cases for information and solution providers are sharper where they can tie these to real concerns, and national and global interests are served when nations and international communities have improved situational awareness.
But there are hurdles to be cleared before the value of threat intelligence can be realized. Information overload is already causing enterprises stress as they endeavor to make sense of the firehose of available information. Indicators of compromise (IOCs) are available in such huge quantities that, on their own, they often become useless. Deriving effective insight into campaigns (the current efforts of the human groups behind attacks) and the tactics, techniques and procedures used by threat actors is of higher value than IOCs, but also harder to develop. The policies defining who shares what with whom are complex and as yet neither mature nor standardized.
To make matters even more challenging, all of these various feeds, tools, sharing organizations, people, and policies don’t reliably interoperate at the present time.
Unlike other periods where interoperability could be circumvented by using a single-vendor architecture, this challenge intrinsically demands compatibility of technology and processes across the industry and around the world. Virtual private network (VPN) adoption appeared at first to require such interoperability, but by and large enterprises managed to address their VPN needs by single-sourcing solutions. The last time a similar need for complete compatibility was seen was in the early Internet days. If you aren’t completely compatible with TCP/IP, the underlying protocols that transport Internet information, you simply cannot function as a solution provider or enterprise in today’s world.
Many in the industry have recognized the need to demonstrate their ability to participate in the kind of end-to-end threat intelligence architectures that add value to effective enterprise defenses. Even the most dominant providers of technology, intelligence, and solutions understand that they will never own all parts of the threat intelligence ecosystem. Only by showing that they are able to play nicely with the competitors and all the other public and private players in the ecosystem will they be able to succeed in achieving their goals.
Webster University’s Cyberspace Research Institute (CRI) is performing a set of exercises to establish the compatibility necessary to realize the value of threat intelligence. Standards organizations like the Organization for the Advancement of Structured Information Standards (OASIS) are beginning to coordinate their communities’ adherence to the necessary protocols. The focus is rapidly moving towards turning a cacophony of threat intelligence into an orchestra.
Within Webster CRI, enterprises, vendors, and providers of intelligence have begun to share practical use cases of threat intelligence application. In 2016 there will be demonstrations of these use cases involving public and private threat intelligence sources, providers of analytic platforms, infrastructure vendors, and the enterprises they ultimately serve. Among the many possible use cases is an example that many enterprises would like to see: “integrate multiple intelligence sources using multiple analytic tools and multiple sharing organizations to achieve near-real-time automated defense of an enterprise using products from multiple infrastructure vendors”.
The results of these and similar exercises will propagate throughout the industry over the next few years. As providers of technology and intelligence become better able to articulate exactly what threat intelligence value they bring to enterprises, a more ubiquitous adoption of threat intelligence will become possible.
Nobody needs to have the value of paying attention to their surroundings explained to them. Our parents did a good job of making that point before any of us left home. For the many participants in the threat intelligence market the time has come to demonstrate how they provide practical value to enterprises trying to pay attention to the cyber threats they face.