Wednesday, September 5, 2018

Threat intelligence in enterprises

Threat intelligence is a fairly new, still-evolving concept, offered as a product or service, in which raw data about existing or emerging threats and threat actors is gathered from several sources and then analyzed and filtered to produce usable information in the form of management reports and data feeds for automated security controls. Its primary purpose is to help organizations understand the risks of, and better protect against, major threats, specifically zero-day threats. We can tune the service to deal with advanced persistent threats and exploits, especially those most likely to affect a customer's specific environment.
Learning about relevant threats as soon as possible gives organizations the best chance to proactively close security holes and take other actions to prevent data losses, breaches or system failures.

Threat intelligence service models

Threat intelligence service companies, including ITS, are relative newcomers to this section of the security industry, so there are still considerable differences among the types of services each vendor delivers.
Some such services simply provide data feeds that have been cleansed of most false positives. The most common for-a-fee services provide aggregated and correlated data feeds (usually two or more), as well as customized alerts and warnings specific to a customer's risk landscape. Another type of threat intelligence service handles data aggregation and correlation, incorporates the information automatically into security devices (firewalls, security information and event management systems, etc.), and provides industry-specific threat assessments and security consulting.
Many types of threat intelligence platforms are sold on a subscription basis, usually at two or three capability levels, and are delivered via a cloud platform. We at India Training Services offer managed services for delivery across on-premises systems. This comprises training and a solution installed on a cloud platform for the enterprise, delivered together as one threat management solution.
Although threat intelligence platforms can dramatically improve the efficiency of security staff in proactively blocking security incidents, subscription costs tend to run from moderately high to very expensive, and on-premises deployment requires additional equipment, so threat intelligence platforms are currently geared mainly toward larger midmarket organizations and enterprises. As the cloud continues to move down market, however, threat intelligence tools are bound to do likewise.

The history of threat intelligence

Threat intelligence solutions or platforms came into being mainly because of the plethora of data available on current and emerging IT security threats, whether generated internally or acquired from external feeds. It takes considerable time, effort and expertise, however, to sift through that data and transform it into information that is pertinent to an organization.
Security companies, such as Symantec, that make it their business to track threats and provide frequent updates to their antivirus products, have maintained global threat databases for years, populated from software agents running on millions of client computers and other devices. Such data, along with feeds from other sources, is the foundation for the information provided by threat intelligence tools.

Understanding threat intelligence service data

Data from various threat intelligence sources differs in quality and structure, and must be validated. Validating data involves human and machine analysis for processing, sorting and interpreting.
Apparent threats are also correlated against the entire pool of threat data to identify patterns that indicate suspicious or malicious activity, and are also linked to technical indicators for categorization purposes. Finally, the data is converted into contextual information that provides insights about the tactics and behavior patterns of emerging or advanced threats and threat actors.
In the end, threat information that is usable and actionable must be accurate, timely, relevant to the customer, aligned with the customer's security strategies and easily incorporated into existing security systems.

Characteristic features of threat intelligence solutions

Now that we've understood the purposes and benefits of threat intelligence, let's look at the most common features found in these kinds of services.
  • Data feeds: Many types of data feeds are available through threat intelligence platforms. Examples include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and many more. A vendor's threat intelligence feeds should draw data from its own global database, as well as from open source data, information from industry groups and so on, to produce a pool of data that is both broad and deep.
  • Alerts and reports: Most services provide real-time alerts, along with daily, weekly, monthly and quarterly threat reports. Intelligence may include information about specific types of malware, emerging threats, and threat actors and their motives.
Security analysts or IT security staff members are needed to manage data feed information. The data is either incorporated into proprietary equipment (typically from the same vendor that provides the feed), or the information may be available in standard file formats, such as XML, CSV, STIX or JSON, for use in a variety of security management tools and platforms.
Depending on the level of information in the data feeds, staff might need specialized or specific training from the vendor.
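As an added illustration (not from the original post or any vendor product) of what incorporating a standard-format feed into existing tooling involves: the Python below parses a constructed STIX 2.1 indicator bundle, drops indicators that are malformed, revoked or past their validity window, and matches the remaining IP, domain and hash values against constructed log lines. All indicator and log values are sample data, and only the simple single-comparison STIX pattern form is handled.

```python
import json, re
from datetime import datetime, timezone

# Constructed STIX 2.1 indicator bundle (sample data, not a real vendor feed).
FEED = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--ip", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2018-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--dom", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'malware.example']",
     "valid_from": "2018-01-01T00:00:00Z", "valid_until": "2018-06-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--hash", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--bad", "pattern_type": "stix", "pattern": "garbage"},
]})
# Constructed log lines standing in for firewall, DNS resolver and endpoint AV output.
LOGS = [
    "2018-09-05T10:01:02Z fw ALLOW src=10.0.0.12 dst=198.51.100.7 dport=443",
    "2018-09-05T10:01:05Z dns query=malware.example client=10.0.0.12",
    "2018-09-05T10:02:11Z av file=x.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]
NOW = datetime(2018, 9, 5, tzinfo=timezone.utc)  # evaluation time for validity windows

# Only the simple single-comparison STIX pattern form "[type:property = 'value']" is parsed.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']+)'\]$")
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")  # IPs, hostnames and hex hashes in log text
_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # STIX UTC stamps

def load_indicators(feed_json, now):
    """Keep well-formed, unrevoked, unexpired indicators -> ({value: id}, [rejected ids])."""
    valid, rejected = {}, []
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":  # bundles also carry relationships, malware objects, etc.
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        expired = "valid_until" in obj and _ts(obj["valid_until"]) <= now
        if not m or obj.get("revoked") or expired:
            rejected.append(obj["id"])  # never load stale or unparseable IoCs into controls
            continue
        valid[m.group(3).lower()] = obj["id"]
    return valid, rejected

def scan_logs(log_lines, indicators):
    # Every IP/hostname/hash-shaped token in a line is looked up in the validated indicator set.
    return [(indicators[t.lower()], t, line) for line in log_lines
            for t in TOKEN_RE.findall(line) if t.lower() in indicators]

def run_sample():
    # Load the sample feed as of NOW, then scan the sample logs; returns (hits, rejected ids).
    iocs, rejected = load_indicators(FEED, NOW)
    return scan_logs(LOGS, iocs), rejected
```

Note that the expired domain indicator produces no hit even though the DNS log line contains it, which is exactly the validation step the feed consumer must perform before pushing data into firewalls or a SIEM.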
Some companies offer managed security services that offload most of the administrative burden associated with a proactive security approach. A managed service may include experts that provide threat intelligence reports, monitor an organization's assets 24/7 and provide threat mitigation and incident response.
The cost of threat intelligence platforms varies as much as the services themselves. Data feeds alone can cost thousands of dollars per month, and related expenses include the costs of maintaining a 24/7 security operations center staffed with technicians and analysts. By way of comparison, managed security services are typically tens of thousands of dollars per month, easily running into six or seven figures per year for larger environments.
As with most things in business, the least expensive services require more human time and effort on the customer side.
Because threat intelligence services vary widely, a key challenge in selecting one is knowing what the organization needs: which information is the most critical to maintain, how that information will be distributed and used, and whether the right staff are in place to use the service appropriately.
There are a large number of threat intelligence services out there, and they all collect and deliver data about emerging threats in different ways. Some are better at providing detailed global threat reports, while others can drill down and deliver reports that are highly industry-specific or even company-specific. In addition, some services better serve an organization that already owns the vendor's defense equipment, while others provide threat intelligence that is easily integrated into an organization's existing security controls, regardless of the equipment in place.
We deliver a range of training courses carefully designed to help people and organizations protect themselves against crippling data attacks. We can tailor a specific training module to meet your needs, or you can contact me at ravindrapande@gmail.com.
We also have pre-developed modules on threat intelligence planning:
  • Developer Security Training
  • QA Security Testing Training
  • Mobile Penetration Testing Training
  • Wireless Penetration Testing Training
  • Security Awareness Training
  • Web Application Penetration Testing Training
  • Infrastructure Penetration Testing Training

Visit us at www.indiatrainingservices.com