The Problem With Your Threat Intelligence
It’s amazing how many organizations I see that have a threat feed or two and assume that they’re safe, sound, and on the leading edge of vulnerability management as a result. And to be clear, some of them are, because they’re using world-class practices and processes to make use of the data. But others? They’re not making use of their threat intelligence in a way that will ultimately enable them to stay ahead.
Here are the threat intelligence mistakes that I commonly see:
The “One and Done” Problem
A lot of companies use exploit availability information from a single source, and therefore assume that they can stop worrying about having additional threat information. There are more bad guys, using different tactics, than a single threat feed alone can represent. This can lead into a similar problem, which I call “The Threat of the Day”: an organization spends too much time and energy on a single, high-profile threat, without having the data or the processes to figure out which threat actually merits attention.
A world-class security organization will have threat intelligence coming from multiple sources, enough that they complement each other and provide a fuller picture of potential attacks.
The “More is Better” Problem
This is the polar opposite of the “One and Done” problem—having so many sources of threat intelligence that the organization becomes overwhelmed. Imagine sitting in a conference where there’s ten speakers at the microphone, all at once, and your job is to turn what they’re saying into actionable information. Not so easy, right?
And this leads me directly into the next problem…
The “No Team in Charge” Problem
Having all that threat information won’t help you if you don’t have the team in place to consume the threat intelligence and handle alerting, remediation and blocking. This problem particularly pertains to organizations that are just getting started with threat intelligence and don’t have their processes in place yet. As a result, they may see a lot of false positives from the feeds, or they just may get overwhelmed with the data.
Before an organization sets up threat feeds, it’s important to have people in charge, taking action on the data.
The “No Context” Problem
Most organizations know that they have to aggregate threat data, but they often fail to truly analyze it. Data won’t help you unless it’s properly analyzed and understood in the context of the specific vulnerabilities and weaknesses that the organization has. If a high-profile vulnerability such as “POODLE” is exposing a large portion of the Internet, it may not matter at all to your specific company, based on your own unique environment and assets.
It may be far more important for you to take action on some other exploit that’s rarely discussed or seen.
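As an added example (not Risk I/O’s code or anything from this post), here is how the “One and Done” and “No Context” points fit together in a few lines of Python: merge the evidence from several feeds so that no single source decides, then weight each CVE by the assets it actually touches in your own inventory. The feed fields, the weights, and every CVE id and hostname are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample feeds (field names are assumptions): CVE id -> evidence.
FEEDS = {
    "feed_a": {"CVE-2000-0001": {"exploit_public": True},
               "CVE-2000-0002": {"exploit_public": False}},
    "feed_b": {"CVE-2000-0001": {"exploit_public": True, "active_attacks": True},
               "CVE-2000-0003": {"exploit_public": True}},
    "feed_c": {"CVE-2000-0003": {"active_attacks": True}},
}

# Constructed scan/inventory rows: (asset, asset group, CVE id found on it).
INVENTORY = [
    ("web-01", "dmz-web", "CVE-2000-0003"), ("web-02", "dmz-web", "CVE-2000-0003"),
    ("app-01", "internal-app", "CVE-2000-0003"), ("app-01", "internal-app", "CVE-2000-0002"),
    ("db-01", "internal-db", "CVE-2000-0002"), ("db-01", "internal-db", "CVE-2000-0004"),
]
FLAGS = ("exploit_public", "active_attacks")


def _no_evidence():
    return {"exploit_public": False, "active_attacks": False, "sources": set()}


def merge_feeds(feeds):
    """Union the evidence across feeds and record which sources reported each CVE."""
    merged = defaultdict(_no_evidence)
    for name, feed in feeds.items():
        for cve, evidence in feed.items():
            merged[cve]["sources"].add(name)
            for flag in FLAGS:
                merged[cve][flag] |= bool(evidence.get(flag, False))
    return dict(merged)


def prioritize(feeds, inventory):
    """Rank CVEs by exposure: affected assets x weight (1 + 2*exploit + 3*attacks)."""
    intel = merge_feeds(feeds)
    exposure = defaultdict(lambda: {"assets": set(), "groups": set()})
    for asset, group, cve in inventory:
        exposure[cve]["assets"].add(asset)
        exposure[cve]["groups"].add(group)
    rows = []
    for cve in set(intel) | set(exposure):  # headline CVEs on no assets still appear, at score 0
        ev = intel.get(cve, _no_evidence())
        exp = exposure.get(cve, {"assets": set(), "groups": set()})
        weight = 1 + 2 * ev["exploit_public"] + 3 * ev["active_attacks"]
        rows.append({"cve": cve, "score": len(exp["assets"]) * weight, "assets": len(exp["assets"]),
                     "groups": sorted(exp["groups"]), "sources": sorted(ev["sources"])})
    return sorted(rows, key=lambda r: (-r["score"], r["cve"]))
```

With this data the “headline” CVE-2000-0001, reported by two feeds as under active attack, ranks last because it is on none of your assets, while CVE-2000-0003, which no single feed fully describes, comes out on top.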
The “No Communication” Problem
It’s essential to have an easy way to understand and share the output of the operation with the entire company. Non-technical business executives should be able to see at a glance which groups of assets have which weaknesses, and the team itself should get recognition for the work it does in protecting the company. No one likes to build dashboards and reports all day. Communicating your company’s security posture at all times—and how your team has improved it—is a paramount responsibility of the security professional.
You knew it was coming…
Risk I/O Can Help
Let me take a moment to discuss what Risk I/O does with regard to threat intelligence. Risk I/O is a way to improve and contextualize your vulnerability scanning by providing prioritization, visualizations, and—of course—integrated threat feeds. We actually provide seven threat feeds, and the data comes through in such a way that you’re enabled to prioritize your latest fixes, clearly communicate your risk posture, and understand your weaknesses across your asset groups.
Whether or not you use Risk I/O, of course, the point is to have not just threat feeds—but an actionable plan for making use of them, and ensuring that your company is sufficiently integrating and contextualizing what’s happening in the “real world” with what’s happening inside your own organization.