In the recent past, we have seen an alarming trend – attackers becoming faster innovators than the defenders. With increasing complexities around cybersecurity, the need for threat intelligence is becoming more apparent.
Ransomware is on the rise. With over 4,000 ransomware attacks occurring per day in 2016, it has now grown into a billion-dollar industry. As WannaCry and Petya highlighted earlier this year, these kinds of cyberattacks are not going away, making ransomware one of the top three most visible malicious security incidents, impacting every industry sector and society.
The right security measures must be put into place in order to ensure businesses, their employees, and customers are kept safe.
For enterprises, threat intelligence could be key in fighting the growth in this particularly invasive and demoralising cybersecurity threat.
Ray Kafity, vice president, Middle East, Turkey and Africa, Attivo Networks, says, “Organisations should always maintain strong prevention security controls.”
In addition, he says, it is also ideal to implement advanced social engineering awareness programmes that continuously update employees on new forms of threats and how to avoid falling prey to them. “However, as demonstrated by the number of ongoing breaches, this is no longer sufficient as attackers are sidestepping security measures.”
Effectively harnessing and utilising threat intelligence has vast potential in terms of helping organisations close detection gaps and mitigate risks. “A proactive approach to cyber security is a must and can protect organisations from future threats,” adds Kafity.
Hadi Jaafarawi, managing director, Qualys Middle East, shares the same opinion, highlighting that firms looking to avoid becoming victims of attacks like WannaCry should leverage threat intelligence solutions to get regular insights on their systems’ vulnerabilities.
“In doing so, security teams will be able to take control of the situation and validate, rate, and prioritise which flaws require urgent mitigation before they are exploited,” he explains. “Additionally, they can utilise threat feeds to display how many resources are impacted by each threat to drill down into the data for remediation. They can also use cloud-based dashboards that visualise their security posture.”
Cyber threat intelligence, or threat intelligence, helps organisations develop their capabilities to recognise and react in a timely manner, based on indicators of attack and compromise scenarios. It helps identify indicators of attacks as they progress, putting together the information around attacks with the existing knowledge about attack methods and processes.
John Shier, senior security advisor, Sophos, says that in order to be fully protected from security threats such as WannaCry and NotPetya, organisations should understand that threat intelligence is somewhat reactive. “Therefore, it would have limited value unless other mitigating factors had been properly set in place as well,” he explains. “As an example, protecting from WannaCry was as simple as applying a patch. With that done, knowledge of the kill switch domain would have added an extra layer of defence. However, that wouldn’t have helped if a modified version of the worm had been introduced into the environment by a rogue machine.”
As security increasingly becomes an important part of the boardroom agenda, CIOs and CISOs are becoming more proactive in investing in tools that will bring insights and help them adopt an offensive security posture.
However, they must first take the time to understand their organisation, their security posture, their important assets, and their ability to respond to an incident internally, says Warren Mercer, security researcher, Cisco Talos. “These are cost and risk/threat driven decisions, which the CIO/CISO must make based on information from their own firm. Technologies can only perform so much of this from an action point of view.”
With the number of remote workers increasing, enterprise networks becoming more interconnected, and network visibility shrinking, end-users and their endpoints have become the growing focus of advanced attacks.
Mercer adds that apart from investing in technology they should also focus on hiring people with the right skill-sets who can complement the technology stacks put in place. “Once you fully understand your organisation you have a better chance at protecting it,” he says.
When investing in threat intelligence solutions, IT security leaders should keep three important aspects in mind – processes, procedures and technology, explains Nahim Fazal, head of Cyber Security Development, Blueliv.
“There should not be a single point of failure in any of these key building blocks of your threat intelligence programme,” he says. “You should have a framework that can help identify which of these components you need to focus on more and which will need the most investment. These three key components are dependent on one another and any weakness in one area will bleed into another.”
Fazal further explains that the final piece of the jigsaw is having a threat intelligence platform that is not only going to deliver the information but can also convey it in such a manner that it can be immediately actionable, which is the key to reducing the window of opportunity for threats.
A challenge in harnessing the capabilities of security technologies is the lack of interoperability between these multiple tools. This makes information much less actionable because, once it is received, it has to be manually fed and correlated across multiple devices.
“Automation is key in helping cut the workload of a stressed and perhaps over-stretched security team,” says Laurence Pitt, security strategist EMEA, Juniper Networks. “Many actions performed daily are identical and repeated because they need to recur. Automation can take these repetitive actions and perform them perfectly every time, allowing security specialists to focus on improving strategies for security rather than just simply managing it.”
Threat intelligence has, of course, data at its core. However, the ever-expanding perimeter of organisations today makes identifying relevant information a challenge. A Ponemon Institute study revealed that 70 percent of security industry professionals believe threat intelligence is often too voluminous and/or complex to provide actionable insights.
“The sheer volume of information, and sorting out the relevant and correct information from that, is a big bottleneck when it comes to threat intelligence,” says Mercer. “There can be too much information for defenders to take on board and, unfortunately, that information can sometimes be inaccurate.”
To address this issue, experts agree that information sharing is key. The challenge today isn’t that there aren’t enough sources for threat intelligence, but that there is simply too much data being generated, and that includes far too much redundancy.
Information sharing of any kind is always useful when fighting threats. When done well it can force adversaries to continuously revise their tools, tactics and procedures.
Implementing threat intelligence solutions, as well as sharing the information gathered from them, can provide organisations with vast insights on the numerous threats surrounding the IT and business environments. This, in turn, leads to the establishment of better policies and processes that can be used to strategically safeguard enterprises and help them focus on security issues that will have the greatest impact. Moreover, it will help ensure the firm’s resilience and ultimately contribute to its success.