PODCAST: The quest for relevant, actionable threat intelligence

By Byron V. Acohido

In the war on cyber crime, access to rich stores of threat intelligence has never really been the problem.

Quasi-government entities, like the United States Computer Emergency and Readiness Team (US-CERT,) and industry sharing groups, like the Information Sharing and Analysis Centers (ISACS,) supply a rich baseline of threat data.

Related video: Why the NIST framework is vital to baseline security

Meanwhile, cybersecurity companies like FireEye, Symantec, CrowdStrike, Palo Alto Networks, Dell SecureWorks, Kaspersky Lab and countless others routinely share some of their hard won intel publicly, for the greater good, while keeping some intel close — for primary use by their paying customers.

In 2013 a couple of buddies working as security analysts at organization deep within the U.S. military complex got frustrated by their inability to truly leverage the deluge of threat intel in an efficient way. So the two analysts, Ryan Trost and Wayne Chiang, launched ThreatQuotient.

ThreatQuotient itself gathers no primary intelligence of its own. Instead, Trost and Chiang developed what they refer to as an “open and extensible threat intelligence platform” that can be customized to digest threat intel from a variety of sources.

Relevancy is key

This platform, dubbed ThreatQ,  gets tuned to deliver “operational threat intelligence that is relevant to a company’s specific environment,” Leon Ward, Threat Quotient’s vice president of product management, tells me.

According to Ward, the run of innovative hacks that began with the WannaCry ransonmware worm, continued with the Petya and NotPetya wiper malware, and most recently appears to be extending to the unfolding Bad Rabbit epidemic affirms efficacy of his company’s approach.

Ward and Acohido

“It’s all about determining how a threat is relevant to your particular organization and then updating your defenses and operations to react to it,” Ward says. “There are hundreds of different sources of good threat intel, you can’t use a human to go and read through it all, there’s just too much of it.”

“So the threat intelligence platform that we built allows people to actually do it with automation, to understand which adversaries are targeting you and push out the right types of protections in your environment, driven by that knowledge of the threats that could be relevant to you.”

Navigating wisely

Companies trying to figure out how to navigate the torrent of threat intel often take one of two paths, told me.  “They either go out and acquire some threat intelligence, some threat data, and then they say, ‘Okay, now I’ve got it; how do I use it?’ Or you take perhaps the more mature approach of saying. ‘What data do I need to have, based on how I want to use it?’ ”

Ward, obviously, recommends the latter approach. He says it requires “really thinking through what a threat intelligent program should look like for your organization . . before going out and buying some data.”

“If your threat intelligence program j0ust ends up creating more detection events inside your SIEM, or your log managment tools, then, essentially, you’ve done it wrong; that’s not the way you want to be,” he says. “You want to decrease the analysts’ burden, enable better focus on the threats that are relevant to your organization — and optimize your time.”

For a deeper dive on these notions, please listen to the accompanying podcast.

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone