Since threat intelligence is a learning exercise, we understand that the perimeter is no longer a viable defensive strategy. Rather, it has become a strategy based on situational awareness of our operating environment. An often cited fact is that approximately more than 80 percent of all breaches originate from an external source, so the question now is how to react quicker to such attacks. As we collectively employ better defensive mousetraps to catch or blunt attackers — hopefully prior to losing our crown jewels — the opposition is rapidly sharing new methods and exploits to use against us.
If the Security Game Is Fast, Why Are We Losing the Footrace in Threat Intelligence?
There has been an explosion of threat intelligence and data at security teams’ fingertips. From the new data on malware and attack methods that are overwhelming security professionals and teams in volume and velocity to the multi-silo security products producing volumes of data, more personnel are required to operate defense measures. The challenge now is how to gather and consume this exploding defensive data into a coordinated response and protection plan across and between organizations. We are slowly bringing our resources to coordinate against a determined foe. Hence, the game is afoot in our new brand of information warfare.
So what do we do now to keep pace and take control of our security intelligence focus on situational awareness? Ideally, we are feeding threat intelligence from multiple sources into our security products. More importantly, we can automate our ingestion of this data into strategies from similar streams of digestible protections and warnings.
Currently, this is where many of our defenses falter. The outside stream of defensive information is not structured into a useful set of protocols and formats for our protections to readily consume and act upon, relegating many organizations to undertake this manual, labor-intensive process. When you are under fire, the return on this process is painfully slow. We tend to have trouble with quickly identifying an attack methodology and employing protections before our data is exfiltrated. We lose the next round when the attackers switch methods to keep our defense off-balance. Further, most organizations simply do not have the resources to deploy to manually keep up with this rate of chance — not to mention, it is not their core competency. We need to make this process fast and simple. Enter the world of machine-readable data formats and exchanges.
A Machine-Readable Exchange by Many Names
Should we go with IODEF, MILE, STIX or TAXII? Is this just more alphabet soup? Not really, but the key here is figuring out what is informative for defensive information-sharing and operations and whether it is slated universal adoption. We clearly have a need for this, and to that end, there are signs of the marketplace adopting these formats and protocols and leading contenders moving into the world of standards adoption. That is a good sign for all of us.
There is certainly some heavy lifting to do yet in making the machine-readable formats part of our threat intelligence fully ready for use across all industries and to facilitate a more direct exchange of information among organizations. We all need to pitch in to climb that mountain and gain the high ground against our collective adversaries. This goal is worth the effort as our internal and external constituents demand quicker responses so only a few will experience the pain of the attack and the rest will remain protected. After all, the attackers have been exchanging this type of data for years; it’s time we turned the tables back on them.
Image Source: iStock