Threat Intelligence: A New Frontier in Cybersecurity

In business as in warfare, it pays to know your enemy.

Patrick Donegan, Founder and Principal Analyst, HardenStance

June 6, 2017

4 Min Read
Threat Intelligence: A New Frontier in Cybersecurity

In military strategy and tactics surveillance, reconnaissance and intelligence have always played a critical role in developing a winning strategy. Knowing the enemy's historical as well as current capabilities and tactics, and gaining insight into how they might augment them next, has always been invaluable to generals and their political masters.

This is what I'll be talking about, among other things, with AT&T's Jason Miller in our upcoming webinar on June 22 webinar, Threat Intelligence: A New Frontier in Cybersecurity. It's not all that different for enterprise CISOs. In the case of large and medium enterprises, and even many smaller ones, an IT security posture can only be as good as the threat intelligence that feeds it. It is threat intelligence that determines what ports to open and close in the security infrastructure, what signatures to block, and which suspicious packets or packet sequences to look out for, and conduct further analysis on.

At a very high level, threat intelligence comprises four things:

  • threat data feeds that are drawn from IT infrastructures around the world;

    • the application of data science to those feeds to automate a response to low-level threats and allow concentrated forensic analysis on security incidents that are -- or appear to be -- most threatening.

    • a means of extrapolating exactly what pre-emptive adjustments are required to the enterprise's security posture in order to strengthen it against newly identified threats.

    • a means of rapidly importing security change recommendations arising in software into the enterprise's workflows.

      The art of bringing a high-value threat intelligence capability to market consists of the application of data science and human intervention to the raw threat feeds. It is this filtering and curation which enables the vast amount of threat data to be ignored or else responded to very quickly.

      It is then the same filtering and curation function that allows for the most suspicious data to be extracted from the main body of the threat data. The SecOps team's resources can then be concentrated on applying greater forensic effort around that data subset in an effort to understand the modus operandi of the most threatening adversaries -- and stay ahead of them.

      This is a primary area where threat intelligence providers differentiate themselves. Machine-learning algorithms leveraging standard and advanced statistical models -- and customized to cybersecurity goals -- have to be used to automatically process the many billions of security events that threat intelligence providers see.

      Big data algorithms are the core engine that drive the critical automation component of threat intelligence. Without this automation, large teams of cybersecurity professionals would have to paw over these vast data sets themselves, dedicating their time to working on security events which don't actually pose a significant threat.

      It is these key individuals in the security team that do the most important work in threat intelligence. They do it by leveraging the big data algorithms themselves, combining their outputs with human intelligence gathered on major threat actors, and then layering in their own assumptions. This enables threat intelligence analysts to correlate suspicious events with other sources and spot patterns that the big data engines themselves might not spot.

      The marked shortage of cybersecurity professionals relative to growing demand is well known. Last year the CEO of Symantec, Michael Brown, estimated that there will be a global shortfall of these key people amounting to 1.5 million by 2019. Given some of the skillsets required, as well as the highly rewarding nature of the role serving in the front line of cybersecurity, threat intelligence is an area where the competition for talent is at its fiercest.

      To be competitive, any threat intelligence provider needs to offer opportunities, challenges and compensation packages that are fit for individuals that comprise some of the cream of top cybersecurity talent. These individuals will always want to be working at the very cutting edge of monitoring, anticipating, foiling and disrupting criminal cyber adversaries -- and they will go wherever those opportunities are to be found.

      Organizations that can't offer that kind of stimulating environment lack the basic platform on which to build long-term competitiveness in the threat intelligence space. Those that can are very much better placed to succeed.

      This blog is sponsored by AT&T.

      — Patrick Donegan, Founder, HardenStance and Contributing Analyst, Heavy Reading

Read more about:


About the Author(s)

Patrick Donegan

Founder and Principal Analyst, HardenStance

Patrick is the Founder and Principal Analyst of HardenStance Ltd, a leading analyst firm providing best in class research, analysis and insight in telecom and IT security. A lot of Patrick's research is focused on best practise for telecom operators in securing their own networks and providing security services to end customers. In recent years his research has focused increasingly on the security opportunities and threats presented by the telecom sector's efforts to evolve to more software controlled networking including the evolution in network security requirements from 4G to 5G. Patrick has worked in the telecom sector for over 25 years, including in strategic planning roles for Motorola as well as for Nortel's mobile infrastructure business. Prior to forming HardenStance Ltd in January 2017, he worked for eleven years at Heavy Reading, the last three as Heavy Reading's Chief Analyst.

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like