By Nick McNulty on March 22, 2018
Threat intelligence was once a luxury, accessible only to large, well-funded organizations with sizable security teams. The process of collecting, curating, and producing threat intelligence data was simply too time-consuming and costly for small and medium-sized organizations. This is no longer the case: machine-learning-enabled automation systems can ingest raw threat data and deliver curated, actionable threat intelligence to staff at all levels of an organization. Modern threat intelligence is more accessible than it has ever been, informing decisions from the security operations center (SOC) to the board room.
Focus on Analysis
As defined by Recorded Future’s Vice President of Intelligence and Strategy, Levi Gundert:
Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information.
Collecting and enriching threat data quickly enough for it to be actionable is precisely the problem that many organizations have historically found cost-prohibitive — a perpetual entry barrier to the threat intelligence marketplace. With massive amounts of log data, netflow, and other forensic data emitted by all of our disparate systems on premises and in the cloud, there is more threat data in need of analysis than at any time in our history.
Machine-learning-driven automation has become the solution to this problem, because the amount of threat data needed for meaningful intelligence now exceeds the human capacity to process it. As a point of reference, the Recorded Future solution processes billions of threat data points every day, collected from criminal underground forums, paste sites, security researchers, IRC channels, code repositories, and other sources. Without automation, this volume of data could not be collected, curated, or processed for higher-level analysis. Quite simply, it would be useless, and we would be better off not collecting it. But by using automation systems that combine supervised curation through ontologies, natural language processing (NLP) that collects data in foreign languages, and machine learning that increases fidelity as more data is ingested, meaningful threat intelligence flows can affordably (in terms of both cost and human resources) be tapped at all levels of an organization.
As a result, high-fidelity threat intelligence has become more accessible despite the massive number of data points flowing in the wild today. With the tedious and labor-intensive collection and curation processes off-loaded to machines, scarce security staff can focus on analyzing threat intelligence data to make more informed decisions across the ecosystem.
In the SOC, analysts can see emerging trends targeting their industry, and likely headed for their perimeter, before those threats arrive. Threat intelligence can also add context to alerts, enabling teams to triage efficiently and identify real threats faster. Vulnerability managers can quickly determine which common vulnerabilities and exposures (CVEs) are being actively exploited by criminals and therefore need to be patched most urgently. In addition, senior security analysts can readily produce meaningful reporting for leadership, up to and including the board, highlighting cyber risk exposure in the industry, in the supply chain, and to the organization itself.
A Collaborative Environment
One aspect of using high-fidelity threat intelligence throughout an organization that should not be overlooked is how accessible intelligence can create and strengthen a collaborative environment. Properly curated and architected threat intelligence should not only support the sharing of indicators, findings, and ongoing investigations, but should also encourage and fuel that collaboration. This ensures that important discoveries by the SOC can be investigated by senior analysts and reported to the most senior levels of management in a coherent and unified manner.
Quality, timely, and accessible threat intelligence also fosters an environment in which all security program team members work together, cross-train, and strengthen the security program. With security talent at a premium — and no relief on that front in sight — organizations should treat training and promoting security talent from within as a critical priority, and one that a proper implementation of threat intelligence supports well.
To learn more about how Recorded Future uses automation to improve any threat intelligence program and inform the decisions of security teams throughout your organization, attend one of our live online demos, see what our existing customers are saying about us to Gartner, or request a personalized demo.