It sure is a difficult time to be a network defender. According to one industry report, as many as 85,000 malicious websites are launched daily, along with 8 million spam and phishing attacks, and there are anywhere from 30 to 50 million malicious domains out there at any time. Scale seems to be working against us, not for us.
Even with the inclusion of security automation, we face parochialism in our tools. The automated feed of threat data that allows our firewalls and IPS/IDS systems to operate effectively is typically isolated from our endpoint detection and response systems. Indeed, while there may be some overlap between them, we often don’t know where one system may be missing a piece of threat intelligence that another has covered.
Threat intelligence gateways (TIGs) have emerged as one way to meet these challenges – but it’s important to build a solid business case for investing in one.
Proliferating Threat Intelligence Sources
For years, the virus-scanning industry competed based upon who had the best inventory of viruses out there. Then in 2004, the beginnings of what is now VirusTotal were launched, which allowed malware prevention vendors to share signatures, malicious URLs and virus samples. The entire nature of how they competed changed.
Then, in early 2017, the Cyber Threat Alliance announced its formal incorporation as a non-profit. Like VirusTotal before, the companies that joined allowed each other access to their threat-intelligence data. This gives customers of these companies the assurance they are getting the best possible threat-intelligence data, regardless of which product set they choose. Further, it changes once again the business model for cyber-threat companies: Threat data is no longer necessarily a competitive advantage in the marketplace.
Meanwhile, Information Sharing and Analysis Centers (ISACs) are also a part of the full tableau of threat-intelligence sources, which can include commercial, open-source and government sources.
All of this is good news. However, with so many sources of threat intelligence, it’s necessary to consider how to scale these to complement your threat intel team. Blocking these threat actors may seem like an easy task; however, organizing intelligence feeds and integrating various security devices to do so is rather difficult, especially for the enterprise.
According to a 2018 study conducted by the Ponemon Institute, a full 67 percent of IT and security professionals spend more than 50 hours per week on threat investigations, instead of efficiently using security resources and sharing threat intelligence.
Enter the TIG
Gartner analysts in 2017 began writing about TIGs, a next-generation technology that serves as a stand-alone appliance, aggregating a large number of threat-indicator feeds to block activity on the wire in real time. These bring together not just indicators of compromise (IoCs), but also contextual information like tactics, techniques and procedures (TTPs) and attack surface details.
In large organizations, TIGs can immensely alleviate data management and help operationalize threat intelligence by:
A TIG isn’t for every company, however; it’s important to determine if there’s a business case given your other resources. To do this, many organizations use a framework, such as the Factor Analysis of Information Risk (FAIR) model, to determine the usefulness of a TIG within the context of one’s existing threat intelligence approaches:
The specifics for your organization will vary, but an approach like this is very helpful in determining whether a TIG can help you harness threat intelligence sources effectively in a way that makes business sense.
A Word on Purchase Justification
As with most purchases, it can be difficult to justify a new expense in a network already overcrowded with security technologies. One approach that can be helpful in justifying this, or other security investments, is to analyze the acquisition using a loss avoidance approach.
When investing in new security technologies, it is rare to be able to demonstrate a real return on investment (ROI), at least in the sense that ROI is treated in the financial services business. In other words, you won’t receive money in the corporate coffers as a result of increased security (with rare exceptions). Instead, there is a clear economic benefit in terms of “loss avoidance.” If we think about risk in terms of two factors (how often cyber-related losses occur and, when they do, how much they will cost your organization), this can focus a business case on factors that can help non-IT decision makers make a better assessment of a solution’s importance.
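The two-factor view of loss avoidance described above can be worked through as a small simulation. This is an added example, not part of the original article or of any FAIR tooling; every figure (event rates, loss sizes, the annual TIG cost, and the assumption that the control reduces frequency only) is constructed for illustration, and the Poisson and lognormal distributions are a modelling assumption.

```python
import math
import random
import statistics

def poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def annual_losses(rng, events_per_year, median_loss, sigma, years):
    """Total loss per simulated year: Poisson frequency, lognormal magnitude."""
    mu = math.log(median_loss)
    return [
        sum(rng.lognormvariate(mu, sigma)
            for _ in range(poisson(rng, events_per_year)))
        for _ in range(years)
    ]

def p90(values):
    """90th percentile: the 'bad year' figure a decision maker may ask about."""
    return statistics.quantiles(values, n=10)[-1]

def loss_avoidance(baseline, with_control, annual_cost, years=20000, seed=7):
    """Compare annualized loss exposure with and without the control."""
    before = annual_losses(random.Random(seed), *baseline, years)
    after = annual_losses(random.Random(seed + 1), *with_control, years)
    mean_before, mean_after = statistics.fmean(before), statistics.fmean(after)
    return {
        "mean_before": mean_before,
        "mean_after": mean_after,
        "p90_before": p90(before),
        "p90_after": p90(after),
        "avoided": mean_before - mean_after,
        "net_benefit": mean_before - mean_after - annual_cost,
    }

# Constructed inputs: (loss events per year, median loss per event, sigma).
BASELINE = (4.0, 50_000, 1.0)
WITH_TIG = (2.5, 50_000, 1.0)  # assumption: the control cuts frequency only
TIG_ANNUAL_COST = 60_000       # assumption: licence plus operating cost

if __name__ == "__main__":
    for name, value in loss_avoidance(BASELINE, WITH_TIG, TIG_ANNUAL_COST).items():
        print(f"{name:>12}: {value:>12,.0f}")
```

The net benefit is the avoided loss minus the annual cost of the control, so a negative figure under your own inputs argues against the purchase.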
Jack Freund is director of risk science at RiskLens, former director of cyber-risk at TIAA and co-author of the FAIR standard.