Intelligent Tech Channels Issue 04 | Page 60

EXPERT SPEAK
Alastair Paterson is the CEO and Co-Founder of Digital Shadows

Five tips on how to select threat intelligence

An ideal threat intelligence solution is the one that best fits multiple requirements, explains Alastair Paterson at Digital Shadows.

Traditional defenses have proven insufficient in protecting organisations from adversaries who are increasingly exploiting the digital shadows of organisations to launch targeted attacks. Now, more than ever, organisations are seeking to understand which actors pose a viable threat to their assets and business operations. As a result, many are taking the next step in their journey to strengthen their defenses by turning to cyber threat intelligence (CTI). But what exactly is CTI?

There are many different definitions of CTI and, as a result, varying expectations of what CTI can do. One of the most straightforward definitions comes from the CBEST Threat Intelligence Framework paper that says, “Information about threats and threat actors that provide relevant and sufficient understanding for mitigating the impact of a […] harmful event.”
The number of definitions nearly exceeds the number of new information security firms offering CTI. In fact, a new report by Forrester Research, Vendor Landscape: S&R Pros Turn to Cyberthreat Intelligence Providers for Help, includes 20 CTI vendors. This underscores the rising prominence of CTI as a security tool, as well as the potential for confusion when selecting a vendor.
As a security and risk professional, how do you navigate your way through these murky waters and choose a CTI solution that will best meet your needs? As with many areas in security, there is no silver bullet for CTI.
The following five tips can help you be judicious when assessing the market and your options.

1. Varied sources
Volume and variety of sources are among the most important characteristics of a threat intelligence provider. A provider that covers many sources, millions rather than thousands of unique domains, will reduce the chance of threats going unnoticed. Multilingual support across Web and Internet services, public and private forums and a range of media types, such as IRC chats, email and video, is also important. To get the best coverage you will likely need to work with multiple providers.

2. False alarms
Broad coverage must be balanced against the accuracy of alerts. Look for a provider that combines high-volume CTI with curated and tailored CTI to increase the accuracy of the intelligence.

3. Receive alerts
Accuracy is important, but if the information is received too late it may be irrelevant or not actionable. Look for vendors who can provide immediate alerts and can access data from previous years, which can provide valuable clues and early insights into potential events.

4. Integration
No matter how advanced an offering may be, no single vendor can satisfy all your needs. Any provider must be able to demonstrate the ability to use APIs to integrate with other solutions and with sharing communities such as FS-ISAC and CISP. Support for standards such as OpenIOC and STIX is also important, as well as integration with threat intelligence platforms like ThreatConnect and ThreatQuotient.

5. Tailored service
The most valuable intelligence is specific to your organisation and assets, not simply to your geography and sector. So as not to be overwhelming, there should be a mechanism in place to prioritise alerts. A provider that also offers formal feedback processes can use that information to further tailor the service to your needs.
CTI is critical for organisations that want to gain a comprehensive, tailored and relevant view of the potential threats and types of attackers that could be targeting them. But attackers never rest and neither can organisations in their quest for better threat protection and risk mitigation.