Threat intelligence is data that security teams collect, process and analyze to prevent and remediate cyberattacks. Based on evidence—such as attack context, indicators and behaviors—of existing or emerging threats, threat intelligence helps security teams to make more effective, informed decisions that transform their security processes from reactive to proactive.
But collecting this information can be challenging, particularly when an organization’s security stack comprises solutions from numerous vendors, so security teams have to aggregate data from various sources. And turning threat intelligence into actionable insights is harder still.
To find out how organizations can improve their threat intelligence processes to better respond to cyberthreats, we spoke to Chris Jacob, Vice President of Threat Intelligence Engineering at ThreatQuotient. After serving in the US military, Jacob pursued a career in IT, working as a developer and architect before moving into the world of InfoSec, where he held leadership positions at Sourcefire (acquired by Cisco in 2013), Fidelis Cybersecurity and Webroot. He now leads ThreatQuotient’s global team of engineers to help businesses understand their threat intelligence challenges, providing them with actionable recommendations and product-driven solutions.
Founded in 2013, ThreatQuotient is a cybersecurity company that enables organizations of all sizes to better manage their threat intelligence, turning aggregated threat data into actions to defend against cyberattacks. Via their security operations platform, ThreatQuotient allows businesses to not only detect threats in their environments, but also track those threats and improve their incident response processes through triaging and automation.
Using Intelligence To Power Prevention And Response
Cyberthreats today are not only becoming more sophisticated, but also more prevalent. As products such as Malware-as-a-Service make cybercrime more accessible, security teams are having to deal with huge volumes of alerts across their environments. But this shouldn’t change their core practices, says Jacob. In fact, he suggests there are two key parts to remediating cyberthreats: prevention and response.
“Consider what we’re all going through at the moment with the pandemic. You have the preventative side, where we’re all wearing masks and social distancing—that’s what the security team does in making sure they’ve got the right technologies in place and the most up-to-date information to keep threats out.
“You also have the response: how you react when you’re hit. So again, in regard to the pandemic, you might self-quarantine to stop it from spreading. The same thing exists in the enterprise, where you have to deal with an attack once it’s gotten inside your environment.”
But organizations often find it difficult to respond efficiently and effectively to threats within their environment. This applies not only to small businesses that are just beginning to map out their security practices, but also to those with established operations teams who face an overload of alerts coming in from different data feeds.
“Some organizations with an established security operations center find themselves receiving 1,000 alerts a day,” explains Jacob, “but they can only get through 400 of them. So, they respond to whatever’s marked as highest priority, but it becomes like a hamster wheel that they can’t get off.”
This, according to Jacob, is where threat intelligence comes into play.
“Threat intelligence allows you to be predictive in your incident prevention and response,” he says. “The whole idea is that you’re identifying the malware before you’re infected; you know enough about it from your own research and intelligence feeds to be able to recognize it and know how it’s going to move.
“And this allows you to get one step ahead of the threat because those tactics and techniques aren’t going to change very often. It’s relatively trivial to recompile an executable and change a hash so that an antivirus software misses your attack. But the actual tactics and techniques that the malware and—ultimately—the attackers use are much harder to change, so they’re much slower to change.
“So, trying to understand those and being able to predict and ultimately eradicate the threat, is really where threat intelligence starts to come into play.”
Turning Intelligence Into Actionable Insights
A common challenge for organizations collecting threat intelligence data—particularly those aggregating it from different sources—is turning that data into an action they can perform. As demand for this data grows across industries, cybersecurity providers have created a class of solution to help organizations collect it and act on it. These solutions are often referred to as threat intelligence platforms (TIPs), and are usually built into extended detection and response (XDR) solutions.
“A threat intelligence platform, which is where ThreatQuotient has come from, helps organizations to ingest all that data from all those feeds, deduplicate it, normalize it and pre-process it,” explains Jacob. “That’s the first half.
“The second half, and where our platform really extends nicely into the XDR story, is then pushing all that data to all of the different technologies that make up your security stack and, just as importantly, receiving information back from those technologies as to how useful that data was.
“This creates a sort of feedback loop in the cycle, as well as takes each of these disparate systems and enables them to communicate.”
Pushing threat intelligence data back out to the infrastructure that your organization has created is key to making those systems more efficient, says Jacob. Because of this, he recommends that security teams invest in a TIP or XDR solution that offers a wide range of in-built integrations, so that they can set up those communications more effectively.
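The pipeline Jacob describes (ingest from several feeds, deduplicate, normalize, push to each tool in the stack, take feedback back) can be sketched in a few dozen lines. The following is an added illustration written for this article, not ThreatQuotient's code or any TIP's actual API. The feed records, field names, the per-tool capability map and the confidence-adjustment rules are all assumptions chosen for the example, and the indicators are constructed sample values (documentation ranges and placeholder hashes), not real intelligence.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feeds (not real intelligence). Two vendors describe
# overlapping indicators in different styles: defanged domains, mixed case,
# and one malformed address that should be dropped during pre-processing.
CONSTRUCTED_FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "Evil-Example[.]com", "confidence": 70},
        {"type": "ipv4", "value": "203.0.113.45", "confidence": 60},
        {"type": "url", "value": "hxxp://evil-example[.]com/payload.bin", "confidence": 80},
        {"type": "ipv4", "value": "999.1.1.1", "confidence": 90},  # invalid, dropped
    ],
    "feed_b": [
        {"type": "domain", "value": "evil-example.com", "confidence": 50},
        {"type": "sha256", "value": "A" * 64, "confidence": 65},  # placeholder hash
        {"type": "ipv4", "value": "198.51.100.7", "confidence": 40},
    ],
}

# Which indicator types each downstream tool can consume (assumed for the example).
TOOL_CAPABILITIES = {
    "firewall": {"ipv4", "domain"},
    "proxy": {"url", "domain"},
    "edr": {"sha256", "md5"},
}


@dataclass
class Indicator:
    itype: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)
    hits: int = 0
    false_positives: int = 0


def refang(value: str) -> str:
    """Undo common defanging so the same indicator from two feeds compares equal."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalize(raw: dict):
    """Canonicalize one raw feed record; return None if it fails validation."""
    itype = raw["type"].lower()
    value = refang(raw["value"])
    if itype in ("domain", "sha256", "md5"):
        value = value.lower()
    elif itype == "url":
        # Only scheme and host are case-insensitive; the path is left untouched.
        p = urlsplit(value)
        value = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    elif itype == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if itype == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
        return None
    return Indicator(itype, value, int(raw.get("confidence", 0)))


def ingest(feeds: dict) -> dict:
    """Normalize, deduplicate and merge indicators from every feed into one store."""
    store = {}
    for feed_name, records in feeds.items():
        for raw in records:
            ind = normalize(raw)
            if ind is None:
                continue
            key = (ind.itype, ind.value)
            if key in store:  # duplicate: merge provenance, keep the higher score
                store[key].sources.add(feed_name)
                store[key].confidence = max(store[key].confidence, ind.confidence)
            else:
                ind.sources.add(feed_name)
                store[key] = ind
    return store


def export_for(tool: str, store: dict, min_confidence: int = 50) -> list:
    """Push only indicators the tool can act on and that meet the confidence bar."""
    return sorted(
        ind.value for ind in store.values()
        if ind.itype in TOOL_CAPABILITIES[tool] and ind.confidence >= min_confidence
    )


def record_feedback(store: dict, itype: str, value: str, true_positive: bool) -> int:
    """Feedback loop: a tool reports whether a match was real, which moves the score."""
    ind = store[(itype, value)]
    if true_positive:
        ind.hits += 1
        ind.confidence = min(100, ind.confidence + 10)
    else:
        ind.false_positives += 1
        ind.confidence = max(0, ind.confidence - 25)
    return ind.confidence


if __name__ == "__main__":
    store = ingest(CONSTRUCTED_FEEDS)
    for tool in TOOL_CAPABILITIES:
        print(tool, "->", export_for(tool, store))
    record_feedback(store, "ipv4", "203.0.113.45", true_positive=False)
    print("firewall after false positive ->", export_for("firewall", store))
```

Two indicators that arrive as `Evil-Example[.]com` and `evil-example.com` collapse into a single record carrying both sources, each tool receives only the indicator types it can enforce, and a false-positive report from the firewall drops that address below the export threshold on the next push, which is the feedback loop Jacob describes.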
Demonstrating The Value Of Threat Intelligence
Alongside providing the intelligence required to secure their organizations against cyberthreats, threat intelligence teams also need to be able to prove their value in a way that makes their work visible to the rest of the company, says Jacob. While the cybersecurity industry is certainly growing, there remains a consistent battle between security practitioners and business executives regarding the importance of a robust cybersecurity infrastructure.
“The best piece of advice I can give to intel teams—whether they’re 10 years into this or just starting up—is that they need to keep in mind that most people outside of that team don’t know what they’re doing or how they’re doing it.
“Some industries have been very generous with funding their intel teams and I think a reckoning is coming when they’re going to say, ‘What exactly is it that you do here?’
“Intel teams deliver a lot of value, but they have to start looking at what they do as serving a customer; the customer being the organization and the product being intelligence. If they take on that product-centric, customer-centric approach to delivering threat intel, it’ll go a long way to showing other teams what they’re doing, and showing the C-Suite what their return on investment is.
“It’s going to become more and more critical in the next two years or so, as budgets start rolling back, for intel teams to start showing their value in a way that the rest of the organization can understand.”
Securing An Office With No Perimeter
As if the evolving threat landscape alone didn’t present enough of a challenge, security teams are also having to consider an evolving office environment when actioning their security processes. The hybrid working model has been around for years, but was catalyzed by the COVID-19 pandemic as organizations first had to provision their employees to work remotely, then began to welcome them back into the office.
While many of us will be glad to see the return of water-cooler chats and meetings that aren’t interrupted by someone unable to take themselves off mute, the hybrid return to the office poses a series of challenges for security teams. One of these challenges involves encouraging security best practices amongst workers who may need a refresher after two years working remotely.
It’s crucial, says Jacob, that in this somewhat turbulent period, security teams focus on setting up their policies in line with business objectives, and educate their users on why those policies are in place.
“As a security practitioner, you’re responsible for the security of a company. But that company’s responsibility is to its stakeholders and to producing revenue. So, as a security practitioner, you need to understand how the business produces that revenue, so that you can implement your policies without people circumventing them because they need to get their job done.
“You also need to train your users to understand why you’re putting these policies in place and asking them to do things a certain way.”
Jacob expects this educational element to continue to take a front seat as we see more people becoming concerned about their privacy online.
“Privacy is the death of security; the more privacy you achieve, the less security practitioners can help you. So as users move down the path of privacy, they’re taking on the onus of security themselves. And for the enterprise security team responsible for the company, it becomes more difficult to ensure that each user is staying safe and secure.
“So, setting up those policies and training users cannot be overstated.”
Thank you to Chris Jacob for taking part in this interview. You can find out more about ThreatQuotient and their data-driven security operations platform at their website and via their LinkedIn profile.