By Jason Landers, Senior Sales Engineer, Lastline
Modern threat actors are creative, persistent and funded. Yet, despite the severity of the threats, the majority of companies have been defending themselves in isolation.
Where have we seen examples of this in the past? Battlestar Galactica would have been a much shorter series if the Colonial Fleet tried to take on the Cylons by breaking up and having each ship go its own way to mount an independent defense.
The West would still be wild if American pioneer families didn’t band together with lawmakers and law enforcement to discourage violence and theft. Throughout history, real and imagined, a shared and common defense has always been superior to going it alone. Could it be that the next major evolution of cyber security is really a long overdue circling of the wagons?
Together, through emerging frameworks and new consortiums to share cyber threat intelligence, we can present a much stronger defense against attackers. When presented with the opportunity in those simple terms, every organization leaps at the thought of participating. However, the reality is most organizations find themselves ill-equipped to participate and quickly become frustrated.
In order to take advantage of threat data exchanges, an organization must be a qualified participant.
They must be able to do two fundamental things:
- Consume third-party threat intelligence that can be rapidly applied across their environment
- Generate new threat intelligence that can be readily shared in return.
In other words, you can’t just flash your boots and pistol in the saloon and be on equal terms with your partners in a shared defense.
Like the pioneers and explorers of the past, the journey begins with preparation. Unfortunately, at the same time, there are competing priorities, established legacy processes and shortages of every resource. There is, however, a set of clear steps which you can use to ensure you are prepared to lead when the time comes:
- The first step is to create and/or assess your in-house intelligence curation capabilities. This means establishing internal processes as well as deploying technology in order to multiply the capabilities of what is typically a limited number of information security professionals. Your in-house intelligence must act as the central hub and brokerage for all of your threat data. If you leave the raw intelligence spread out into silos and islands of technologies, you won’t be prepared to quickly adapt it, share it, scale it, rate it or apply it as new threats emerge. Work toward a process of determining and evaluating how relevant any given piece of threat intelligence is to your organization. If you have a feed of threat indicators but you can’t immediately determine how applicable each indicator is to your environment, you won’t be able to prioritize or organize any hits gleaned from the data.
- Establish integration paths between your internal information security systems. Connect them to your central intelligence repository. This can include things such as integrating dynamic blacklisting of domains into your DNS servers, creating feedback loops between your perimeter security such as firewalls and Web proxy devices with your endpoint compliance and security agents, etc.
- As you identify bottlenecks and limitations that prevent some of your tools from participating in two-way intelligence curation, you will need to create alternate paths to reroute—both in terms of technology and of process. Consider each bottleneck an opportunity to revisit old workflows and legacy processes. Ask yourself and your team whether the benefits the tool provides are worth the risk of not participating in a shared intelligence ecosystem. While evaluating your current capabilities, consider:
  - Your ability to generate brand new intelligence
  - The ability to output intelligence in an open and shareable format
  - The quality and efficacy (such that you are able to take clear and effective action as a result)
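The steps above describe a curation hub that rates third-party indicators against your own environment, prioritizes the hits, feeds a dynamic DNS blacklist, and shares intelligence back in an open format. As an added example (not code from the original article or from Lastline), the Python below sketches that loop end to end: the feed entries, log lines, allowlist and scoring weights are all constructed assumptions, and the STIX 2.1-style object is hand-built rather than produced by a STIX library.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed third-party feed (documentation-range placeholders, not real IoCs).
THIRD_PARTY_FEED = [
    {"type": "domain", "value": "bad-update.example", "source": "feed-a", "confidence": 80},
    {"type": "domain", "value": "cdn.partner.example", "source": "feed-b", "confidence": 30},
    {"type": "ipv4", "value": "203.0.113.7", "source": "feed-a", "confidence": 60},
]
# Constructed DNS and web-proxy log lines from our own environment.
LOCAL_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=bad-update.example",
    "2024-05-01T10:00:09Z proxy client=10.0.0.8 dst=203.0.113.7 url=http://203.0.113.7/x",
    "2024-05-01T10:01:00Z dns client=10.0.0.5 query=bad-update.example",
    "2024-05-01T10:02:00Z dns client=10.0.0.9 query=intranet.corp.example",
]
LOCAL_ALLOWLIST = {"cdn.partner.example"}  # known-good business dependency (assumption)
INDICATOR_FIELD = re.compile(r"(?:query|dst)=(\S+)")
CLIENT_FIELD = re.compile(r"client=(\S+)")


def rate_indicators(feed, logs, allowlist=LOCAL_ALLOWLIST):
    """Relevance = feed confidence + 20 per distinct internal client that touched
    the indicator (capped at 100), zeroed if allowlisted; returned highest first."""
    sightings = {}
    for line in logs:
        ind, client = INDICATOR_FIELD.search(line), CLIENT_FIELD.search(line)
        if ind and client:
            sightings.setdefault(ind.group(1), set()).add(client.group(1))
    rated = []
    for item in feed:
        hits = len(sightings.get(item["value"], ()))
        score = 0 if item["value"] in allowlist else min(100, item["confidence"] + 20 * hits)
        rated.append({**item, "hits": hits, "relevance": score})
    return sorted(rated, key=lambda i: i["relevance"], reverse=True)

def to_stix_indicator(item):
    """Hand-built STIX 2.1-style Indicator object (no stix2 library) for sharing back."""
    stix_type = {"domain": "domain-name", "ipv4": "ipv4-addr"}[item["type"]]
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "valid_from": now, "pattern_type": "stix",
            "pattern": f"[{stix_type}:value = '{item['value']}']", "confidence": item["relevance"]}

def to_rpz_records(rated, min_relevance=50):
    """RPZ records for high-relevance domains: the dynamic DNS blacklist feed."""
    return [f"{i['value']} CNAME ." for i in rated
            if i["type"] == "domain" and i["relevance"] >= min_relevance]
```

With the constructed data, the allowlisted CDN domain drops to relevance 0 and never reaches the resolvers, while the domain two internal hosts never saw but one host queried twice scores 100 and is the first thing shared back.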
These wagon trains are forming—participants are sizing each other up, and organizations that have built a robust capability to consume, apply and generate threat intelligence compatible with open standards stand to share an infosec defense multiplier greater than what has ever been possible before.
By positioning yourself to take advantage of today’s open standards, you are taking the first step toward ensuring you are not a follower left to muster your own defense. You are a leader among a group of equals who share strength in numbers.