News & Media

Threat Intelligence, or making Threat data intelligent?

Share on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn0Email this to someone

The global Threat Intelligence industry is growing fast – providers include:

  • Consultancy or service business that will look in detail at your business and tell you the threat exposure you, your staff or your management team faces (from open research or more involved scouring of the “dark web”).
  • Data aggregators and brokers who harvest threat and risk information from a variety of sources (sometimes even primary sources) to provide a feed of dangerous IP addresses (e.g. botnets), compromised malware domains, suspicious web or email addresses linked with drive-by downloads or phishing etc.
  • Product vendors who collect diagnostic information, often out of the back of desktop/domestic anti-virus software and end-point protection suites and then resell the lists of sources to larger organisations.
  • Security testing companies who will tailor and tweak their assessment approach based on available threat and operational information to prioritise their analysis to more relevant threats.
  • Threat Intelligence solution vendors who provide tools to ingest, analyse, correlate and link threat data with actual observed happenings within a network as well as using live activity and context to derive meaning in alerts and activity (this is a small category, but it is very much where we at Huntsman Security sit – see <<link to threat intelligence page>>>).

In general, it is quite easy to get hold of data – the Internet is full of it; downloading a list of possible past/present rogue IP addresses is only useful if it is relevant, current, if you can sensibly use it in the right places where you are trying to detect attacks and if the resulting diagnostic process can be confident in the source data accuracy.

Having a list of IP addresses of domestic or consumer PC’s that are infected with a common, widespread virus won’t help me defend against a targeted attack – it will just tell me if my considerable investments in corporate, desktop AV software has left some part of my network exposed in the same way as if I’d just bought an unpatched PC from a high street retailer.

Security teams need to think beyond that.  Having a number of data sets (internal and external, general and specific), being able to ascribe meaning to them, and leveraging this information at the right stages and at the right enforcement points – now that is Intelligent.

« Back to Huntsman News & Media Articles