Threat intelligence - the best form of defence?
Major organisations are subject to millions of 'security events' every week, but which ones should be ignored and which investigated? IBM argues that threat intelligence can help
Security guru Bruce Schneier was probably not the first person to observe that, whether in the virtual or the physical world, the challenge for defenders is always that much greater than for attackers.
After all, an attacker only needs to succeed once in order to breach an organisation's or an opposing army's defences. Defenders, by contrast, must make sure they offer up not a single exploitable weak point, and must repel every attack, in order to avoid defeat.
That couldn't be more true of computer security, which is complicated by the fact that organisations must typically allow people access to their systems at various levels, while at the same time remaining constantly vigilant against attackers - who aren't exactly as clearly marked as an opposing army might be.
"Security is a battle of attack versus defence and right now on the internet attack is much easier than defence," says Schneier, pointing in particular to so-called advanced persistent threats (APTs), against which organisations are woefully ill-prepared. "We are terrible at defending against them."
Schneier says attackers launching APTs are usually highly skilled and determined, adding that there is often little companies can do to stop them. "An APT is a different sort of animal. In the security industry it's often about relative security. If your security is better than those around you the criminal will target your rival that is less secure," he says.
"Against an APT, though, that's not true so security has to be absolute. What matters is not if you are better than them [another company] but if you are better than the attacker," warns Schneier.
The trouble is, the average organisation will be experiencing so many "security events" that not every one of them can be investigated.
"The truth is, the average medium- to large-sized company experienced an average of more than 1.7 million security events a week in 2013," according to IBM Global Technology Services' Managed Security Services. That's 240,000 potential threats every single week picked up by the firewall and other corporate security devices.
IBM argues that this is where "threat intelligence" comes in. Given that following up and investigating potential threats is time consuming and labour intensive, it suggests that organisations need "correlation and analytics tools" to separate the genuine threats from all the noise, so that staff can act on them more quickly.
More than that, it also enables organisations to take pre-emptive defensive action. "Threat intelligence transforms the technical analysis required to identify the symptoms of an attack - such as malware and security events - into an understanding of who the attackers are, and what their motives and capabilities may be. Armed with that information, you can proactively configure your infrastructure to help identify and prevent the types of attacks that are known to target your industry or the technologies deployed within your infrastructure," claims IBM.
It continues: "Taking advantage of threat intelligence to help prioritise your security controls can help you identify the latest attacks more quickly and increase the speed with which you're able to respond to an incident."
The kind of actionable information that organisations need includes the answers to questions such as:
- Who is targeting my organisation?
- How do they operate?
- Do I have the right data sets to answer these questions?
- If so, how do I identify legitimate threats and eliminate the "noise" in all this data?
- What can we do to respond to these threats?
- Where is defence most effective?
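The correlation-and-prioritisation idea described above, and the "who is targeting me / how do they operate" questions in the list, can be made concrete with a small triage routine. The following is an added illustration, not IBM's or CrowdStrike's code and not any product's actual logic: the intelligence feed, the sample events, the actor names, the scoring weights and the threshold are all constructed assumptions. Each raw event is matched against the feed on its observables (source IP, queried domain, file hash); matches are boosted by the indicator's confidence and by whether the associated actor is known to target the organisation's own sector, and events that match nothing are only escalated if they recur in volume from one source. The result is a short ranked list of what an analyst should look at first, with attacker and tactic context attached, and a count of what was suppressed as noise.

```python
"""Rank raw security events against a threat-intelligence feed so the few
events that line up with known adversary activity surface ahead of the bulk
of routine noise.

Added example, not vendor code. Feed format, event format, weights and the
alert threshold are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed intelligence feed. Actor names and indicator values are
# hypothetical; the IP/domain values come from documentation ranges.
THREAT_INTEL = [
    {"type": "ip", "value": "198.51.100.23", "actor": "ACTOR-A (hypothetical)",
     "tactic": "credential theft", "sectors": {"finance"}, "confidence": 0.9},
    {"type": "domain", "value": "update-check.example", "actor": "ACTOR-B (hypothetical)",
     "tactic": "command and control", "sectors": {"finance", "retail"}, "confidence": 0.7},
    {"type": "hash", "value": "deadbeef" * 8, "actor": "ACTOR-C (hypothetical)",
     "tactic": "intellectual property theft", "sectors": {"manufacturing"}, "confidence": 0.8},
]

# Constructed sample of a week's events. Most are low-severity firewall
# denies, which is the realistic shape of the "millions of events" problem.
EVENTS = [
    {"id": 1, "src_ip": "203.0.113.5", "kind": "firewall_deny", "severity": 1},
    {"id": 2, "src_ip": "203.0.113.5", "kind": "firewall_deny", "severity": 1},
    {"id": 3, "src_ip": "203.0.113.5", "kind": "firewall_deny", "severity": 1},
    {"id": 4, "src_ip": "203.0.113.5", "kind": "firewall_deny", "severity": 1},
    {"id": 5, "src_ip": "198.51.100.23", "kind": "login_failure", "severity": 2, "user": "cfo"},
    {"id": 6, "src_ip": "10.0.0.12", "kind": "dns_query", "severity": 2,
     "domain": "update-check.example"},
    {"id": 7, "src_ip": "10.0.0.44", "kind": "file_execution", "severity": 3,
     "sha256": "deadbeef" * 8},
    {"id": 8, "src_ip": "10.0.0.9", "kind": "login_failure", "severity": 2, "user": "bob"},
    {"id": 9, "src_ip": "192.0.2.77", "kind": "firewall_deny", "severity": 1},
]


def extract_observables(event):
    """Return the (type, value) pairs of an event that a feed could match on."""
    obs = [("ip", event["src_ip"])]
    if "domain" in event:
        obs.append(("domain", event["domain"]))
    if "sha256" in event:
        obs.append(("hash", event["sha256"]))
    return obs


def correlate(events, intel, org_sector, threshold=4.0):
    """Score each event; return (alerts sorted by score desc, unmatched noise)."""
    index = {(i["type"], i["value"]): i for i in intel}
    alerts, noise = [], []
    for ev in events:
        matches = [index[o] for o in extract_observables(ev) if o in index]
        score = float(ev["severity"])
        context = {}
        if matches:
            best = max(matches, key=lambda m: m["confidence"])
            score *= 1 + 2 * best["confidence"]      # confidence boost (assumed weight)
            if org_sector in best["sectors"]:
                score *= 1.5                         # actor known to target our sector
            context = {"actor": best["actor"], "tactic": best["tactic"]}
        record = {"event": ev, "score": round(score, 2), **context}
        (alerts if score >= threshold else noise).append(record)
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts, noise


def escalate_repeats(noise, min_count=3, threshold=4.0):
    """Volume rule: many low-severity events from one source and of one kind
    become a single escalated alert instead of being discarded individually."""
    groups = defaultdict(list)
    for n in noise:
        ev = n["event"]
        groups[(ev["src_ip"], ev["kind"])].append(ev)
    escalated = []
    for (src, kind), evs in groups.items():
        score = float(evs[0]["severity"] * len(evs))
        if len(evs) >= min_count and score >= threshold:
            escalated.append({"src_ip": src, "kind": kind, "count": len(evs),
                              "score": score, "tactic": "repeated activity (volume rule)"})
    return escalated


def triage(events, intel, org_sector):
    """Full pass: intel-matched alerts, volume escalations, and how much was suppressed."""
    alerts, noise = correlate(events, intel, org_sector)
    escalated = escalate_repeats(noise)
    absorbed = sum(e["count"] for e in escalated)
    return {"alerts": alerts, "escalated": escalated, "suppressed": len(noise) - absorbed}


if __name__ == "__main__":
    result = triage(EVENTS, THREAT_INTEL, "finance")
    for a in result["alerts"]:
        print(f'event {a["event"]["id"]:>2}  score {a["score"]:>4}  {a.get("actor")}  {a.get("tactic")}')
    for e in result["escalated"]:
        print(f'{e["src_ip"]}: {e["count"]} x {e["kind"]}  score {e["score"]}')
    print("suppressed as noise:", result["suppressed"])
```

Run as a script, the nine constructed events collapse to three intel-backed alerts (the credential-theft actor targeting a finance organisation ranks first), one volume escalation for the source that was denied four times, and two events left as noise. The weights are deliberately simple; the point is that the ranking is driven by what the feed says about the attacker and the organisation's sector, not by raw event volume alone.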
It also helps to understand attackers' motivations: are they after intellectual property, banking or financial data or customer information?
There are also many services offering insight into what is going on "on the other side", among the hacker community around the world. IBM partners with CrowdStrike, for example, to provide identification of advanced threats and targeted attacks. This provides insight into attacker activity across multiple languages and cultures worldwide, as well as detailed technical analysis of threat tools, tactics and practices.
The hope is that such knowledge will mean power - and the ability to focus on real threats, rather than theoretical threats.