Q&A: Threat Intelligence and the Threat Landscape

By John Welton | September 29, 2016

Providing holistic, actionable security intelligence across the entire IT infrastructure is critical for the future of cybersecurity. Fortinet’s Matti Blecher offers his perspective here.

Can you give us a glimpse into the threat landscape from a threat intelligence point of view? What are customers facing today?

One of the biggest security challenges organizations face is being able to see enough of the network to identify today’s most advanced, multi-vector threats. Ideally, you need to be able to see across the distributed network, including cloud deployments and devices from multiple network and security vendors. You then need to correlate detected local activity with global threat intelligence and expected behaviors, and coordinate a response across the entire portfolio of installed security solutions. And because these tools don’t have a common management or orchestration console, most of this correlation has to be done by hand.

This becomes increasingly challenging as networks continue to expand beyond the perimeter and embrace increasing numbers of devices and applications. And as the network expands, the attack surface naturally expands with it. At the same time, new threats are targeting this distributed network architecture. Mobility, IoT, virtualization, big data, and the cloud aren’t only transforming businesses. They are being specifically targeted, which is a game changer for security as well. For example, it is estimated that by 2020 over 25% of attacks on enterprises will involve IoT.

What does this mean on a day-to-day basis for security professionals?

Unfortunately, enterprises continue to struggle with limited defensive resources, a growing security skills shortage, and the proliferation of security tools that operate in isolation. Security teams monitor an average of 14 separate security consoles to try and manage, assess, and secure the expanding array of devices and technologies on their networks. Many times, they have to compare log files, hand-correlate data, and manually change policies between devices in order to address threats, which means that many threats go undetected, and response times are too slow for attacks that operate at machine speeds.

How do you handle the overwhelming volume of multiple threat data feeds?

First, you need to identify the explicit purpose of an individual threat feed, how it will be used, and how it will move the security program forward before deciding to subscribe to it. This action will help avoid the “All You Can Eat” problem, which typically results in threat data overload. The same principle used at a buffet is applicable here: eat only what you want or need, rather than every buffet menu item (threat data feed) even though it’s included.

Next, you need to define the feeds with the most value to the overall security health of your organization. This is different for each environment, and requires some operational knowledge for added context. For example, knowing you plan on running a marathon the following day while standing at the buffet line will likely cause you to load up on carbs rather than veggies. In this instance, carbs are more valuable to you than the veggies, but that’s not always the case.

In the same way, not all threat feeds are created equal. Feeds that align to earlier phases of the Kill Chain (recon, weaponization, and delivery) are generally more valuable than those that inform later phases (e.g. action on objectives) for early detection.

The two most important points to remember with threat data feeds are:

  1. Start small - use open source feeds to test your preparedness for consuming threat data feeds, but be careful not to operationalize these, as oftentimes they are not validated or quality feeds.
  2. Utilize automation - employ automation scripts to help with integration into your SOC function. This will greatly reduce the manual effort typically required to extract meaningful insights from threat data feeds.

How do you handle conflicting threat intelligence? For example, when you receive a threat feed from one source or provider that lists a specific artifact (i.e. IP, domain, etc.) as malicious, and another source lists the same artifact as non-malicious. How do you handle that?

The best practice is to treat all artifacts as malicious until your internal team completes the validation and verification process. You should also automate the validation process to the extent possible, and defer to manual validation for artifacts with the most volume or greatest impact as they are discovered in the validation process. Next, assign resources to validate, or wait before integrating it into your SIEM or Threat Intelligence Platform (TIP). However, if you find the artifact is interacting with, or has interacted with, one of your critical assets, then block it, treat it as malicious, and take action regardless of the conflict. In the high-risk security world, it is usually better to be safe than sorry.
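The triage order described in the answer above, as an added Python sketch that is not part of the interview and not Fortinet code. The feed names, addresses, log format, and action labels are constructed assumptions.

```python
from collections import Counter

# Constructed sample data, not from the article (documentation-range addresses).
FEED_VERDICTS = {
    "198.51.100.7": {"feed_a": "malicious", "feed_b": "benign"},
    "203.0.113.9": {"feed_a": "malicious", "feed_b": "benign"},
    "192.0.2.44": {"feed_a": "malicious", "feed_b": "malicious"},
}
CRITICAL_ASSETS = {"10.0.0.5"}       # hypothetical critical internal hosts
CONNECTION_LOG = [                   # (internal host, remote artifact)
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.3.20", "203.0.113.9"),
    ("10.0.3.21", "203.0.113.9"),
    ("10.0.3.22", "192.0.2.44"),
]


def conflicts(verdicts):
    """Artifacts on which the feeds disagree."""
    return sorted(a for a, v in verdicts.items() if len(set(v.values())) > 1)


def triage(verdicts, log, critical, validated):
    """Return ({artifact: action}, validation queue ordered by local volume).

    validated maps artifact -> "malicious"/"benign" once the internal
    validation process has finished; unvalidated artifacts are absent.
    """
    hits = Counter(remote for _, remote in log)
    touched_critical = {remote for host, remote in log if host in critical}
    actions, pending = {}, []
    for artifact in verdicts:
        if artifact in touched_critical:
            # Critical asset involved: block regardless of any conflict.
            actions[artifact] = "block"
        elif artifact in validated:
            actions[artifact] = "block" if validated[artifact] == "malicious" else "allow"
        else:
            # Default stance: malicious until internally validated.
            actions[artifact] = "hold_as_malicious"
            pending.append(artifact)
    # Highest local volume first, so manual effort goes where impact is greatest.
    pending.sort(key=lambda a: (-hits[a], a))
    return actions, pending


if __name__ == "__main__":
    print(conflicts(FEED_VERDICTS))
    print(triage(FEED_VERDICTS, CONNECTION_LOG, CRITICAL_ASSETS, {}))
```
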

What solutions does Fortinet offer?

Fortinet’s Cyber Threat Assessment Program has been designed to look deep into a company’s network traffic - across the entire distributed environment - searching for indicators of compromise. It also provides organizations with a blueprint on how to reduce risk, while at the same time making their network more efficient. In addition, Fortinet earlier this year announced the Fortinet Security Fabric, which integrates the Fortinet security portfolio, as well as third-party solutions, into an integrated and open security architecture. The Fortinet Security Fabric allows security devices to share threat intelligence and coordinate responses anywhere across the distributed network, from IoT, across the network, and out to the Cloud.