
How Machine Learning Enhances Threat Intelligence

By Derek Manky | October 08, 2019

Organizations need to revamp their cybersecurity approach to meet today’s threat environment. Nevertheless, many cybersecurity teams still rely on passive security devices at the network edge that can do nothing but recognize historical threats and look for identical threats in the future. And while some vendors have added extra layers of intelligence to this type of signature-based detection, it is still the primary mode of protection relied upon by far too many organizations.

Today’s threats are far more sophisticated. They are designed to evade detection, hijack approved software, disguise themselves as legitimate traffic, and even disable network and security devices. Prevention, as well as detection and response, require active security solutions that can identify attack patterns, detect unusual behaviors, and uncover threats before they can cause harm. And to do that, they need effective and reliable threat intelligence.

What is Threat Intelligence?

Threat intelligence describes a dynamic system for collecting and analyzing information about previous cyberthreats: the tactics, techniques, and procedures (TTPs) attackers used, and the indicators they left behind. Cybersecurity teams use this historical data to prevent and mitigate future attacks on their networks. Since many cyberthreats evolve from a “common ancestor,” a sound threat intelligence strategy is essential to detecting and quashing threats before they harm your organization.

The Value of Using Multiple Cyberthreat Intelligence Sources

Nearly every security device today relies on some sort of external subscription feed that provides regular updates to signature sets, detection algorithms, and data on the latest threats. Without that, the value of a security tool would quickly diminish over time as threat actors refine and revise their strategies and tactics. The challenge, regardless of the sophistication of the security device itself, is that what organizations are really relying on is the expertise of the vendor’s security researchers and the completeness and accuracy of the data they provide as updates.

And far too often, that is exactly where their security fails. According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, the mean time to identify a data breach was 197 days and the mean time to contain it an additional 69 days, for an average breach lifecycle of 266 days. Much of that delay comes down to threat intelligence: if the indicators and behaviors of an intrusion are not in the data your tools consume, the intrusion goes unnoticed until its effects do.

The value of threat intelligence depends on things like the scale of the data available to the vendor. How many sensors they have deployed, where they are deployed, and the kinds of data they collect are all critical factors. Likewise, how many security researchers are on the back end analyzing that data or conducting original research? What sorts of tools and algorithms do they use? If they collect large volumes of threat data – which they should – do they have access to things like artificial neural networks to quickly pinpoint and assess threats that might be missed by human analysts?

Smart security executives understand that they can’t rely solely on the data provided by their vendors to catch criminal activity. Which is why they also subscribe to external threat feeds to supplement the data they use for internal analysis. And because threat feeds are subject to the same limitations as those from the vendors, they often subscribe to more than one. Smart vendors do the same thing. It’s one of the reasons why Fortinet helped found the Cyber Threat Alliance (CTA) – to ensure that our own researchers have access to multiple data feeds to improve the accuracy of our threat intelligence services.

But in addition to gathering raw data, a parallel concern is how consumable the data being provided is. Can it be ingested directly by existing security tools, which is best, or does it need to be parsed, normalized, and deduplicated against your other feeds before it is useful? If so, do you have the right tools in place?
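What “making a feed consumable” means in practice, as an added example that is not code from the original post or from Fortinet: two constructed STIX 2.1-style indicator bundles (embedded inline so the script runs offline; the addresses are documentation ranges and the hash is the SHA-256 of an empty file, not real indicators) are parsed, case-folded, merged on (type, value) so the same IOC reported by two sources becomes one record with two sources, and only corroborated or high-confidence entries are promoted to an enforcement list. Unsupported pattern shapes are reported rather than silently dropped. The feed names and thresholds are assumptions for the example.

```python
"""Normalize indicators from two threat feeds into one de-duplicated IOC table.

Added example, not code from the original post or from Fortinet/FortiGuard.
The two feeds below are constructed STIX 2.1-style bundles; the addresses are
documentation ranges and the hash is the SHA-256 of an empty file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed feeds. Real feeds arrive over TAXII or HTTPS; the shape is the same.
FEED_A = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "C2 host", "confidence": 80,
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "name": "Phish domain", "confidence": 60,
         "pattern": "[domain-name:value = 'Login.Example.NET']"},
        {"type": "malware", "name": "not an indicator, must be ignored"},
    ],
}
FEED_B = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "C2 host", "confidence": 50,   # same IOC as FEED_A
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "name": "Dropper", "confidence": 90,
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "name": "Vendor extension", "confidence": 70,
         "pattern": "[x-vendor-obj:field = 'opaque']"},   # unsupported object path
    ],
}

# Single-comparison STIX pattern: [<object-path> = '<value>']
PATTERN_RE = re.compile(r"^\[([A-Za-z0-9\-]+:[^\s=]+)\s*=\s*'([^']*)'\]$")
OBJECT_PATH_TO_TYPE = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}


@dataclass
class Ioc:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    confidence: int = 0          # highest confidence any source assigned


def parse_indicator(pattern: str) -> tuple[str, str] | None:
    """Return (ioc_type, value) for a supported pattern, None otherwise."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        return None
    ioc_type = OBJECT_PATH_TO_TYPE.get(m.group(1))
    if ioc_type is None:
        return None
    return ioc_type, m.group(2).lower()   # case-fold so duplicates collide


def normalize(feeds: dict[str, dict]) -> tuple[dict[tuple[str, str], Ioc], list[tuple[str, str]]]:
    """Merge {source_name: bundle} into {(type, value): Ioc}; also return what was skipped."""
    merged: dict[tuple[str, str], Ioc] = {}
    skipped: list[tuple[str, str]] = []
    for source, bundle in feeds.items():
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator":
                continue
            parsed = parse_indicator(obj.get("pattern", ""))
            if parsed is None:
                skipped.append((source, obj.get("pattern", "")))   # never drop silently
                continue
            ioc = merged.setdefault(parsed, Ioc(*parsed))
            ioc.sources.add(source)
            ioc.confidence = max(ioc.confidence, int(obj.get("confidence", 0)))
    return merged, skipped


def blocklist(merged: dict[tuple[str, str], Ioc], min_sources: int = 2,
              min_confidence: int = 75) -> list[str]:
    """IOCs worth pushing to an enforcement point: corroborated by several feeds or high confidence."""
    return sorted(
        f"{ioc.ioc_type}:{ioc.value}"
        for ioc in merged.values()
        if len(ioc.sources) >= min_sources or ioc.confidence >= min_confidence
    )


if __name__ == "__main__":
    table, dropped = normalize({"feed_a": FEED_A, "feed_b": FEED_B})
    for ioc in table.values():
        print(f"{ioc.ioc_type:7} {ioc.value:64} conf={ioc.confidence:3} sources={sorted(ioc.sources)}")
    print("skipped:", dropped)
    print("blocklist:", blocklist(table))
```

The merge step is where multiple sources pay off: an indicator one feed rates at 50 and another at 80 is worth more than either number alone, and the single-source, low-confidence domain stays in the table for hunting without being pushed to a block rule.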

Collecting and Correlating Your Threat Intelligence Data

Just as important as external data is the ability to collect, correlate, and analyze internal threat intelligence. The challenge here is that most legacy security devices in place operate in isolation. Sure, they can generate copious log files and may have elaborate reporting capabilities, but they don’t easily share or correlate their data with other security devices. If your NGFW doesn’t talk to your WAF or your Secure Email Gateway, you may be missing critical insights that only exist between those tools. Instead, most organizations end up manually correlating log files and reports between different tools, which means that subtle details that may indicate risk or a breach can be easily overlooked.

At a minimum, security tools must be able to natively collect, share, and correlate threat intelligence with each other. This enables rapid identification of issues, as well as the ability for those tools to initiate a coordinated response to an event. Further, those details and data need to be shared and correlated across every segment of the distributed network, including SD-WAN connections, SD-Branch networks, mobile end-user and IoT devices, and every instance of your multi-cloud environment.

SIEM tools can also play a critical role in the gathering and correlation of threat intelligence from a variety of sources, as well as in the orchestration of effective threat response. Ultimately, all of these elements need to be fed into a NOC/SOC environment where threat and network activity can be further correlated and analyzed.
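The kind of insight that “only exists between those tools”, as an added example that is not code from the original post or from any Fortinet product: three constructed log excerpts from a Secure Email Gateway, an NGFW and a WAF, deliberately in three different formats, are joined on shared pivots (recipient user, link domain, source address). Each device saw something benign on its own: a delivered message with an unknown-reputation link, an accepted outbound connection, a successful login. Together they describe a credential phish followed by the attacker logging in from outside. The host-to-user map stands in for an asset inventory, and the internal address prefix, time windows and log shapes are assumptions for the example.

```python
"""Correlate Secure Email Gateway, NGFW and WAF logs on shared pivots (user, domain, IP).

Added example, not code from the original post or from any Fortinet product.
All three log excerpts are constructed (documentation addresses, fictional users).
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta
from urllib.parse import urlparse

SEG_LOG = """\
2019-10-01T09:02:11Z action=deliver rcpt=alice@corp.example url=http://login.example.net/reset verdict=unknown
2019-10-01T09:05:40Z action=deliver rcpt=bob@corp.example url=http://docs.example.org/q3 verdict=clean
"""
NGFW_LOG = """\
2019-10-01T09:14:03Z srcip=10.0.0.5 dstip=203.0.113.10 hostname=login.example.net action=accept
2019-10-01T09:20:55Z srcip=10.0.0.7 dstip=198.51.100.20 hostname=docs.example.org action=accept
"""
WAF_LOG = """\
{"ts": "2019-10-01T11:47:30Z", "src": "203.0.113.77", "path": "/sso/login", "user": "alice", "status": 200}
{"ts": "2019-10-01T11:50:02Z", "src": "10.0.0.7", "path": "/sso/login", "user": "bob", "status": 200}
"""
HOST_TO_USER = {"10.0.0.5": "alice", "10.0.0.7": "bob"}   # assumed asset inventory
INTERNAL_PREFIXES = ("10.",)                                 # assumed internal address space


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_kv(text: str) -> list[dict]:
    """'<ts> k=v k=v ...' lines (SEG and NGFW) -> dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(field.split("=", 1) for field in rest.split())
        ev["ts"] = _ts(ts)
        events.append(ev)
    return events


def parse_json_lines(text: str) -> list[dict]:
    """One JSON object per line (WAF) -> dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        ev = json.loads(line)
        ev["ts"] = _ts(ev["ts"])
        events.append(ev)
    return events


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def correlate(seg, ngfw, waf, host_to_user, visit_window=timedelta(hours=1),
              login_window=timedelta(hours=24)) -> list[dict]:
    """Chain: mail with a link is delivered -> the recipient's host visits that
    domain -> the same user then authenticates at the WAF from an external address."""
    incidents = []
    for mail in seg:
        if mail.get("action") != "deliver" or "url" not in mail:
            continue
        user = mail["rcpt"].split("@", 1)[0]
        domain = (urlparse(mail["url"]).hostname or "").lower()
        for visit in ngfw:
            if (visit.get("hostname", "").lower() != domain
                    or host_to_user.get(visit.get("srcip")) != user
                    or not (timedelta(0) <= visit["ts"] - mail["ts"] <= visit_window)):
                continue
            for login in waf:
                if (login.get("user") == user and login.get("status") == 200
                        and not is_internal(login["src"])
                        and timedelta(0) <= login["ts"] - visit["ts"] <= login_window):
                    incidents.append({"user": user, "domain": domain,
                                      "external_ip": login["src"],
                                      "chain": [mail["ts"], visit["ts"], login["ts"]]})
    return incidents


def run() -> list[dict]:
    return correlate(parse_kv(SEG_LOG), parse_kv(NGFW_LOG),
                     parse_json_lines(WAF_LOG), HOST_TO_USER)


if __name__ == "__main__":
    for inc in run():
        print(f"possible credential phish: user={inc['user']} lure={inc['domain']} "
              f"login_from={inc['external_ip']}")
```

Bob follows the same first two steps (a delivered link, a visit) but logs in from an internal host, so no incident is raised; the point of the correlation is the third hop, which none of the three devices can evaluate alone. In a fabric or SIEM the parsing and the join are done for you; the logic is the same.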

How to Use Machine Learning and AI to Strengthen Threat Intelligence

But this is just the start. Virtually every element of the next generation of security requires the generation, deep analysis, and correlation of threat intelligence, and today’s feed-based approaches are still rather primitive. Machine learning, given enough good training data, can detect threat patterns and help develop offensive and defensive playbooks. Combined with AI-driven automation, security systems will be able not only to anticipate an intruder’s next moves and shut them down automatically, but also to predict which threats are likely to target a system and which attack vectors they are likely to use, so a threat can be stopped before it even begins.
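The simplest form of the behavioral detection this paragraph points toward, as an added example that is not code from the original post or from a Fortinet product: instead of a trained model, it uses a plain statistical baseline, the coefficient of variation of the gaps between a host’s connections to one destination, to flag traffic that is too regular to be human. No indicator feed can express “talks to something every sixty seconds”, which is why this class of pattern needs analysis of behavior rather than matching of known values. The connection records are constructed, the addresses are documentation ranges, and the thresholds are assumptions; a real system would learn them from the environment.

```python
"""Flag host/destination pairs whose outbound connections are too regular to be human.

Added example, not code from the original post or a Fortinet product. Uses a
statistical baseline (coefficient of variation of inter-connection gaps) rather
than a trained model. All events are constructed; addresses are documentation ranges.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev


def build_events() -> list[tuple[int, str, str]]:
    """(seconds, src, dst). One implant-like talker, one human-like, one too quiet to judge."""
    events = []
    t = 0
    for gap in [60, 62, 58, 61, 59, 60, 63, 57, 60, 61]:      # ~60 s with small jitter
        events.append((t, "10.0.0.5", "203.0.113.10"))
        t += gap
    events.append((t, "10.0.0.5", "203.0.113.10"))
    t = 0
    for gap in [5, 300, 12, 900, 45, 7, 1800, 30, 120, 600]:  # bursty, user-driven
        events.append((t, "10.0.0.7", "198.51.100.20"))
        t += gap
    events.append((t, "10.0.0.7", "198.51.100.20"))
    events += [(0, "10.0.0.9", "192.0.2.30"), (60, "10.0.0.9", "192.0.2.30"),
               (120, "10.0.0.9", "192.0.2.30")]               # regular, but too few samples
    return events


def beacon_candidates(events, min_events: int = 8,
                      max_cv: float = 0.15) -> dict[tuple[str, str], float]:
    """Return {(src, dst): cv} for pairs with at least min_events connections whose
    inter-connection gaps have a coefficient of variation of at most max_cv."""
    by_pair: dict[tuple[str, str], list[int]] = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:          # not enough evidence; do not flag on noise
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg              # 0 means perfectly periodic
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    for (src, dst), cv in beacon_candidates(build_events()).items():
        print(f"beacon-like traffic {src} -> {dst} (cv={cv})")
```

The minimum-sample guard matters as much as the threshold: three evenly spaced connections are not evidence of anything, and a detector that fires on them trains analysts to ignore it. Feeding confirmed hits back into the central system, as the next paragraph describes, is what turns a local heuristic like this into shared intelligence.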

This requires two things. First, for responses to occur at the speed of today’s cyberattacks, data needs to not only be collected and analyzed locally, but autonomous decisions also need to be made locally. And second, that information needs to be shared back to the central system so it can be further assessed and initial responses refined and updated, and so alerts and responses can be orchestrated across the entire network.

Finally, and this cannot be overemphasized, if we want to truly get out ahead of the cybercriminals targeting legitimate businesses, we all need to participate in information sharing at all levels, from individual organizations to cross-vendor organizations like the Cyber Threat Alliance. As your threat intelligence becomes more refined, it can not only protect your network but also protect the networks and sharpen the AI of others. At a minimum, consider joining an industry or regional Information Sharing and Analysis Center (ISAC), and make sure that events are shared back to your security vendors so they can also refine their processes.

Preparing for a Security-Driven Networking Strategy

As we move further into network and business changes occurring due to ongoing digital transformation, reliable and actionable threat intelligence from a variety of sources will eventually need to be woven directly into the network itself. This security-driven network approach will allow security to automatically adapt and dynamically respond to the minute-by-minute changes happening in even the most fluid and highly distributed network environments. 

Preparing for this new, third generation of security starts today by building an interconnected and deeply integrated security fabric designed to work as a single, seamless whole rather than a loose collection of individual physical and virtual devices.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.