The Picture of Threat Intelligence

Page 5 of 5

but not in the sense of understanding a user's network behavior. This other context problem involves an enterprise's own network elements. "What's more subversive, though, is that the system supply chain prevents organizations from completely understanding what threats can possibly apply to them," says Michael Figueroa, executive director, Advanced Cyber Security Center, an umbrella organization for various security concerns. "An organization may implement a new device in its infrastructure that solves a critical business need without having any visibility into the various software packages, utilities and libraries used by the manufacturer to build the device. Without that exposure, security teams have no ability to adequately defend [based on] the findings of their threat intelligence efforts."

That lack of visibility can fuel a wide range of other problems. "Threat intelligence systems and techniques lack the context to quickly act on the indicators. Threats are seen from a technical perspective, one that may indicate a new rule to apply or system property to examine, rather than from an attack perspective," Figueroa says. "As such, the most sophisticated security operations are given limited understanding of how important one individual event may be against a steady stream of threats. That undermines their ability to prioritize and makes most threat intelligence activities useless."

Figueroa makes the case that context-based defenses can be undermined by "the anomaly perspective, presuming that the attacker is not going to act like the user," whereas attackers often do a commendable job impersonating the identities that they steal. Sometimes, "attackers are actually [using] a VPN (virtual private network) to that [victim's] computer so that they can look like the user when they hijack [the user's] machine," he says. The typical security center manager response, Figueroa says, is "if we just had a little more data."
Figueroa says that a slide he often uses in security presentations reads "'I now have enough data,' said never by a data scientist." "We're always seeking more data, but our ability to collect data far exceeds our ability to process it in any reasonable way," Figueroa says.

One CISO, Mike Sanchez of United Data Technologies, says many of the perspectives of his fellow CISOs are decidedly not helping the threat intelligence cause. "CISOs typically think in the terms of that red team stuff; that is the usual thinking. They are not having business-centered conversations."

"We are having these problems because CISOs are looking at tech solutions, but they are not taking the time to check what the business requirements are," Sanchez says. "They don't spend enough time and energy identifying their true risk exposure in a quantifiable method and that affects all decisions downstream," he continues. "That is the problem, and if it wasn't the problem, we wouldn't have had all of these issues we are seeing today with Equifax and other data breaches which happened because sound business practices were not in place or ignored."

29%: Percentage of sites that had at least one mobile device running a cryptojacking script in November 2017 (Wandera survey)

© 2018 Haymarket Media, Inc.
