Threat intelligence feeds promise insight into the latest attacks, yet despite a vast choice of feeds, attacks are still being overlooked. Unfortunately, that vast choice is part of the problem. A daily chore for security operations center (SOC) analysts is to correlate information across the many disparate and uncoordinated threat feeds to which they subscribe. Given the number of threat feeds, it's akin to finding a needle in a haystack - and when SOC analysts don't find it, their organizations are left vulnerable.
There are other issues with relying on commercial and third-party threat intel. For example, some threat feeds are not curated, i.e., little or no validation has been performed on the intel. As a result, intrusion detection systems (IDS) that rely on these threat intelligence feeds generate a lot of noise. Given that alarm fatigue is a well-known problem plaguing security teams, organizations don't need yet another generator of spurious alarms.
Attack techniques can change in the time between the creation of third-party intel and its use by security teams, compromising its effectiveness. This is especially true for rapidly evolving threats like exploit kits. Yet organizations don't have an effective way to vet and curate intel before putting it into production.
Commercial and third-party threat intelligence also cannot account for the uniqueness of each customer's network, which is a must for large organizations with diverse networks. For example, intel on a threat that is targeting a local government agency in California is of no value to the SOC responsible for protecting a multinational financial institution operating in Brazil and Portugal. SOC analysts must be able to suppress intelligence that is ineffective in their networks and also use threat intelligence that is uniquely available to their organizations. The inner workings of commercial and third-party threat intel sources are typically invisible to security analysts, as rules are written and tuned by vendors. This "black box" approach hampers security analysts, as they don't know whether a small tweak or a complete rewrite is what will increase the efficacy of a poorly performing rule.
Security products that use threat intel must accommodate the uniqueness of each organization's network in order to make security teams more effective against known threats. Given that the modern enterprise network extends beyond traditional on-premises environments to encompass public and private cloud and industrial environments, security products must also give analysts visibility into threats everywhere.
Bring Your Own Intelligence (BYOI) is an approach to using threat intel that, when combined with a modern approach to intrusion detection offering indefinite retention of full-packet forensics, provides more reliable detection and overcomes the shortcomings above, which are typical of products that rely on commercial and third-party threat feeds.
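The curation step the preceding paragraphs call for (correlating overlapping feeds, dropping unvalidated or stale intel, suppressing indicators that are meaningless on this network, and ranking the organization's own intel first) can be made concrete with a small script. This is an added example, not code from the original post or from any product; the feed names, indicators, the 30-day staleness window and the scoring rule are all constructed assumptions.

```python
"""Curate several raw indicator feeds into one vetted, network-specific list."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Fixed "today" so the example is reproducible (assumption, not a real date).
NOW = datetime(2017, 4, 20, tzinfo=timezone.utc)
# Constructed sample feeds using documentation IP ranges; these are not real indicators.
FEEDS = {
    "vendor-a": [
        {"ioc": "198.51.100.7", "seen": NOW - timedelta(days=2), "validated": True},
        {"ioc": "203.0.113.9", "seen": NOW - timedelta(days=90), "validated": False},
        {"ioc": "10.0.5.5", "seen": NOW - timedelta(days=1), "validated": True},  # inside our own range
    ],
    "vendor-b": [
        {"ioc": "198.51.100.7", "seen": NOW - timedelta(days=3), "validated": False},
        {"ioc": "192.0.2.44", "seen": NOW - timedelta(days=5), "validated": False},
    ],
}
# Intel the organization produced itself (BYOI): always kept and ranked first.
LOCAL_INTEL = [{"ioc": "192.0.2.200", "seen": NOW, "validated": True}]
# Ranges on which a feed hit can only be noise for this network (own address space).
SUPPRESS = [ip_network("10.0.0.0/8")]
MAX_AGE = timedelta(days=30)  # assumed staleness window for third-party intel


def curate(feeds, local, suppress, max_age, now):
    """Return {ioc: {"score": int, "sources": set, "validated": bool}}.

    Score = number of independent feeds listing the indicator, plus one if any
    feed validated it. Stale or suppressed indicators are dropped before they
    can reach the IDS. Local intel gets a fixed high score so no feed outranks it.
    """
    merged = {}
    for name, entries in feeds.items():
        for e in entries:
            if now - e["seen"] > max_age:
                continue  # stale: the technique may have changed since this was published
            if any(ip_address(e["ioc"]) in net for net in suppress):
                continue  # irrelevant here; would only add to alarm fatigue
            rec = merged.setdefault(e["ioc"], {"score": 0, "sources": set(), "validated": False})
            rec["sources"].add(name)
            rec["validated"] |= e["validated"]
    for rec in merged.values():
        rec["score"] = len(rec["sources"]) + (1 if rec["validated"] else 0)
    for e in local:
        merged[e["ioc"]] = {"score": 10, "sources": {"local"}, "validated": True}
    return merged


def ranked(curated):
    """Indicator values ordered by score, highest confidence first."""
    return sorted(curated, key=lambda ioc: -curated[ioc]["score"])
```

Running `ranked(curate(FEEDS, LOCAL_INTEL, SUPPRESS, MAX_AGE, NOW))` yields the local indicator first, then the indicator corroborated by both vendor feeds, with the stale and internal-range entries already removed.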
Join me on Wednesday, April 26 at 10AM Pacific / 1PM Eastern for our webinar "Eliminate One-Size-Fits-All Threat Intel with BYOI" to learn what BYOI is, why a modern approach to intrusion detection systems (IDS) is needed, how organizations can use their own IDS signatures, and how they are already benefiting by making better use of their security personnel.