In this post, I want to talk about Cyber Threat Intelligence (CTI), which has been drawing quite a lot of attention in the security world lately. Let’s first take a look at how Gartner defines CTI:
Evidence-based knowledge, including context, mechanisms, indicators, implications and
actionable advice about an existing or emerging menace or hazard to assets that can be used to
inform decisions regarding the subject’s response to that menace or hazard.
I think what the description above says is “let’s make sure to differentiate information from intelligence”, and this is where most of us get confused. Some commercial tools claim that they provide us with “intelligence”, but most of it turns out to be nothing more than raw data that we still have to process and make sense of. Below you will find a couple of differences between information and intelligence, in a picture from http://www.isightpartners.com/
CTI is quite new to the security industry, and security companies are coming up with better solutions every day, even though we all agree that there is far more to do. The core problem is eliminating “noise” from information and making it meaningful. There is too much noise to deal with, and that certainly makes the job of security companies more challenging.
CTI is one of the most important tools that companies can use to be proactive against cyber threats. SANS’ survey shows that 75 percent of respondents find CTI important to security and 76 percent of them already gather information from the information security community; 55 percent use a SIEM tool for CTI. A SIEM is a great resource, but it cannot be effective by itself. If we are talking about an environment in which all security tools are integrated and feed information to each other to some extent, then we can say that there is internal cyber threat intelligence, and a SIEM can be very useful in that case.
Another infographic from SANS shows that only 34 percent have a team dedicated to CTI. Even though this number is not where it needs to be, I believe it will eventually go up, as most companies are either planning or in the process of training their own CTI team.
Next, we will talk about Threat Exchange Protocols and OSINT, which are aimed at building a unified threat exchange system and being able to produce actionable intelligence.