There’s a lot of buzz about threat intelligence and threat hunting these days. But beyond the hype, what intelligence are organizations actually getting about cyber threats? How can you know true threat intelligence when you see it?
This widely misunderstood subject came up in a recent episode of The Virtual CISO Podcast, which features Danielle Russell, Director of Product Marketing Management for AT&T Cybersecurity, a threat intelligence leader. Host John Verry, Pivot Point’s CISO and Managing Partner, also has extensive experience with threat intelligence and other approaches to incident detection and response.
John asks Danielle for her definition of threat intelligence:
“Because even this idea of a threat intelligence feed, I think most people don’t really understand that. They’ll give you the ‘Uh-huh, uh-huh,’ but I don’t think they get it. So… can you define what you’re actually doing when you talk about a threat intelligence feed and how that data might get used?”
Danielle replies that the first point to grasp is the difference between threat intelligence and threat data. Her explanation includes a terrific analogy, which she credits to her firm’s CTO.
“You might think of threat data as someone telling you, ‘Someone is out to kill you.’ That might be a piece of information … that’s not highly actionable but might make you a little paranoid. Might make you start looking around or looking over your shoulder for more information or clues,” Danielle explains.
“Threat intelligence would be something more like, ‘Someone is out to kill you. They will be coming for you at 4PM your time on a Friday afternoon. They will park a white van outside of your house. They’ll be carrying a pistol and they’ll be dressed in all black.’ That is threat intelligence,” clarifies Danielle.
She then relates that point to SIEM tool capabilities:
“You can imagine there’s a pretty big difference in quality and difference in how actionable that information is. I think that is the crux of having any kind of SIEM deployment. If you are evaluating, demoing, looking at a SIEM, if you can’t get to that answer, like, ‘Show me how I would use all of the context I’m getting… to immediately understand what is going on in this environment. How am I at risk? What has been affected?’ … That’s really the crux of being able to do good threat detection.”
Why is the difference between threat data and threat intelligence so important?
Because of the effort it would take your security resources (assuming you have some) to cut through the potential noise and work out the connection between individual threat data elements and whatever threat (if any) is actually looming or already underway.
For example, a SIEM tool might report that a system in your environment communicated with a known bad IP address. Threat intelligence goes a big step further: it applies machine learning as well as human expertise to put that data point in the context of many others and pinpoint the actual tactics, techniques and procedures (TTPs) that attackers are currently using.
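The difference can be made concrete in code. The script below is an added illustration, not code from the podcast, from Pivot Point or from AT&T Cybersecurity: it runs the same constructed sample of firewall events first against a bare indicator list (threat data) and then against the same indicators carrying context (threat intelligence: campaign, TTP, confidence), correlated with an asset inventory. All hosts, IP addresses, feed fields and the scoring weights are constructed assumptions chosen to show the shape of the enrichment, not a vendor's actual logic.

```python
"""Threat data vs. threat intelligence, as enrichment logic over SIEM-style events.

Added example; every feed entry, host name, IP and event below is constructed.
"""
from collections import defaultdict

# Constructed "threat data": a bare indicator list with no context attached.
# Addresses are from the RFC 5737 documentation ranges.
THREAT_DATA = {"203.0.113.45", "198.51.100.7"}

# Constructed "threat intelligence": the same indicators with context.
# Field names (campaign, ttp, confidence) are assumptions for this example.
THREAT_INTEL = {
    "203.0.113.45": {"campaign": "example-campaign-A",
                     "ttp": "C2 beacon over HTTPS", "confidence": 90},
    "198.51.100.7": {"campaign": None,
                     "ttp": "opportunistic scanner", "confidence": 30},
}

# Constructed asset inventory: business criticality per host.
ASSETS = {"fin-db-01": "critical", "kiosk-07": "low"}

# Constructed outbound connection events from a firewall/proxy log.
EVENTS = [
    {"host": "fin-db-01", "dst": "203.0.113.45", "bytes_out": 2_400_000},
    {"host": "fin-db-01", "dst": "203.0.113.45", "bytes_out": 1_900_000},
    {"host": "kiosk-07",  "dst": "198.51.100.7", "bytes_out": 120},
    {"host": "fin-db-01", "dst": "192.0.2.10",   "bytes_out": 500},
]


def threat_data_hits(events, indicators):
    """Threat data: every event whose destination is on the list.

    This is the "someone is out to kill you" level: a match, no priority,
    no statement of what is affected or how.
    """
    return [e for e in events if e["dst"] in indicators]


def threat_intel_findings(events, intel, assets):
    """Threat intelligence: correlate matches per (host, indicator), attach feed
    context and asset criticality, and rank the result.

    Each finding answers the podcast's questions: what is going on, how am I
    at risk (score/priority), and what has been affected (host, criticality).
    """
    grouped = defaultdict(list)
    for e in events:
        if e["dst"] in intel:
            grouped[(e["host"], e["dst"])].append(e)

    findings = []
    for (host, dst), hits in grouped.items():
        ctx = intel[dst]
        total_out = sum(h["bytes_out"] for h in hits)
        criticality = assets.get(host, "unknown")

        # Scoring weights are illustrative assumptions, not a standard.
        score = ctx["confidence"]
        score += {"critical": 40, "high": 25, "low": 0}.get(criticality, 10)
        if len(hits) > 1:
            score += 10          # repeated contact, not a one-off
        if total_out > 1_000_000:
            score += 20          # large egress volume suggests exfil/C2 use

        findings.append({
            "host": host,
            "criticality": criticality,
            "indicator": dst,
            "campaign": ctx["campaign"],
            "ttp": ctx["ttp"],
            "contacts": len(hits),
            "bytes_out": total_out,
            "score": score,
            "priority": "high" if score >= 100 else "low",
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    print("threat data hits:", len(threat_data_hits(EVENTS, THREAT_DATA)))
    for f in threat_intel_findings(EVENTS, THREAT_INTEL, ASSETS):
        print(f"{f['priority']:>4} {f['host']} ({f['criticality']}) -> "
              f"{f['indicator']} {f['ttp']} x{f['contacts']} score={f['score']}")
```

Run stand-alone, the data-only pass returns three undifferentiated matches, while the intelligence pass collapses them into two findings and ranks the critical database host beaconing repeatedly to a high-confidence C2 indicator far above the kiosk touching a low-confidence scanner. That ranking, not the raw match, is what Danielle means by "how am I at risk, what has been affected."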
Understanding conceptually what solid threat intelligence can look like, versus simply threat data, can thus put you a step ahead in evaluating SIEM tools.
This post is based on an episode of The Virtual CISO Podcast, featuring Danielle Russell. To hear the whole episode and check out the many others we have on tap, you can subscribe to The Virtual CISO Podcast here.