The acceleration toward a connected world is making systems and infrastructures more exposed and vulnerable than ever. However, investing in cybersecurity products is only one part of the equation.
To counter evolving cyber threats, enterprises must have a clear understanding of acceptable cybersecurity risk in relation to their infrastructure and critical business operations. They need to better understand their attackers and have a means of qualifying threats that may impact the business based on the intent, tools and techniques that bad actors will use.
“A targeted and consistent approach to security is now essential,” explains Laurent Celerier, CTO at Orange Cyberdefense, who recently joined from the French Ministry of Defense, where he was Head of French Cyber Command. “The world is getting much more complex, and you need to know exactly where the risks are and where to put your resources based on the intelligence you have.”
In general, cybercriminal rings are slick, sophisticated and well-funded operations, using highly targeted techniques. In-house security teams often find it difficult to work out which cyber threats are the most dangerous and prioritize them accordingly. Access to the right threat intelligence can help organizations vastly improve their detection and response capabilities.
Focusing on what really matters
One of threat intelligence’s fundamental benefits is that it allows organizations to identify the weak signals that may herald an attack from the noise in everyday business activities. “Today we define a strategy based on attacks that have happened. In the future, AI will be able to figure out when an attack is likely to happen by finding abnormal correlations in data and trigger an alert,” adds Celerier.
“Threat intelligence has moved beyond simple feeds, and providers are finding themselves providing platforms that help guide organizations, preventing attacks and managing threats over time by keeping historical context in place,” explains Rob Ayoub, Research Director, Security Products at IDC. He believes the market will see very positive growth over the next two years as more organizations understand the significance of threat intelligence in their overall security posture.
To collect information about past, current and impending risks outside the organization, organizations need to work with partners who specialize in collecting and correlating threat intelligence – and map what is happening inside and outside the organization. This intelligence is used to minimize risk, prevent possible threats or minimize the impact of an existing one.
“The next step is processing and exploiting data. For this, organizations need the capacity to deal with gargantuan amounts of data,” says Celerier. “At Orange Cyberdefense, for example, we can deal with more than 200,000 events per second. This is a substantial volume of data, and you need to be able to implement an industrial approach to manage such a huge data flow.”
Then comes analysis. Organizations need access to the right tools, including AI and machine learning, to analyze all this data clearly and identify the weak signals in day-to-day activities. This is paramount, as hackers are sophisticated and attempt to stay under the radar.
The final step is disseminating this intelligence across the organization. “Managing threat intelligence is difficult for many organizations, because they need the right mindset. If they don’t share the intelligence, for example, it will have little or no impact on the organization’s cybersecurity. Everyone in the organization needs to work collectively towards a cybersecurity culture,” adds Celerier.
The issue of false positives
False positive alerts are a key consideration. According to a Ponemon study on the cost of insecure endpoints, on average 55 percent of security alerts organizations receive are considered unreliable and inaccurate. Threat intelligence can help here, because it helps analysts understand alerts. If an IP address flashes up that has been used in an attack previously, the analyst knows there is a good chance the alert will be genuine.
But beyond this step, analysts still don’t know what impact their responses to an alert will make until it happens. Celerier says that in the future, AI will help analysts measure the impact of their decision to isolate part of a network, for example, by assessing the effect it could have on the business before the action is actually carried out.
One step ahead
Cyberattacks are only going to get bigger and hackers more sophisticated, it is therefore essential to adopt their mindset to glean intelligence. According to Celerier: “Our advantage is using the hacker’s DNA. You can’t be efficient against hackers if you are static and adopt a conventional way of thinking. Hackers are highly specialized, small, agile teams, and we need to be the same as them.
“Of course, we would all like there to be no threats out there – but there are, and they are not going away. The only way we can protect against them is starting with the threats – that way we know exactly what we are up against,” he concludes.