Threat Intelligence as-a-Service: As good or better than D-I-Y?

By Avkash Kathiriya

[By Avkash Kathiriya, Senior Vice President, Research and Innovation at Cyware]

There was a time when managed security service providers (MSSPs) were perceived as expensive outsourced options to replace or bolster internal security teams with a one-size-fits-all approach. Fortunately, those days are long gone. Now they offer advanced sets of technologies backed up with in-depth expertise, giving access to sophisticated solutions that customers can’t, or don’t want to, manage themselves. Regarded as trusted, knowledgeable partners, increasingly clients have turned to them for advice to solve emerging security concerns.  Many are already benefiting from a wide range of options including firewalls, vulnerability patching, endpoint security, SIEM and identity management.

More recently MSSPs have started adding advanced detection and response capabilities to their portfolios, as well as threat intelligence as-a-service. Not a moment too soon for those facing a barrage of security alerts and trying to pinpoint which ones pose the greatest risk. According to Gartner, security and risk managers struggle to know what threats constitute genuine concerns for their organisation and lack an accurate view of their own threat landscape.

While threat intelligence holds key indicators to identify and pre-empt attacks, sifting through the bewildering array and volume of data to find them is beyond many security teams, especially in smaller organisations. To make matters worse, the data arrives in all kinds of formats from internal and external feeds, such as reports, articles, emails, pdfs and documents. Attempting to assimilate and turn this information into usable format is a mammoth task in itself.

GuidePoint Security’s senior director of digital forensics and incident response and threat intel, Tony Cook, agrees that managing threat intelligence can overwhelm small and medium-sized security teams, saying it typically requires a level of expertise and complex systems that are only practical for large enterprises with specialised threat intel analysts.

Replacing endless alerts with top priorities

Constantly raising their game to meet evolving requirements, MSSPs have been working to reduce the burden of endless security alerts and false positives, with the ambition of providing targeted and timely remediation advice.  Historically, this has required an ever-growing number of skilled analysts to work through copious volumes of data to assess threats before tailoring responses appropriate to specific environments.  Whereas, today’s modern threat intelligence platforms (TIPs) can eliminate much of this tedious, formerly manual, and error-prone task.

At the outset, aggregation is automatically handled by the TIP ingesting raw data from a myriad of sources. It doesn’t matter whether incoming data is already structured in a machine-readable format or unstructured like documents and texts, it all goes through a normalisation process.  Any duplicates, inconsistencies and redundancy are cleaned up, and each piece of threat information is given relevant attributes and context. The TIP then correlates the enriched data by piecing together what might seem like unconnected factors if viewed in isolation, but can be indicators of multi-faceted attacks. Based on this analysis, the most severe threats are prioritised for further investigation by security analysts. TIPs can also be configured to triage automated responses and remediation actions to suppress threats before they cause further harm.

Instead of trawling through a sea of data and wasting valuable time on false positives, security analysts have access to timely, actionable intelligence to forestall attacks, essential for MSSPs serving clients with diverse security needs.

Cook considers this advanced level of threat intelligence as-a-service will be welcomed enthusiastically by MSSPs, explaining that it will become a crucial part of helping customers detect and mitigate emerging threats and vulnerabilities that could otherwise disrupt or bring down their networks. He adds, “By identifying indicators of compromise before a full-scale attack can occur, businesses can minimise the likelihood of serious security incidents, and the associated financial, operational and reputational damage.”

Well-suited to a shared services model, a TIP also supports integration with a wide range of security tools, helping MSSPs streamline and orchestrate responses. This enables more efficient and consistent threat management processes across all clients, while still ensuring comprehensive protection can be customised to each one’s individual requirements and desired security posture.

Intelligence sharing offers valuable synergies

Cook sees the goal of threat intelligence as helping organisations make better and faster decisions, based on timely analysis and contextual data. He maintains that, “Making this technology available to a wider market, MSSPs can help businesses strengthen cybersecurity, safeguard their assets, and enhance their overall resilience when facing new threats.”

Industry-specific information sharing and analysis centres (ISACs) and other types of sharing hubs have also taken on the mantle of collating and distributing vital threat information to their members. Covering a wide range of industries including financial services, healthcare, energy, manufacturing, education, some communities are also introducing two-way communication so members can quickly feedback real world intelligence to help the wider group.

MSSPs can play their part here too by helping to supply the technical platforms for many of these communities that are keen to receive actionable threat intelligence, as well as contribute information to a collective security model that supports and protects each other.

Can we add, that similar to ISAC, MSSPs can also create their own customer-specific intel-sharing and collaboration community for sharing real-time threat data across MSSP customers using technology like advanced Threat Intel Exchange platform.


No posts to display