Threat intelligence is the new buzzword, and many organizations with serious security budgets find themselves gravitating toward acquiring one or several such subscriptions in an effort to understand the threat landscape. However, operationalizing these new and voluminous sources of information in the context of one's own organization and environment is the emerging challenge. (Also see: 4 Steps Toward Advancing Your Threat Intelligence Program)
"The biggest mistake I see organizations making is that everyone looks outwards for threat intelligence, without looking inwards first," says Scott Crane, Director of Product Management at Arbor Networks. "The greatest source of intelligence [relevant to your organization] comes from what you already have in your environment - that is, taking what you have from your logs and threat events, and understanding what has happened to you."
On operationalizing threat intelligence, Crane feels that people don't fully understand what threat intelligence feeds are. Every vendor out there has some offering today, and not all those offerings are the same. AV vendors, for instance, push forward their AV signatures as threat intelligence - and they are a form of threat intelligence, he says. But only a few niche players offer a proper threat intelligence service, he believes.
"To properly operationalize threat intelligence, you need to look at how you are going to consume it. Some customers have subscribed to 10-12 feeds, and it takes a while to work out what you can get out of these," he says. "You would find in such scenarios that there could be up to a 50 percent overlap in the data - and that's not cost effective." (Also read: Threat Intelligence in Right Context)
One really needs to work out what one wants to get out of the data, he says. The challenges that most people have today are finding the right sources of information, working out how to bring them to bear on the organization's challenges, and then making that happen. (Also listen: How to Consume Threat Intelligence)
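Two of Crane's points above lend themselves to a concrete check: how much overlap there really is between the feeds you pay for, and whether those feeds say anything about what your own logs already show. The script below is an added example, not code from the article or from Arbor Networks; the feed names, indicators and log lines are constructed, and the normalization rules (lower-casing, stripping trailing dots, undoing `[.]` defanging, treating single IPs as /32 networks) are assumptions about how a vendor might format indicators.

```python
"""Measure overlap between threat-intelligence feeds and match the combined
indicator set against local log lines.

Added example (not from the ISMG article or Arbor Networks). Feed names,
indicators and log lines below are constructed for illustration.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample feeds: raw indicator strings as three hypothetical
# vendors might deliver them (mixed case, trailing dots, defanged, CIDR).
FEEDS = {
    "feed_a": ["198.51.100.7", "bad-domain.example.", "203.0.113.0/29", "EVIL.EXAMPLE"],
    "feed_b": ["198.51.100.7", "evil.example", "203.0.113.0/29", "198.51.100.9"],
    "feed_c": ["bad-domain[.]example", "198.51.100.9", "203[.]0[.]113[.]4"],
}

# Constructed sample log lines (firewall and DNS resolver style).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw allow src=10.0.0.5 dst=203.0.113.4 dport=443",
    "2024-05-01T10:00:02Z dns query=evil.example client=10.0.0.7",
    "2024-05-01T10:00:03Z fw allow src=10.0.0.8 dst=192.0.2.10 dport=80",
    "2024-05-01T10:00:04Z dns query=www.example.org client=10.0.0.9",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"query=([\w.-]+)")


def normalize(indicator):
    """Canonicalize one indicator so the same IoC written differently
    de-duplicates: ('ip', IPv4Network) or ('domain', str)."""
    s = indicator.strip().lower().replace("[.]", ".").rstrip(".")
    try:
        return ("ip", ipaddress.ip_network(s, strict=False))  # host IP -> /32
    except ValueError:
        return ("domain", s)


def load_feeds(feeds):
    """Map feed name -> set of normalized indicators."""
    return {name: {normalize(i) for i in raw} for name, raw in feeds.items()}


def pairwise_overlap(sets):
    """Jaccard overlap |A & B| / |A | B| for every pair of feeds."""
    result = {}
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        result[(a, b)] = len(sets[a] & sets[b]) / len(union) if union else 0.0
    return result


def redundancy(sets):
    """Fraction of all indicator lines you receive that duplicate another feed."""
    total = sum(len(s) for s in sets.values())
    unique = len(set().union(*sets.values()))
    return 1 - unique / total if total else 0.0


def match_logs(sets, lines):
    """Return (line_no, observed_value, matched_indicator, [feeds]) for every
    log field that falls on an indicator. IPs are matched by network
    membership, so a /29 from one feed also covers a /32 from another."""
    sources = {}  # indicator -> feeds carrying it: shows which subscription paid off
    for name, s in sets.items():
        for ind in s:
            sources.setdefault(ind, set()).add(name)
    networks = sorted((ind for ind in sources if ind[0] == "ip"), key=lambda i: str(i[1]))
    hits = []
    for n, line in enumerate(lines):
        for ip in IP_RE.findall(line):
            addr = ipaddress.ip_address(ip)
            for kind, net in networks:
                if addr in net:
                    hits.append((n, ip, str(net), sorted(sources[(kind, net)])))
        for dom in DOMAIN_RE.findall(line):
            key = ("domain", dom.lower().rstrip("."))
            if key in sources:
                hits.append((n, dom, key[1], sorted(sources[key])))
    return hits


if __name__ == "__main__":
    sets = load_feeds(FEEDS)
    print(f"redundant indicator lines: {redundancy(sets):.0%}")
    for pair, j in pairwise_overlap(sets).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {j:.2f}")
    for hit in match_logs(sets, LOG_LINES):
        print("hit:", hit)
```

Exact-match overlap understates redundancy when one feed publishes a network and another a single host inside it (feed_a's `203.0.113.0/29` versus feed_c's `203.0.113.4`), which is why `match_logs` tests membership rather than equality; run against a day of real firewall and resolver logs, the `[feeds]` column of each hit is the evidence for which subscriptions are actually earning their keep.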
In this exclusive audio interview with ISMG, Crane speaks about threat feeds and the challenges in understanding, contextualizing and operationalizing them. He also shares insight on:
- The latest in threat intelligence analytics;
- Research on some of the biggest sources of data on traffic and attack trends;
- DDoS challenges in Asia, and some recommendations to mitigate them.
Crane is the Director of Product Management (Big Data) at Arbor Networks and is involved in enabling its real-time global threat intelligence services. He was the CEO of Packetloop, a cloud-based big data security analytics and analysis platform, before its acquisition by Arbor Networks in 2013. Crane has extensive experience in perimeter security architecture and implementation, having spent the majority of his 20-year IT and security career designing and implementing banking perimeters in Australia and Asia.