- Use Cases
In the first part of this series, “How To Understand Impact Through Asset Management and Threat Intelligence,” we discussed cyber asset intelligence and how it, combined with threat intelligence, serves to inform cyber asset management which, in turn, informs vulnerability and threat management.
In this second part, we will dive into what constitutes “intelligence” — asset or threat — and look at how to start building the foundations for an enterprise risk program.
The #1 challenge organizations have with both asset management and threat intelligence is getting to the right data. With the plethora of technology deployed in organizations’ IT ecosystems, plus the proliferation of external applications used by the business every day, most organizations, and thus IT, operations, and security teams, deal with (sometimes demoralizing) data overload.
Data overload can lead to mistakes, missed opportunities to follow up on a critical finding, and staff burnout. This is why identifying true intelligence — intelligence that has context, is relevant, and can be acted upon — is crucial to threat and risk management. Intelligence can help analysts pinpoint which assets or issues need prioritization and assist with swift remediation. Vulnerable and/or affected assets are always at the root of every threat, so having asset intelligence in addition to more general threat intelligence is imperative.
Many organizations are challenged by existing threat intelligence tools because they:
This is not to say that all threat intelligence sources are problematic. There are several excellent options in the market, but buyers must dig deep to identify the sources that can deliver actionable, timely, and contextual intelligence, which can be used to prioritize triage, shrink the attack surface, and minimize risk.
The same situation exists with vendors that promise data and information about assets. In particular, many IT and security tools vendors will say their solution starts with “visibility into everything communicating on your network.” However,
To ensure the right tools are in place and provide actual intelligence, organizations need to answer the following questions:
To be effective, intelligence solutions — threat, cyber asset, or otherwise — must include:
Identifying the right data is the first step in being able to effectively manage assets and asset risk and shrink the attack surface.
Baselines allow security and risk teams to understand what’s operationally normal. From assets present on the network to traffic patterns, access requests, and more, baselines establish what’s normal and expected. As a result, when something on the network is behaving outside the norm, analysts, operators, and admins can quickly identify the problem and react.
Correlation, once again, is a key element. To establish a baseline, organizations must incorporate historical data from technologies such as network security monitoring (e.g., a SIEM, traffic analysis, intrusion detection and prevention, firewalls), endpoint security, vulnerability scanners, cloud security, data security, web security, email security, identity and access management, and more. However, since all these tools provide their own set of data, it’s best to get a consolidated view with a normalized output.
But historical data from internal sources alone is not enough. Historical and forward-looking external intelligence, such as what can be gleaned from open source intelligence (OSINT) — dark web forums and chat rooms, public information about compromised accounts and vulnerabilities (CVE, HaveIBeenPwned, etc.) — as well as DNS data, digital risk protection data, etc. must be incorporated. It’s the combination of sources and the ability to establish both relevance and timeliness based on context that matters in the intelligence process. Further, cyber asset intelligence as an input to threat intelligence allows for the most effective cyber asset management and, in turn, the greatest threat and risk mitigation approach.