In the first part of this series, “How To Understand Impact Through Asset Management and Threat Intelligence,” we discussed cyber asset intelligence and how it, combined with threat intelligence, serves to inform cyber asset management which, in turn, informs vulnerability and threat management.
In this second part, we will dive into what constitutes “intelligence” — asset or threat — and look at how to start building the foundations for an enterprise risk program.
The #1 challenge organizations have with both asset management and threat intelligence is getting to the right data. With the plethora of technology deployed in organizations’ IT ecosystems, plus the proliferation of external applications used by the business every day, most organizations, and thus IT, operations, and security teams, deal with (sometimes demoralizing) data overload.
What data do you need and how do you get it?
Data overload can lead to mistakes, missed opportunities to follow up on a critical finding, and staff burnout. This is why identifying true intelligence — intelligence that has context, is relevant, and can be acted upon — is crucial to threat and risk management. Intelligence can help analysts pinpoint which assets or issues need prioritization and assist with swift remediation. Vulnerable and/or affected assets are always at the root of every threat, so having asset intelligence in addition to more general threat intelligence is imperative.
Many organizations are challenged by existing threat intelligence tools because they:
- Proffer too much data in an effort be “comprehensive”
- Lack sufficient prioritization and operationalization
- Require too much manual intervention, leading to delays in enforcement action
This is not to say that all threat intelligence sources are problematic. There are several excellent options in the market, but buyers must dig deep to identify the sources that can deliver actionable, timely, and contextual intelligence, which can be used to prioritize triage, shrink the attack surface, and minimize risk.
The same situation exists with vendors that promise data and information about assets. In particular, many IT and security tools vendors will say their solution starts with “visibility into everything communicating on your network.” However,
- Agent-based tools, due to their deployment, result in blind spots
- Tools built for the cloud cannot identify on-premises assets
- Tools deployed at TAPS or ports will have similar blind spot issues
- Scanning tools will only find assets when they’re operational
- Tools focused on one layer, (e.g., network traffic analyzers) cannot see assets communicating at other layers of the OSi stack
- Many vendors lack the ability to correlate and normalize data and therefore don’t reduce “noise”
- Many tools lack the ability to effectively de-duplicate assets, again creating a “noise” problem
- “Data enrichment” for many tools is limited to one or two sources, meaning, context is limited, leading to suboptimal intelligence about the asset and/or threat surface
To ensure the right tools are in place and provide actual intelligence, organizations need to answer the following questions:
- What data sources do we need? How do we put them in place?
- How do we correlate, normalize, and make sense of data to turn it into intelligence?
To be effective, intelligence solutions — threat, cyber asset, or otherwise — must include:
- Data from multiple sources and source types
- Internal and external telemetry
- OSINT, SIGINT, HUMINT
- Data that is useful at various levels across the organization
- Strategic, tactical, technical, operational
- An advanced correlation and normalization engine
- Provides a consolidated and trustworthy point of view
- A prioritization engine
- Allows analysts/admins to assess business-relevant criticality
- The ability to query the data
- Allows analysts/admins to dig into details of the intelligence
The Importance of Building a Baseline
Identifying the right data is the first step in being able to effectively manage assets and asset risk and shrink the attack surface.
Why are baselines so important?
Baselines allow security and risk teams to understand what’s operationally normal. From assets present on the network to traffic patterns, access requests, and more, baselines establish what’s normal and expected. As a result, when something on the network is behaving outside the norm, analysts, operators, and admins can quickly identify the problem and react.
How do teams establish a baseline?
Correlation, once again, is a key element. To establish a baseline, organizations must incorporate historical data from technologies such as network security monitoring (e.g., a SIEM, traffic analysis, intrusion detection and prevention, firewalls), endpoint security, vulnerability scanners, cloud security, data security, web security, email security, identity and access management, and more. However, since all these tools provide their own set of data, it’s best to get a consolidated view with a normalized output.
But historical data from internal sources alone is not enough. Historical and forward-looking external intelligence, such as what can be gleaned from open source intelligence (OSINT) — dark web forums and chat rooms, public information about compromised accounts and vulnerabilities (CVE, HaveIBeenPwned, etc.) — as well as DNS data, digital risk protection data, etc. must be incorporated. It’s the combination of sources and the ability to establish both relevance and timeliness based on context that matters in the intelligence process. Further, cyber asset intelligence as an input to threat intelligence allows for the most effective cyber asset management and, in turn, the greatest threat and risk mitigation approach.
