It sure is a difficult time to be a network defender. According to one industry report, as many as 85,000 malicious websites are launched daily, along with 8 million spam and phishing attacks; and, there are anywhere from 30-50 million malicious domains out there at any time. Scale seems to be working against us, not for us.
Even with the inclusion of security automation, we face parochialism in our tools. The automated feed of threat data that allows our firewalls and IPS/IDS systems to operate effectively is typically isolated from our endpoint detection and response systems. Indeed, while there may be some overlap between them, we often don’t know where one system may be missing a piece of threat intelligence that another has covered.
Threat intelligence gateways (TIGs) have emerged as one way to meet these challenges – but it’s important to build a solid business case for investing in one.
Proliferating Threat Intelligence Sources
For years, the virus-scanning industry competed based upon who had the best inventory of viruses out there. Then in 2004, the beginnings of what is now VirusTotal were launched, which allowed malware prevention vendors to share signatures, malicious URLs and virus samples. The entire nature of how they competed changed.
Then, in early 2017, the Cyber Threat Alliance announced its formal incorporation as a non-profit. Like VirusTotal before, the companies that joined allowed each other access to their threat-intelligence data. This gives customers of these companies the assurance they are getting the best possible threat-intelligence data, regardless of which product set they choose. Further, it changes once again the business model for cyber-threat companies: Threat data is no longer necessarily a competitive advantage in the marketplace.
Meanwhile, Information Sharing and Analysis Centers (ISACs) are also a part of the full tableau of threat-intelligence sources, which can include commercial, open-source and government sources.
All of this is good news. However, with so many sources of threat intelligence, it’s necessary to consider how to scale them to complement your threat intel team. Blocking these threat actors may seem like an easy task; however, organizing intelligence feeds and integrating various security devices to do so is rather difficult, especially for the enterprise.
According to a 2018 study conducted by the Ponemon Institute, a full 67 percent of IT and security professionals spend more than 50 hours per week on threat investigations, instead of efficiently using security resources and sharing threat intelligence.
Enter the TIG
Gartner analysts in 2017 began writing about TIGs, a next-generation technology: stand-alone appliances that aggregate a large number of threat-indicator feeds to block activity on the wire in real time. These bring together not just indicators of compromise (IoCs), but also contextual information like tactics, techniques and procedures (TTPs) and attack surface details.
In large organizations, TIGs can immensely alleviate data management and help operationalize threat intelligence by:
- Consuming intelligence from the source, rather than integrating different types of threat intelligence into the security infrastructure.
- Providing simple policy management that doesn’t consume network resources and cycles and adheres to threat-intelligence remediation rules.
- Assisting the enterprise at a low cost so it can allocate resources to other business operations.
A TIG isn’t for every company, however; it’s important to determine if there’s a business case given your other resources. To do this, many organizations use a framework, such as the Factor Analysis of Information Risk (FAIR) model, to determine the usefulness of a TIG within the context of one’s existing threat intelligence approaches:
- Technology cost reduction – are you going to decommission another tool (or tools) in favor of this one? These are direct saves that can help a security department justify a new expenditure.
- Work effort/cost reduction – how many staff hours will be saved when this tool is purchased? This shouldn’t be a headcount reduction discussion; indeed, you likely have far too much security work to do already. Instead, this should be focused on the reallocation of hours towards another, higher-risk pool of work. You only have about 2,000 hours of work per year per person, so allocate them carefully.
- Loss avoidance – this is where a FAIR analysis can provide the third leg of the cyber-business-case stool. Calculating the risk reduction in economic impact, in dollars, provides an even stronger business case. If you can show that you will catch an additional 5, 10, 50, or 100 threat events daily with this new tool, thereby stretching out losses from once every other year to once in five or ten years, you are showing a quantitative efficiency. Further, this could reduce risk (annualized loss exposure, in FAIR terms) by many hundreds of thousands of dollars.
The specifics for your organization will vary, but an approach like this is very helpful in determining whether a TIG can help you harness threat intelligence sources effectively in a way that makes business sense.
A Word on Purchase Justification
As with most purchases, it can be difficult to justify a new expense in a network already overcrowded with security technologies. One approach that can be helpful in justifying this, or other security investments, is to analyze the acquisition using a loss avoidance approach.
When investing in new security technologies, it is rare to be able to demonstrate a real return on investment (ROI), at least in the sense that ROI is treated in the financial services business. In other words, you won’t receive money in the corporate coffers as a result of increased security (with rare exceptions). Instead, there is a clear economic benefit in terms of “loss avoidance.” If we think about risk in terms of two factors (how often cyber-related losses occur and when they do, how much it will cost your organization), this can focus a business case on factors that can help non-IT decision makers make a better assessment of a solution’s importance.
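The following is an added worked example of the business case described above; it is not code from the article, from RiskLens or from the FAIR standard. It models the three legs (technology cost reduction, work effort reduction and loss avoidance) and treats risk as the two factors named in this section: how often loss events occur and how much each costs. The frequency change (once every other year to once in five years) follows the article; every dollar figure, hourly rate and hour count is a constructed placeholder, and the `simulate_ale` function shows the FAIR habit of working with ranges rather than point estimates.

```python
"""FAIR-style business case for a threat intelligence gateway (TIG).

Added example, not from the article or RiskLens. All dollar figures,
hours and rates below are constructed placeholders.
"""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario: how often it happens and what it costs."""
    loss_event_frequency: float   # expected loss events per year
    loss_magnitude: float         # expected cost per loss event, in dollars

    def annualized_loss_exposure(self) -> float:
        # ALE = loss event frequency x loss magnitude (expected values)
        return self.loss_event_frequency * self.loss_magnitude


@dataclass(frozen=True)
class TigBusinessCase:
    annual_tool_cost: float            # yearly cost of the TIG itself
    decommissioned_tool_costs: tuple   # yearly cost of each tool it replaces
    hours_saved_per_year: float        # analyst hours the TIG frees up
    loaded_hourly_rate: float          # fully loaded cost of one analyst hour
    before: RiskScenario               # risk without the TIG
    after: RiskScenario                # risk with the TIG

    def technology_cost_reduction(self) -> float:
        # Leg 1: direct savings from tools that are decommissioned
        return float(sum(self.decommissioned_tool_costs))

    def work_effort_reduction(self) -> float:
        # Leg 2: hours reallocated to higher-risk work, valued at the loaded
        # rate so that all three legs are expressed in dollars
        return self.hours_saved_per_year * self.loaded_hourly_rate

    def loss_avoidance(self) -> float:
        # Leg 3: reduction in annualized loss exposure
        return (self.before.annualized_loss_exposure()
                - self.after.annualized_loss_exposure())

    def net_annual_benefit(self) -> float:
        return (self.technology_cost_reduction()
                + self.work_effort_reduction()
                + self.loss_avoidance()
                - self.annual_tool_cost)


def example_case() -> TigBusinessCase:
    """Constructed inputs; only the frequency change follows the article."""
    return TigBusinessCase(
        annual_tool_cost=150_000.0,
        decommissioned_tool_costs=(40_000.0, 25_000.0),
        hours_saved_per_year=1_000.0,
        loaded_hourly_rate=95.0,
        # once every other year -> 0.5 events/year (article's "before")
        before=RiskScenario(loss_event_frequency=0.5, loss_magnitude=400_000.0),
        # once in five years -> 0.2 events/year (article's "after")
        after=RiskScenario(loss_event_frequency=0.2, loss_magnitude=400_000.0),
    )


def simulate_ale(freq_range, magnitude_range, samples=20_000, seed=7):
    """Monte Carlo ALE from (min, most likely, max) triangular inputs.

    Returns (mean annual loss, 90th percentile annual loss). Point
    estimates hide how wide the loss distribution is; the percentile
    gives decision makers a "reasonable worst year" figure.
    """
    rng = random.Random(seed)
    f_low, f_mode, f_high = freq_range
    m_low, m_mode, m_high = magnitude_range
    losses = []
    for _ in range(samples):
        freq = rng.triangular(f_low, f_high, f_mode)      # events per year
        magnitude = rng.triangular(m_low, m_high, m_mode)  # dollars per event
        losses.append(freq * magnitude)
    losses.sort()
    p90 = losses[int(0.9 * (samples - 1))]
    return statistics.fmean(losses), p90


if __name__ == "__main__":
    case = example_case()
    print(f"technology cost reduction: ${case.technology_cost_reduction():,.0f}")
    print(f"work effort reduction:     ${case.work_effort_reduction():,.0f}")
    print(f"loss avoidance:            ${case.loss_avoidance():,.0f}")
    print(f"net annual benefit:        ${case.net_annual_benefit():,.0f}")
    mean, p90 = simulate_ale((0.3, 0.5, 1.0), (150_000, 400_000, 900_000))
    print(f"simulated ALE mean ${mean:,.0f}, 90th percentile ${p90:,.0f}")
```

With the constructed inputs the ALE drops from $200,000 to $80,000, so loss avoidance is $120,000 a year; together with $65,000 of decommissioned tooling and $95,000 of reallocated analyst time, the case clears the $150,000 tool cost by $130,000. The two-factor view matters because each factor can be challenged separately: a non-IT decision maker can ask how the frequency estimate was derived (detection rate, feed coverage) independently of how the per-event magnitude was estimated.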
Jack Freund is director of risk science at RiskLens, former director of cyber-risk at TIAA and co-author of the FAIR standard.