In cyber security, intelligence is king: intel about known-malicious files, intel about the reputation of this IP block or that specific IP address, or some URL. Security vendors pride themselves on the size of their threat databases, and that size has featured in just about every vendor presentation created in the past 10 years. That's not to say this is a bad thing; that data is tremendously valuable to every organization with the means to leverage it. One of my favorite sayings is “He who has the most data doesn’t always win, but he loses less often.”
While all threat intel may be valuable, not all threat intelligence has the SAME value. Some feeds provide very basic information, which allows you to filter out the background noise of the internet: script kiddies and the loud public botnets. These are publicly available online – abuse.ch, for example. The next level of intel comes from a more specific security context, such as your firewall or IPS vendor. The events generated by a class of security solutions are further focused by the way in which those solutions are intended to be used. This is the level of threat intel that the vast majority of enterprises are using.
Some organizations – banks, as one example – are constantly targeted. As a defense, there are a number of industry-specific working groups that share threat intelligence among members who are often direct competitors. This intel can include specific malware, indicators of compromise, techniques, and more.
Putting all of these types of threat information together, seasoning them with in-house knowledge of what attacks you are actually seeing and what assets you actually have, and then comparing that against a risk assessment generates the most actionable form of threat intel: intel that is specific to your company.
The threat intel at the top of the pyramid is highly specific to your organization, and less likely to be relevant to others. It is also the most likely to create a significant impact to the business.
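One way to turn the tiers described above into an organization-specific priority list, as an added example (this is illustration code, not Baffin Bay Networks' product or code): constructed feed entries, asset criticalities and firewall log lines are scored so that an indicator observed hitting a critical in-house asset outranks one known only from a public feed. The tier weights, the asset criticality scale and the key=value log format are assumptions made for the example.

```python
"""Rank indicators by how specific they are to *this* organization:
public feed < vendor feed < industry sharing group < in-house sightings
against known assets. All data below is constructed for illustration."""
from collections import defaultdict

# Assumed weight per source tier, following the post's pyramid.
TIER_WEIGHT = {"public": 1, "vendor": 2, "industry": 4}

# Constructed feed entries: (indicator, source tier).
FEEDS = [
    ("198.51.100.7", "public"),
    ("198.51.100.7", "vendor"),
    ("203.0.113.9", "industry"),
    ("192.0.2.44", "public"),
]

# Constructed asset inventory: internal host -> business criticality (1-5).
ASSETS = {"10.0.0.5": 5, "10.0.0.20": 2}

# Constructed firewall log lines in an assumed "key=value" format.
LOGS = [
    "src=198.51.100.7 dst=10.0.0.5 action=deny",
    "src=198.51.100.7 dst=10.0.0.5 action=allow",
    "src=192.0.2.44 dst=10.0.0.20 action=deny",
]

def parse_log(line):
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def score_indicators(feeds, logs, assets):
    """Return {indicator: score}; higher means more actionable for us."""
    scores = defaultdict(int)
    for ioc, tier in feeds:            # external context: breadth of feeds
        scores[ioc] += TIER_WEIGHT[tier]
    for line in logs:                  # in-house sightings against our assets
        ev = parse_log(line)
        src, dst = ev["src"], ev["dst"]
        if src in scores and dst in assets:
            # Seen hitting one of our assets: scale by criticality, and an
            # allowed connection weighs more than a blocked probe.
            scores[src] += assets[dst] * (3 if ev["action"] == "allow" else 1)
    return dict(scores)

def prioritised(feeds, logs, assets):
    """Indicators sorted most actionable first."""
    s = score_indicators(feeds, logs, assets)
    return sorted(s, key=lambda i: s[i], reverse=True)
```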
Nearly all security products have adapted to the need to get the threat intel they generate out, whether via simple syslog or through an XML API. However, fewer security solutions give you the ability to bring your own intel (BYOI) into the system in a way that is actionable.
BYOI is something we take seriously at Baffin Bay Networks. We see that there is a need, particularly where our product sits – on the outside of your network – to be able to proactively ingest and take action on your threat intelligence.
Furthermore, taking the alerts we generate and allowing those to be fed back into your company's intel provides insight into what kinds of threats you should be prepared for with your on-prem equipment. Cloud-based security solutions will often try to function as ‘magic boxes’: no data in or out. “It just works!” Yes, you can use our solutions without ever opening the custom threat feed screen or exporting a single log back to your SIEM; our automated intelligence and super cyber crime fighting robots will have your back. For those of you with high risk profiles and the desire to block ‘bad stuff’ as far away from your assets as possible, you are welcome to bring your own intelligence.
By: James Tucker, Director of System Engineering