Over the last few years, we’ve seen quite an uptick in new cyberthreat intelligence (CTI) solutions promising to help combat the steady rise in ransomware attacks. If you’re not familiar with them, CTI solutions collect publicly available cyberthreat data from across the globe, package it, and sell it to large enterprises looking for a better way to defend against potential cyberattacks.
For their part, enterprises pay a monthly subscription to these intelligence feeds in the hopes that their internal security teams can analyze the information in the context of their own IT environments. A steady stream of intelligence data, combined with a team of skilled security analysts, would allow organizations to more effectively guard their networks from the recent surge in ransomware attacks, as well as other cyberthreats. To learn more, download our free eBook “Avoiding the Ransomware Trap”.
Intelligence Is Only as Good as Your Ability to Use It
The challenge for most businesses, however, is the effort and resources it takes to analyze the enormous volume of intelligence data effectively enough to stop potential threats before they grow into something bigger. With thousands of data sources and billions of indicators of compromise (IoCs) feeding these CTI solutions, the enterprise IT teams tasked with making use of them are simply overwhelmed. So much so that most firms only use the data to educate themselves on the latest threats or to take corrective action after an incident occurs. And the prevailing wisdom is to subscribe to more than one CTI service, which only adds to the volume (and the duplication) without solving the problem.
Choosing Between Zero Threats & Network Performance
Another challenge businesses face is that matching billions of IoCs against incoming network traffic in real time can seriously drain network performance. Security teams prefer to err on the side of caution and block, or at least inspect, suspicious traffic; their peers on the network team are less willing to do so for fear of degrading network performance over low-level threats, even though those threats might contribute to a breach. The give-and-take between these two teams and their conflicting goals routinely undermines the utility of a CTI solution.
Formal Definition of Cyber Threat Intelligence
Cyber threat intelligence (CTI) is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information. (Source: Center for Internet Security)
Transitioning from Threat Intelligence to ThreatOps
It’s clear that while two generations of threat intelligence solutions have unleashed an unprecedented view into the endless stream of cyberthreats, they have also exposed the scalability challenge of analyzing billions of threat indicators. What we need is a way to enable organizations to make use of all of the intelligence available to them, so they can adequately protect themselves. Asking overworked security teams to add this level of data inspection and analysis is, quite frankly, unfair.
Overcoming this fundamental scalability challenge means that we’re going to have to transition from threat intelligence to threat operations. We’re defining ThreatOps as the process of automatically shielding the organization against all known threats in real-time, while having experienced threat hunters available to analyze potential threats. Doing so will ensure that even the most innocuous threats are eliminated just as efficiently as the most dangerous ones.
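To make the two ideas above concrete, here is a small Python example of what "operationalizing" a feed looks like: the indicators are normalized once into hash-based lookup tables (so a record costs a handful of probes no matter how many indicators are loaded, which addresses the performance worry from the previous section), duplicate indicators from overlapping feeds collapse to their highest confidence, and each hit is either blocked automatically or queued for a threat hunter depending on its confidence. This is an added example, not code from the original post or from CleanINTERNET; the feed records, the key=value log format, the log lines, the confidence scores and the block threshold of 80 are all constructed assumptions.

```python
"""Operationalising a threat-intelligence feed against network/proxy logs.

Indicators are indexed once; every log record is then checked with a few
dict/set probes. High-confidence hits are blocked automatically, low-confidence
hits are routed to a human hunter, everything else is allowed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample feed (documentation-range addresses, not real indicators).
# Two feeds list the same IP with different confidence to show de-duplication.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 95, "source": "feedA"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 60, "source": "feedB"},
    {"type": "cidr", "value": "198.51.100.0/24", "confidence": 40, "source": "feedB"},
    {"type": "domain", "value": "bad.example", "confidence": 90, "source": "feedA"},
    {"type": "sha256", "value": "a" * 64, "confidence": 99, "source": "feedA"},
]

# Constructed log lines in an assumed key=value format.
LOGS = [
    "ts=1 src=10.0.0.5 dst=203.0.113.7",
    "ts=2 src=10.0.0.6 dst=198.51.100.25 host=cdn.example",
    "ts=3 src=10.0.0.7 dst=192.0.2.10 host=login.bad.example",
    "ts=4 src=10.0.0.8 dst=192.0.2.11 sha256=" + "a" * 64,
    "ts=5 src=10.0.0.9 dst=192.0.2.12 host=good.example",
]

BLOCK_THRESHOLD = 80  # assumed policy: auto-block at >= 80, otherwise hand to a hunter


class IndicatorIndex:
    """Merges overlapping feeds and answers lookups in near-constant time."""

    def __init__(self, feed):
        self.ips = {}        # "a.b.c.d" -> confidence
        self.domains = {}    # "bad.example" -> confidence
        self.hashes = {}     # sha256 hex -> confidence
        self.cidrs = defaultdict(dict)  # prefixlen -> {network as int: confidence}
        for ind in feed:
            self._add(ind["type"], ind["value"], ind["confidence"])

    def _add(self, kind, value, conf):
        if kind == "ipv4":
            table, key = self.ips, value
        elif kind == "cidr":
            net = ipaddress.ip_network(value, strict=False)
            table, key = self.cidrs[net.prefixlen], int(net.network_address)
        elif kind == "domain":
            table, key = self.domains, value.lower().rstrip(".")
        elif kind == "sha256":
            table, key = self.hashes, value.lower()
        else:
            return  # unknown indicator type: skip it rather than stall the pipeline
        # The same indicator from several feeds keeps only its highest confidence.
        table[key] = max(conf, table.get(key, 0))

    def lookup_ip(self, ip):
        if ip in self.ips:
            return ("ipv4", ip, self.ips[ip])
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return None  # IPv4-only for brevity
        # One dict probe per distinct prefix length, longest prefix first,
        # instead of a linear scan over every CIDR in the feed.
        for plen in sorted(self.cidrs, reverse=True):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            net = int(addr) & mask
            if net in self.cidrs[plen]:
                return ("cidr", f"{ipaddress.ip_address(net)}/{plen}", self.cidrs[plen][net])
        return None

    def lookup_domain(self, host):
        labels = host.lower().rstrip(".").split(".")
        # Walk up the name so a listed parent domain also catches its subdomains;
        # stop before the bare TLD.
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in self.domains:
                return ("domain", cand, self.domains[cand])
        return None

    def lookup_hash(self, digest):
        digest = digest.lower()
        return ("sha256", digest, self.hashes[digest]) if digest in self.hashes else None


def parse_line(line):
    return dict(kv.split("=", 1) for kv in line.split())


def triage(index, line, threshold=BLOCK_THRESHOLD):
    """Return the decision for one log record: allow, block, or hunt."""
    rec = parse_line(line)
    hits = []
    if "dst" in rec:
        hits.append(index.lookup_ip(rec["dst"]))
    if "host" in rec:
        hits.append(index.lookup_domain(rec["host"]))
    if "sha256" in rec:
        hits.append(index.lookup_hash(rec["sha256"]))
    hits = [h for h in hits if h]
    if not hits:
        return {"ts": rec.get("ts"), "action": "allow", "indicator": None, "confidence": 0}
    kind, value, conf = max(hits, key=lambda h: h[2])
    action = "block" if conf >= threshold else "hunt"
    return {"ts": rec.get("ts"), "action": action, "indicator": f"{kind}:{value}", "confidence": conf}


def run(index, lines):
    return [triage(index, ln) for ln in lines]


if __name__ == "__main__":
    for decision in run(IndicatorIndex(FEED), LOGS):
        print(decision)
```

The point of the structure is that the cost per record depends on the number of lookup types (and distinct CIDR prefix lengths), not on the number of indicators, which is what lets an inline control keep up with traffic. The "hunt" outcome is where the experienced analysts come in: the low-confidence /24 hit is neither dropped on the floor nor blocked blindly.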
By evolving from traditional threat intelligence to ThreatOps, we can overcome the limitations of traditional CTI solutions. Instead of overwhelming security teams with more data than they can handle, an effective ThreatOps solution will systematically shield against all known threats while also providing a better defense against evolving and zero-day threats.
ThreatOps is the process of operationalizing threat intelligence to shield against all known and emerging attacks.
This is how we designed our CleanINTERNET solution. If you’re looking for a better way to use threat intelligence data from any CTI vendor, check us out.
We can show you how we’ve helped organizations like yours automatically shield 99% of globally-mapped threats identified by the threat intelligence community.