How to make cyber security intelligence-driven for a more proactive cyber defence
By Nick Ismail
In this article, four experts explain how to make cyber security intelligence-driven and, in turn, create a more proactive cyber defence For to long, cyber security has been reactive — a panicked response to an inevitable breach.
But, cyber security best practice is changing. The industry is moving from a reactive to a proactive state, by making cyber security intelligence-driven.
Below, four experts explore how to make cyber security intelligence-driven and ensure that organisations are deploying a proactive cyber defence.
The intelligence-driven challenge
Jeff Williams, co-founder and CTO at Contrast Security, explains that “establishing a fast feedback loop from the operations environment back into development is critical”.
But, the challenge, he says, “is gathering threat intelligence that is instant and highly accurate. Historically, the scan and firewall “outside-in” approach generates an overwhelming amount of false positives that buries and devalues the real attack data.
“Generally, an instrumentation-based “inside-out” approach has more context and improves the signal-to-noise ratio significantly. Of course, simply gathering better data isn’t enough, it has to get to the people that need it through the tools they are already using. These integrations are key to an intelligence-driven security organisation.”
The security and operations centre
Alex Hinchliffe, threat intelligence analyst at Unit 42 (Palo Alto Networks) shares Williams’ view. There is a wealth of threat intelligence available, but the challenge is how to take these insights and apply them successfully.
As a solution, Hinchliffe suggests that “feeding intelligence into a security operations centre (SOC) can drive threat detection and response more aggressively. A SOC can empower analysts to do threat hunting and find more indications of a breach or discover how it has moved laterally and is compromising more hosts”.
But, he warns, “taking an intelligent-driven approach can mean analysts drown in threat data; an average enterprise can deal with 174,000 alerts per week.”
To cope with this impossible volume of data, defining a team’s threat analytic skills is key. “But, even more essential is how their work is augmented by automation that resolves routine alerts and prioritises more complex alerts for skilled human intervention,” he continues.
“Augmenting human threat intelligence can go further. There’s a growing library of cyber security playbooks on threats, and exploits that can handle threat detection and response automatically, so you don’t have humans having to do it all the time. With the scale and speed of threats, we must accept and welcome how the core of cyber security is going to use more threat intelligence automation to beat our adversaries.”
The right tools
Intelligence-driven cyber security allows organisations to be more proactive in their cyber defence, “but they need the right tools to examine the gathered intelligence,” according to professor Kevin Curran, senior IEEE member and professor of cyber security at Ulster University.
“The tools must be able to interact with data derived from software, hardware, SIEM logs, OSINT, end-points, IoT devices, networks, intrusion detection and so forth.”
Machine learning and data science
Curran continues that machine learning and data mining have a significant role in the success of security tools, “as humans cannot possibly cope with the large number of signals — adding complexity is the dynamic change of cyber threats, and the severe imbalanced classes of normal and anomalous behaviours”.
He adds: “As a result of the constantly evolving threat landscape, building static defence systems for discovered attacks is not enough to protect users. This is where intelligence-driven cybersecurity can assist greatly.
“Machine learning can discover the embedded and lurking cyber intrusions and cyber intrusion techniques, so that security teams can deploy more reliable infrastructure to counteract 21st century cyber-attacks. That said, these machine learning techniques must be adaptive and self-learning in complex and challenging network traffic, to preserve accuracy and keep a low false acceptance rate.”
From reactive to proactive
Making cyber security intelligence-driven will help security teams move from a reactive condition to one that is proactive, by raising awareness of the threats before an attack.
According to Andy Ash, head of Operations at Netacea, this process “should be as automated as possible to derive the maximum benefit”.
“A good example is the threat of bots that attack websites and applications. A real-time threat feed is the key to quickly identifying and stopping unwanted bot activity as they attempt to break into accounts or harvest intellectual property. Intelligence enables the business to block an attack from the start rather than having to react after the damage is done.”