It's safe to say that the days of relying on signature-based security solutions as a network's primary defense against emerging threats is long behind us. If 2016 has shown us anything about what to expect in the years ahead, it's that cybercriminals are becoming increasingly sophisticated and cunning in their ability to bypass signature-based threat prevention systems. Now, many network and infrastructure security vendors are promoting their cyberthreat intelligence organizations and services as the next evolution in infrastructure security.
So what exactly is cyber threat intelligence (CTI), and more importantly, where can you integrate it in your network?
Generally speaking, threat intelligence groups are formed by infrastructure vendors, government entities or open source communities. The goal of these groups is to proactively identify emerging threats before they become a global menace. While it's nice to know that there are groups actively looking for the next big virus outbreak or ransomware scheme, threat intelligence does your organization no good unless you understand how to act on it. Since time is of the essence, it's critical that integration of the information from the threat intelligence organization to your security equipment be an automated process so threats are stopped in real time.
The delivery of threat intelligence information to your organization is going to depend largely on the type of network and infrastructure security equipment you use. For most enterprise-class networks, you will likely be using a CTI with close ties to your network and security vendor equipment. So for example, if you use FireEye security products, you will want to leverage FireEye's iSIGHT intelligence services. Alternatively, if you are largely a Cisco shop, then you will license the various network and security tools that take advantage of Cisco's Talos organization.
There are many infrastructure components that can leverage threat intelligence to make automated threat prevention decisions to protect the network. Next-generation firewalls, edge routers and intrusion prevention systems (IPS) are the most common. Once a threat is discovered, a CTI service can immediately contact next-gen firewalls and IPS hardware and push a fresh list of blacklisted IP addresses or signatures designed to preempt threats.
Threat intelligence can also be used on the front lines with web, email and DNS security appliances deployed on the internet edge or as a cloud service. Website reputation scores and malicious domain lists can be adjusted in real time to prevent users from accessing newly compromised websites. The same is true for malicious URLs and email attachments; an email security appliance is updated immediately based on the CTI group's relentless efforts to expose threats before they reach you.
Less common security tools such as malware sandboxes, identity access management systems, and data flow behavioral security solutions also can take advantage of global threat information. From a sandboxing perspective, new analysis techniques can be included in the malware detection process to block threats that haven’t been seen in the wild yet. In terms of identity and access management, when new threats are detected that have already connected to the internal network, the access management system goes to work by identifying compromised endpoints and immediately contains them from the rest of the network.
Finally, threat intelligence information can be pumped into data flow behavior tools to better detect threats that have already infiltrated the network, and significantly accelerate incident response to curtail further damage.
Keep in mind that threat intelligence isn't limited to protecting the traditional enterprise network. Most vendors allow for the deployment of CTI-capable appliances in a virtual manner within private and hybrid clouds. So not only can you protect your applications and data sitting behind your perimeter firewalls, you can also extend CTI’s reach far into the cloud. With the explosive growth in cloud computing, this is an important capability.
The role of a network security administrator is becoming more challenging every day. Between the sheer number of threats and security tools to manage, it stands to reason that they may require some outside help. With cyber threat intelligence organizations, enterprises gain the advantages of preemption and automation performed on a global scale in the ongoing battle against cybercriminals.