Passive security devices deployed at a network edge waiting for some previously identified threat to trigger a response was the primary mode of security for over a decade. And though that approach has undergone some updating in the interim, it is still the primary mode of protection relied upon by far too many organizations.
Today’s threats are far more sophisticated. They are designed to evade detection, hijack approved software, disguise themselves as legitimate traffic, and even disable network and security devices. Prevention, as well as detection and response, require active security solutions that can identify attack patterns, detect unusual behaviors, and uncover threats before they can cause harm. And to do that, they need effective and reliable threat intelligence.
External Threat Intelligence is Only as Good as its Source
Nearly every security device today relies on some sort of external subscription feed that provides regular updates to signature sets, detection algorithms, and data on the latest threats. Without that, the value of a security tool would quickly diminish over time as threat actors refine and revise their strategies and tactics. The challenge, regardless of the sophistication of the security device itself, is that what organizations are really relying on is the expertise of the vendor’s security researchers and the completeness and accuracy of the data they provide as updates.
And far too often, that is exactly where their security fails. According to the Ponemon Institute’s 2018 Cost of Data Breach Report, the average dwell time of a network breach is 266 days, with the mean time to identify a data breach coming in at 197 days, and the average time required to contain that breach costing an additional 69 days. Most of this delay can be directly attributed to bad threat intelligence.
The value of threat intelligence depends on things like the scale of the data available to the vendor. How many sensors they have deployed, where they are deployed, and the kinds of data they collect are all critical factors. Likewise, how many security researchers are on the back end analyzing that data or conducting original research? What sorts of tools and algorithms do they use? If they collect large volumes of data – which they should – do they have access to things like artificial neural networks to quickly pinpoint and assess threats that might be missed by human analysts?
Smart security executives understand that they can’t rely solely on the data provided by their vendors to catch criminal activity. Which is why they also subscribe to external threat feeds in order to supplement the data they use for internal analysis. And because threat feeds are subject to the same limitations as those from the vendors, they often subscribe to more than one. Smart vendors do the same thing. It’s one of the reasons why Fortinet helped found the Cyber Threat Alliance (CTA) – to ensure that our own researchers have access to multiple data feeds to improve the accuracy of our threat intelligence services.
But in addition to gathering raw data, a parallel concern is how consumable is that data being provided? Can it be easily integrated into existing security tools, which is best, or does it need some sort of manipulation before it can be useful? If so, do you have the right tools in place?
Collecting and Correlating Internal Threat Intelligence
Just as important as external data is the ability to collect, correlate, and analyze internal threat intelligence. The challenge here is that most legacy security devices in place operate in isolation. Sure, they can generate copious log files, and may have elaborate reporting capabilities, but they don’t easily share or correlate their data with other security devices. If your NGFW doesn’t talk to your WAF or your Secure Email Gateway, you may be missing critical insights that only exist between those tools. Instead, most organizations end up hand correlating log files and reports between different tools, which means that subtle details that may indicate a risk or a breach can be easily overlooked.
At a minimum, security tools needs to be able to natively collect, share, and correlate threat intelligence with each other. This enables rapid identification of issues, as well as the ability for those tools to initiate a coordinated response to an event. Further, those details and data need to be able to be shared and correlated across every segment of the distributed network, including SD-WAN connections, SD-Branch networks, mobile enduser and IoT devices, and every instance of your multi-cloud environment.
SIEM tools can also play a critical role in the gathering and correlating of threat intelligence from a variety of sources, as well as in the orchestrating of an effective threat response. Ultimately, all of these elements need to be able to be fed up into a NOC/SOC environment where threat and network activity can be further correlated and analyzed.
Threat Intelligence Lies at the Core of all Machine Learning and AI
But this is just the start. Virtually every element of the next generation of security requires generation, deep analysis, and correlation of threat intelligence. But today’s feed-based systems are still rather primitive. Machine learning systems, if provided with proper amounts of training and data, will be able to detect threat patterns and develop offensive and defensive playbooks. When combined with AI, security systems will not only be able to anticipate the next moves of an intruder in order to proactively and automatically shut them down, but also predict which threats are likely to target a system, and which threat vectors are likely to be used so an attack can be stopped before it even begins.
This requires two things. First, for responses to occur at the speed of today’s attacks, data needs to not only be collected and analyzed locally, but autonomous decisions also need to be made locally. And second, that information needs to be shared back to the central system so it can be further assessed and initial responses refined and updated, and so alerts and responses can be orchestrated across the entire network.
Information Sharing is Essential
Finally, and this cannot be overemphasized, if we want to truly get out ahead of the cybercriminals targeting legitimate businesses, we all need to participate in information sharing at all levels, from individual organizations to cross-vendor organizations like the Cyber Threat Alliance. As your threat intelligence becomes more refined, it can not only protect your network, but protect the networks and sharpen the AI of others as well. At a minimum, consider joining one of the industry or regional information sharing ISAC coalitions, for example, along with making sure that events are shared back to your security vendors so they can refine their processes as well.
Preparing for a Security-Driven Networking Strategy
As we move further into network and business changes occurring due to ongoing digital transformation, reliable and actionable threat intelligence from a variety of sources will eventually need to be woven directly into the network itself. This security-driven network approach will allow security to automatically adapt and dynamically respond to the minute-by-minute changes happening in even the most fluid and highly distributed network environments. Preparing for this new, third generation of security starts today by building and interconnected and deeply integrated security fabric designed to work as a single, seamless whole rather than a loose collection of individual physical and virtual devices.
Learn more about how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.