By Frédéric Saulet, Regional Director of Southern Europe. November 28, 2016
There are almost as many definitions of Threat Intelligence as there are security vendors!
In my view, Threat Intelligence is the capacity to identify the signs of compromise in an infrastructure that the organization must do something about. To do that, the logs in that infrastructure must be analysed so as to identify the faint signals that can indicate a potential attack.
In a Big Data environment, event and security data management by a SIEM can facilitate the detection of abnormal activity. Having logs for correlation and investigation is clearly fundamental for every organization. These logs supply data on everything that happens in a network, whether it’s tight knit or spread out; on workstations, servers and applications. Fraud, external attacks and errors can be discovered thanks to the analysis of events generated in the network and by the footprints they leave.
Sorting through this collected information is invaluable, but it is a search for a needle in a haystack. It also presupposes, and this is crucial, a contextual analysis of the collected data.
An attack is often polymorphic in practice, acting on several levels at once or using decoys.
Here’s an example to illustrate the usefulness of Threat Intelligence:
A group of hackers is using a new method to attack the most widespread electronic messaging system in the world. This type of attack has never been seen before and no countermeasure is in place. Anti-virus, firewall and IDS systems are blind to it and do not recognize the attack.
In this example, the hackers attack several targets. But via the use of SIEM, these attacks are captured, analysed and their methodology identified. This methodology is set down in a common language and distributed. This description can then be transmitted automatically and used to detect the faintest signs of the attack when it occurs.
Thanks to Threat Intelligence, the attacks have thus been captured, described and shared throughout the team – at the same time taking into account the context that’s essential to monitor the evolution of attacks from day to day.
LogPoint, for example, allows the integration of more than 100 data sources on threats, relying on Critical Stack or Emerging Threat among others.
Everything is normalized into a single language. From that point, analysts can automate the interrogation of events, screening hundreds of thousands of indicators of compromise to evaluate the data against known attacks. Effective protection of an organization's infrastructure necessarily relies on knowing the techniques that characterize a threat, so that data on that attack methodology, or other evidence of compromise, can be identified and collected.
With LogPoint this information can be shared very quickly, almost in real time. Extracting the useful analysis that allows diverse threats to be countered remains the harder challenge, given the constant evolution of risks and attack methods.
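As an added illustration of this normalize-then-screen step (example code written for this page, not LogPoint's own implementation), the script below folds two constructed feed snippets in different layouts into one indicator table and screens a few constructed log lines against it; the feed layouts, log formats and feed names are assumptions, not real vendor formats.

```python
import re

# Constructed sample feeds (layouts are assumptions, not real vendor formats).
FEED_A = """# ip,category
203.0.113.10,CnC
198.51.100.7,Scanner
"""
FEED_B = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source",
    "evil.example\tIntel::DOMAIN\tfeed-b",
    "203.0.113.10\tIntel::ADDR\tfeed-b",
])

def normalize_feeds(*feeds):
    """Fold every (name, text) feed into one table keyed by (type, value)."""
    table = {}
    for name, text in feeds:
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            if "\t" in line:                      # tab-separated layout
                value, itype, _ = line.split("\t")
                kind = "ip" if itype == "Intel::ADDR" else "domain"
            else:                                 # comma-separated layout
                value, _ = line.split(",")
                kind = "ip"
            table.setdefault((kind, value), set()).add(name)
    return table

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"host=(\S+)")

def extract_observables(event):
    """Pull IP addresses and hostnames out of a raw log line."""
    obs = {("ip", ip) for ip in IP_RE.findall(event)}
    obs |= {("domain", h) for h in HOST_RE.findall(event)}
    return obs

def match_events(events, table):
    """Return (event, indicator, sources) for every observable found in the table."""
    hits = []
    for ev in events:
        for ob in extract_observables(ev):
            if ob in table:
                hits.append((ev, ob, sorted(table[ob])))
    return hits

EVENTS = [  # constructed log lines
    "fw: src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "proxy: client=10.0.0.8 host=evil.example status=200",
    "fw: src=10.0.0.9 dst=192.0.2.44 dport=80 action=allow",
]
```

Running `match_events(EVENTS, normalize_feeds(("feed-a", FEED_A), ("feed-b", FEED_B)))` flags the first two events and reports which feeds corroborate each indicator.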
That’s why Threat Intelligence is an aspect of cyber security that no-one in charge of a network can afford to ignore or set aside. Its role in network defence is now proven, and the threat data collected has indisputable value for organisations: it gives decision-makers a reliable basis for confirming the benefits and consequences of their decisions.
You are always welcome to get in touch, if you have any questions! Find your local LogPoint office here.
With LogPoint, you will discover a full enterprise SIEM solution.
LogPoint is EAL 3+ certified and the solution is tailored to solve the specific security management challenges of your business - whether the goal is compliance, forensics or operational insight.
And the best part? We have the most predictable licensing model in the industry.