Threat intelligence plays a crucial role in effective cybersecurity. It provides relevant information to help organizations implement proactive defensive measures, and it gives IT security teams insight into how to recognize and respond to attacks that slip through traditional prevention security technologies. With the increased focus on managed detection and response (MDR), the role of cyber threat intelligence is even more essential.
Alert Logic Threat Intelligence
It’s a nebulous term, but what do we mean when we say, “threat intelligence?” According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” Put more simply, threat intelligence is cybersecurity professionals with expert training, knowledge, and skills, monitoring the threat landscape and conducting continuous research to gather information about emerging digital threats.
Cyber Threat Intelligence and MDR
The MDR Manifesto explains, “To have value, MDR must be continuously informed on the evolution of threats, it must maintain a consistently high level of visibility across all assets, and it must accurately identify attacks in progress to minimize the harm that can be caused.”
Threat intelligence is valuable for cybersecurity in any scenario, but it’s a particularly vital component of any managed detection and response solution. One of the cornerstones of effective intelligence is understanding exploitable vulnerabilities and recognizing cybersecurity attacks in progress. Continuous research performed by experienced security and vulnerability researchers, data scientists and security developers who know where to look provides important insight to enable prioritization of risk from those threats.
Another element of MDR—which is also essential for effective threat intelligence—is comprehensive visibility. Digital threat intelligence needs to work across the entire technology stack. Attacks are becoming more sophisticated and may involve multiple stages and exploits. To be successful, MDR requires threat intelligence that unifies detection across the technology stack to minimize the potential for attacker success and limit the impact of attacks that get through security defenses.
For Alert Logic, this stack is comprised of IDS, Vulnerability Scanner, Extended Endpoint Detection, Web Application Firewall and Log Analytics. This security stack needs to be kept updated individually and via correlations to drive the detections against a growing attack surface.
Threat Intelligence Wears Multiple Hats
At Alert Logic, threat intelligence plays an important role in enabling both the platform and the experts. Using threat intelligence based on industry data and expert analyst research, with machine learning based data analysis across thousands of customers’ attack surfaces provides Alert Logic with valuable insight that improves protection for all customers.
The cyber threat intelligence team wears multiple hats—dealing with product, research, and service simultaneously.
Any platform that is designed to identify cyber threats and detect security attacks must be designed to keep up with the expanding and new attack landscape. It needs to have the ability to respond to a new 0-day and be able to detect it successfully. Years of experience by threat intelligence researchers watching various kinds of attacks plays a not insignificant role in determining how the security architecture should be designed for the best threat detection results.
A Threat Intelligence team must be able to forensically dissect current vulnerabilities and be able to predict how attackers can leverage them. It’s in this way that threat intelligence analytics and research is able to stay a step ahead of the attackers.
Valuable cyber threat intelligence also arms the experts with valuable information they can use to be more vigilant against future security threats known to be propagating in the wild, and the insight they need to recognize and take appropriate actions to mitigate the impact of successful attacks.
The net result is more effective MDR—and cybersecurity—overall. With solid threat intelligence, you have an improved platform that is more capable of detecting and blocking threats, and more efficient and effective response.
Working with an MDR provider makes sense for most organizations. As you consider your options, make sure your MDR provider is able to demonstrate past performance in identifying new and complex attacks, and that they are able to describe the process through which their cyber threat intelligence and threat identification capabilities continually evolve.