At a recent SANS conference, someone described the threat intelligence platform as the quarterback of your security operations: the platform calls the plays and leads the team.
There was also some discussion about incident response platforms and threat intelligence platforms emerging as two separate products. We don't think that should be the case. The goal of actually understanding the security of a business calls for a single, comprehensive product, not a product division.
A football team with two quarterbacks wouldn't work, and neither would two different platforms each taking the reins for your response activities and your threat intelligence.
What’s an Intelligence Platform?
A platform of this kind lets the people in an organization run their own processes over the security-relevant information they have a stake in. Additional teams and systems can be layered onto that same information, either at the same time or as a separate workflow.
The platform must be able to bring all of the relevant data and stakeholders together, and do so in a way that lets them work coherently as a group.
Platform customization is crucial, because every organization has its own data requirements and its own processes for aggregation, analysis and action.
Aggregation – From Feeds to Intelligence
Accumulating information from one or more feeds isn't enough by itself. You have to start by processing your own data, then overlay what the rest of the community has on top of it. Without that understanding, you don't really know what is actually vital to your enterprise.
There is a lot of emphasis on feeds in the marketplace right now. How many feeds do you handle, and of what kinds? Can you support both structured and unstructured data?
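As an added example (not code from the original post), the Python below sketches the aggregation step just described: it parses one structured feed (CSV) and one unstructured feed (free text), merges them into a single indicator index, and then overlays that index on the organization's own proxy and DNS logs to see which indicators, and therefore which feeds, actually matter. All feed contents, log lines, source names and the log format are constructed for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample data; nothing here comes from a real feed.
# A structured feed: one indicator per CSV row.
STRUCTURED_FEED = """indicator,type,source
203.0.113.7,ipv4,feed-a
malware-update.example,domain,feed-a
198.51.100.23,ipv4,feed-a
"""

# An unstructured feed: indicators buried in advisory prose.
UNSTRUCTURED_FEED = """Advisory: the campaign staged payloads on
198.51.100.23 and login-verify.example; a second drop site at
192.0.2.55 was observed later.
"""

# Internal telemetry the organization already owns (constructed format:
# timestamp source host action target).
INTERNAL_LOGS = """2024-03-01T10:00:01 dns host1 query malware-update.example
2024-03-01T10:00:07 proxy host2 connect 198.51.100.23:443
2024-03-01T10:02:12 dns host3 query cdn.example
2024-03-01T10:03:45 proxy host1 connect 198.51.100.23:443
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def parse_structured(text):
    """Structured feed: read (indicator, type, source) straight from CSV."""
    return [(row["indicator"].lower(), row["type"], row["source"])
            for row in csv.DictReader(io.StringIO(text))]


def parse_unstructured(text, source):
    """Unstructured feed: extract IPv4 addresses and domains from prose."""
    found = [(ip, "ipv4", source) for ip in IPV4_RE.findall(text)]
    found += [(dom.lower(), "domain", source) for dom in DOMAIN_RE.findall(text)]
    return found


def build_index(*feeds):
    """Merge feeds into one index; an indicator seen in several feeds keeps every source."""
    index = {}
    for feed in feeds:
        for indicator, kind, source in feed:
            entry = index.setdefault(indicator, {"type": kind, "sources": set()})
            entry["sources"].add(source)
    return index


def match_logs(log_text, index):
    """Overlay the indicator index on our own telemetry.

    Returns (indicator, host, raw line) for every sighting."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than guess
        host = parts[2]
        for token in parts[4:]:
            token = token.lower().split(":")[0]  # strip a trailing port
            if token in index:
                hits.append((token, host, line))
    return hits


def relevance_report(hits, index):
    """Sightings per indicator and per feed: which feeds are actually relevant to us."""
    per_indicator = Counter(hit[0] for hit in hits)
    per_feed = Counter()
    for indicator, count in per_indicator.items():
        for source in index[indicator]["sources"]:
            per_feed[source] += count
    return per_indicator, per_feed


def run():
    index = build_index(parse_structured(STRUCTURED_FEED),
                        parse_unstructured(UNSTRUCTURED_FEED, "feed-b"))
    hits = match_logs(INTERNAL_LOGS, index)
    return index, hits, relevance_report(hits, index)


if __name__ == "__main__":
    index, hits, (per_indicator, per_feed) = run()
    print(f"{len(index)} indicators from feeds, {len(hits)} sightings in our logs")
    for indicator, count in per_indicator.most_common():
        print(f"  {indicator}: {count} sighting(s) from {sorted(index[indicator]['sources'])}")
    print("sightings per feed:", dict(per_feed))
```

The point of the last function is the one the paragraph makes: two indicators out of five were ever seen on the network, so the value of each feed is measured against your own data, not by how many indicators it ships.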
Analysis – Where Rubber Meets Road
As the central element of an intelligence platform, analysis should automate as much of the process as is technically feasible. That means the platform has to be designed with data management at the forefront; automation can't be bolted on after the fact.
Many platforms use the Diamond Model of intrusion analysis as the cornerstone for making sense of their data. The model itself is not a data schema: it leaves each consumer free to extend their datasets to meet their own requirements, while giving the platform a robust, built-in way to relate what it holds through the model's four features (adversary, capability, infrastructure and victim). On top of that foundation, a platform should offer:
User-defined workflows for signature creation, approval and deployment (e.g. YARA, Snort, OpenIOC, Bro, CybOX, ClamAV, Suricata).
Context-specific watch lists.
The means to build customized feeds of threat indicators, grouped by common exploits, threats or other areas of concern, and push them into a range of SIEMs or other products.
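As an added example, not code from the original post or from any particular product, the Python below shows how the preceding ideas fit together: intrusion events recorded in Diamond Model terms with an extensible meta field, a pivot across shared capability and infrastructure that assembles an activity thread, and an export that turns the thread's approved infrastructure indicators into a watch list and Snort rules. The event data, indicator values and approval set are constructed; the sid range and rule message text are assumptions, and only IPv4 indicators are rendered as Snort rules here.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field


@dataclass
class DiamondEvent:
    """One intrusion event in Diamond Model terms.

    The four core features are fixed; `meta` is a free-form extension point
    so each consumer can attach whatever else they need."""
    event_id: str
    adversary: str       # often "unknown" early in an investigation
    capability: str      # e.g. a sample hash or malware family
    infrastructure: str  # e.g. a C2 address or domain
    victim: str          # e.g. an internal hostname
    meta: dict = field(default_factory=dict)


# Constructed events. E1 and E2 share a capability, E2 and E3 share
# infrastructure, E4 is unrelated to the others.
EVENTS = [
    DiamondEvent("E1", "unknown", "sha256:ab12", "203.0.113.7", "host1", {"phase": "delivery"}),
    DiamondEvent("E2", "unknown", "sha256:ab12", "c2.example", "host2", {"phase": "c2"}),
    DiamondEvent("E3", "unknown", "sha256:cd34", "c2.example", "host3"),
    DiamondEvent("E4", "unknown", "sha256:ef56", "192.0.2.99", "host9"),
]

# Constructed approval state: indicators an analyst has signed off on for deployment.
APPROVED = {"203.0.113.7", "c2.example"}

PIVOT_FEATURES = ("capability", "infrastructure")


def build_links(events):
    """Index event ids by (feature, value) so shared values can be pivoted on."""
    by_value = {}
    for ev in events:
        for feat in PIVOT_FEATURES:
            by_value.setdefault((feat, getattr(ev, feat)), []).append(ev.event_id)
    return by_value


def activity_thread(events, seed_id):
    """Pivot outward from seed_id: breadth-first across shared capability/infrastructure."""
    by_id = {ev.event_id: ev for ev in events}
    links = build_links(events)
    seen, queue = {seed_id}, deque([seed_id])
    while queue:
        ev = by_id[queue.popleft()]
        for feat in PIVOT_FEATURES:
            for other in links[(feat, getattr(ev, feat))]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return [by_id[i] for i in sorted(seen)]


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def export_indicators(thread, approved, base_sid=1000001):
    """Turn a thread's infrastructure into a watch list and Snort rules.

    Every indicator appears in the watch list with its approval status, so
    pending ones stay visible; only approved IPv4 indicators become rules."""
    rows, rules, sid = [], [], base_sid
    for indicator in sorted({ev.infrastructure for ev in thread}):
        status = "approved" if indicator in approved else "pending"
        kind = "ipv4" if is_ipv4(indicator) else "domain"
        rows.append(f"{indicator},{kind},{status}")
        if status == "approved" and kind == "ipv4":
            rules.append(f'alert ip $HOME_NET any -> {indicator} any '
                         f'(msg:"TI thread infrastructure {indicator}"; sid:{sid}; rev:1;)')
            sid += 1
    return rows, rules


if __name__ == "__main__":
    thread = activity_thread(EVENTS, "E1")
    print("thread:", [ev.event_id for ev in thread])
    rows, rules = export_indicators(thread, APPROVED)
    print("\n".join(["indicator,type,status"] + rows))
    print("\n".join(rules))
```

Note what the pivot does not do: E4 never joins the thread because it shares no capability or infrastructure with it, so its indicator is never exported as part of this campaign's watch list. That separation is what keeps a customized feed scoped to a specific threat rather than to everything the platform knows.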
For threat information to count as threat intelligence, it has to be pertinent. In the context of network security, that means relevant to the intrusions your organization actually faces.