Ron Gula is a tech investor (Gula Tech Adventures is an investor in ThreatBlockr), entrepreneur, and cybersecurity technology expert. We asked him 5 questions about his thoughts on threat intelligence.
Why and how is threat intelligence important for stopping today’s cyber threats?
When I worked on the Dragon intrusion detection system in the late 90s, there was a signature race. For every exploit that existed, the NIDS vendors were expected to write a detection rule. As attacks became more stealthy over the past two decades, the industry began to rely on indicators of compromise and hunting outliers. Certain types of threat intelligence provides massive amounts of indicators of compromise. By searching for and preventing access to this massive amount of command and control infrastructure discovered by other researchers, you can detect and prevent attackers from using it on your networks.
What advice would you give organizations when it comes to selecting threat intelligence sources?
If your organization is sophisticated and well funded, you should procure several sources of threat intelligence, produce your own, and share threat intelligence with your peers. If your organization does not have the resources to do this, you should investigate using a managed detection and response service or deploy a threat intelligence gateway
that can automatically block and deny the massive amount of command and control systems identified by the security industry.
What challenges do you see organizations facing when using threat intelligence?
There are two big challengers when it comes to working with threat intelligence that produces indicators of compromise (IOCs)…
1. First is coverage. You need to procure many feeds to get coverage of most “known” bad IOCs. If you rely on threat intel for detection and only have one source, you may be missing more than 90% of the known really bad sources that should be blocked.
2. Second is nomenclature and the schemas for the threat feeds…none of them are the same and it becomes really difficult for SOC teams to make rules for alerting, blocking, and reporting based on how intelligence was discovered and curated.
Fortunately, the industry has given rise to both threat intelligence gateways and threat intelligence platforms. A threat intelligence gateway like ThreatBlockr TIG can help organizations both work with multiple threat intelligence vendors as well as work with vendors who curate massive amounts of threat intel through a threat intelligence platform.
How important is automation when it comes to threat intelligence and security in general?
We don’t have enough cyber experts to overcome the sheer number of attacks and real compromises we face today. Blocking the correct amount of known threats at the perimeters and boundaries of our clouds and data centers in an automated manner does a few things. First, it dramatically lowers the number of events the rest of our cyber stack has to deal with. Anytime there is a real reduction in events through automation, the efficiency of the rest of your team and technology is increased. Second, assuming a real attack will defeat your sensing, the first you may get indication of an attack is when you have a connection blocked simple because it was a known hostile Internet resource.
While there’s been an increase in threat intelligence sharing, many organizations still remain reluctant to do so. What needs to happen to drive more sharing?
The best way to drive more sharing is to start with your own organization. If you can identify peers to your organization (who may even be competitors), it is mutually beneficial as an industry to share information about threats that target you.