Life is what you make it.
We’ve all heard our parents drill that played-out line, but as we all too often realize, sometimes our parents are correct. Our worldview colors everything we do in our daily lives. Why should our work be any different? When it comes to Threat Intelligence (TI), understanding the worldview of the data is crucial.
Not all TI data is the same. Over the past decade, we’ve seen impressive things done with data, from identifying nation-state threats to unveiling the latest malware signatures. One area that I would often run into, especially from the executive level, was where all this came from. Was this all nefarious dark web activity that emerged simply to make life annoying for us? Answers that weren’t quickly addressed by the intelligence I was receiving.
Most of the TI data I was receiving was based solely on endpoints. In cybersecurity, “endpoints” refer to any device that connects to a network. Think of them as entry or access points to your network’s data. These devices could be computers, laptops, mobile phones, tablets, IoT devices, servers, or even printers—basically anything that can interact with or access information through a network. After all, endpoints are where the action is in cybersecurity. However, as we all know, they aren’t the whole story.
In an ever more connected world, the concept of a traditional network, enterprise, or cloud setup is different. Conventional approaches to Threat Intelligence will continue to leave gaps. How do you close them?
The short answer is to fill them with something, but nobody wants to hear that. The honest answer is to make your data work for you. Time and again, as a CISO, I’d grill my vendors on what their data, tool, or platform would do for me regarding the problems I was facing. The best ones would be honest and say, “This won’t fully solve the problem, but it’ll make the picture clearer.” Worldview again: the quality of what you’re viewing is of paramount importance.
You don’t need more data; you need a more complete picture. The starting point is ensuring that you have intelligence that complements your use case. As you mature, so should your intelligence approach. So here is Kevin’s practical advice for evaluating your Threat Intelligence.
- Know your landscape – Understand your network before understanding the outside world.
- Know your data – What is normal in the land of your enterprise?
- Evaluate where your augmentation is sourced – Threat Intelligence is meant to augment your tools, so understand where the TI data is collected.
- Know your enemies – Who would be the most interested in your organization and why?
Once you’ve had a real, honest look at where you stand, you can consider what is important to you. Always remember that your worldview is what builds your perspective. You have one, I have one, and our enemies have one. The data you consume needs to be aligned with what you want to see.
Stay tuned for our next chat on all things Threat Intelligence!