Threat intelligence needs to grow up

Security teams are overwhelmed by the sheer volume of threat data


Security teams are overwhelmed by the sheer volume of threat data. While a decade ago no one was talking about threat intelligence except government agencies, organizations are now bombarded with threat data, leaving them challenged with identifying what is relevant.

Aggregating data in the service of a mature threat intelligence program, one that actually reduces risk, requires a shift in mindset.

Experts say that collecting data merely for the sake of having data brings no benefit, and that spending time and manpower analyzing what is most often noise, rather than actual indicators of threats, detracts from a security intelligence program.

If an enterprise's long-term goal is to have a mature threat intelligence program, it needs to conduct an internal risk assessment and design an action plan.

Tomer Schwartz, director of security research at Adallom Labs, noted, "Threat intelligence is not about looking at all of the data. Threat intelligence is new, and the products are changing. It is important to understand that products that only block are not going to help. Threat intelligence is about getting as much data about current threats as we can, not just current data."

Ignoring historical data overlooks a wealth of information that can inform security programs and make enterprises resilient to a broader range of events. Schwartz said, "In the current state of security, attackers will succeed. Correlation of new data with historical data doesn't happen enough, and enterprises are afraid of collaboration."

The answer is not to throw money at the problem, but for enterprises to understand for themselves which of the different platforms will serve the needs of their specific environment.

Most security teams cannot make valuable use of their threat data because there is simply too much of it. The brainpower needed to analyze that data at the rate it is produced is beyond reach.

“Humans can’t ingest the data at a rate that is meaningful,” said Anne Bonaparte, CEO, BrightPoint.

"There are a lot of new ways for threat data to be disseminated. The challenge and the opportunity is the flood of information. It has become a classic big data problem because humans can't ingest it at a meaningful rate."

This flood of data often leaves security analysts struggling.

Commercial vendors, including ThreatQuotient, TruSTAR, BrightPoint, Webroot, Norse, and Adallom, all agreed that threat intelligence has become a big data problem.

Threat intelligence is only valuable if a security analyst can make use of the data, and programs that produce lengthy reports do little to move threat intelligence forward.

Trying to cut through hundreds of millions of data points to determine what matters takes a great deal of time and thousands of man-hours. Sam Glines, CEO of Norse, said, "If you have a 10-page comprehensive report that tells you all of the vulnerabilities, the second it is printed, it's already out of date."

Glines added, "Threat intelligence is also internal threats, not just rogue employees but machines and devices that are rogue. It's also employees that don't know any better." Enterprises need to do an internal audit to understand their internal and external vulnerabilities, because they can't protect themselves if they don't know what they are protecting against.

“It’s important to understand the attack life cycle, and there are free and open source information feeds out there. The problem with open source feeds is that they provide a lot of information that is not always valuable.”

More boutique vendors will be able to provide companies with more valuable and accurate information that will assess intelligence and invest appropriately based on customer needs.

With all of the vulnerabilities and changes happening in cybersecurity, especially as enterprises rely more heavily on cloud service providers and cope with constantly changing infrastructure, some enterprises may not be ready to focus on risk assessment. Glines also said, "Vendors can work a lot faster if the risk assessment has been done and a plan is in place."

As companies continue to move to the cloud, threat indicators are changing, so how can enterprises boost threat intelligence and mitigate risks?

Glines said, "Companies need to understand that what matters most is the data, and protect that data. Aligning the program around the assets is the highest priority. Know where my high-risk data resides." More importantly, enterprises should understand that not all data is valuable. Glines advised, "Assess the intelligence and invest appropriately based on need. It's not a question of efficiency, just throwing technology at it."

Sam Glines, CEO of Norse

Knowing their environment will also allow them to recognize anomalies in behavior, and behavior analysis is a valuable piece of threat intelligence. Mike Banic, vice president of marketing, and Wade Williamson, product marketing director at Vectra, said, "Indicators are things that you are not familiar with. They are going to start the game new, fresh, with things that have never been seen. It's not what malware is, it's what the malware does. Actions that the malware took are what's important."

Grayson Milbourne, security intelligence director at Webroot, said, “Authors understand that to defend against something it needs to be observed at least one time. Someone has to see what you are doing to know how to defend against that.” One of the greatest challenges in trying to defend against grand scale attacks is that once a signature has been identified and shared, the bad guys have created a new application.

Sharing signature information about large-scale commodity attacks helps minimize vulnerabilities and weed out the larger threats. If enterprises can find intruders while they are in the active phase, they have a greater chance of stopping criminals before data is stolen.

Bonaparte advised, “Compare with what’s going on in your enterprise and communities of interest. Take advantage of knowledge in vertical communities and supply chains and access what’s going on behind the scenes to identify the relevant data to your context and environment.”

"Knowledge is power" is not a trite expression to be ignored when looking at threat intelligence. Milbourne said, "The more they know, the less likely they are to be a victim. Security awareness is often relatively cost effective, and it's a fundamental component of security intelligence."

What matters most for every enterprise is to know what matters in its own environment. Sharing threat intelligence information to identify known risks is helpful, but Milbourne said, "We need to look at how often these threats are actually encountered in the world. Eighty percent of the threats aren't even prevalent." Educating themselves about the services available, and having a threat intelligence program tailored specifically to their environment, will help meet their needs.

As more industries uncover more needs, threat intelligence will continue to grow and evolve to meet enterprise demands. Ryan Trost, managing principal at ThreatQuotient, said, "Threat intelligence needs to cater to the masses, and right now it really doesn't. Enterprises need resources, and once they have the resources, they need a platform to store and manage their data."

If enterprises are shopping around for a vendor, scoring is a tool that will personalize the platform. Trost said, "Going forward, scoring is going to be critical. It should be from a customer-centric perspective, not an embedded intelligence score."
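The article's recurring points are that feeds are noisy, that historical data should be correlated rather than discarded, that the program should be aligned around the assets that hold sensitive data, and that scoring should be driven by the customer's own context instead of a score embedded in the feed. The following Python script is an added illustration of what such customer-centric scoring can look like; it is not code from the article or from any vendor named in it. The feed entries, asset inventory, log lines and scoring weights are all constructed for the example, and the addresses and domains are documentation ranges, not real indicators.

```python
from datetime import date, timedelta

# Constructed sample feed entries (documentation addresses, not real indicators).
# Each entry: (indicator, type, first_seen, feed confidence 0-100).
FEEDS = {
    "feed-a": [
        ("198.51.100.23", "ip", date(2015, 9, 1), 70),
        ("203.0.113.9", "ip", date(2013, 4, 12), 40),
        ("badcdn.example", "domain", date(2015, 8, 20), 60),
        ("203.0.113.77", "ip", date(2015, 9, 3), 90),
    ],
    "feed-b": [
        ("198.51.100.23", "ip", date(2015, 8, 30), 80),
        ("oldmirror.example", "domain", date(2012, 1, 5), 30),
        ("203.0.113.77", "ip", date(2015, 9, 2), 75),
    ],
}

# Constructed asset inventory: host -> sensitivity of the data it holds (1-5).
ASSETS = {"db01": 5, "hr-share": 4, "web03": 2, "kiosk7": 1}

# Constructed proxy/firewall log lines: "<date> <host> <destination>".
LOGS = """\
2015-09-04 db01 203.0.113.77
2015-09-04 kiosk7 203.0.113.9
2015-09-05 web03 badcdn.example
2015-09-05 db01 203.0.113.77
2015-09-05 hr-share 198.51.100.23
"""


def merge_feeds(feeds):
    """Deduplicate indicators across feeds, keeping the earliest first-seen date,
    the highest confidence, and the set of feeds that corroborate each one."""
    merged = {}
    for feed_name, entries in feeds.items():
        for indicator, kind, first_seen, confidence in entries:
            rec = merged.setdefault(
                indicator,
                {"type": kind, "first_seen": first_seen, "confidence": 0, "sources": set()},
            )
            rec["first_seen"] = min(rec["first_seen"], first_seen)
            rec["confidence"] = max(rec["confidence"], confidence)
            rec["sources"].add(feed_name)
    return merged


def parse_logs(text):
    """Parse the constructed '<date> <host> <destination>' log lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dest = line.split()
        events.append((date.fromisoformat(day), host, dest))
    return events


def score_indicators(feeds, assets, log_text, today, recent_days=90):
    """Rank feed indicators by relevance to this environment.

    Only indicators actually observed in the enterprise's own logs are kept; the
    score grows with feed confidence, the number of corroborating feeds, and the
    sensitivity of the assets that touched the indicator. Old indicators are
    down-weighted but not dropped, so historical data still counts. The weights
    are an assumption chosen for the example, not a standard.
    """
    merged = merge_feeds(feeds)
    events = parse_logs(log_text)
    ranked = []
    for indicator, rec in merged.items():
        hosts = sorted({host for _, host, dest in events if dest == indicator})
        if not hosts:
            continue  # never seen here: noise for this environment
        corroboration = 1 + 0.5 * (len(rec["sources"]) - 1)
        sensitivity = max(assets.get(h, 1) for h in hosts)
        recent = today - rec["first_seen"] <= timedelta(days=recent_days)
        recency = 1.0 if recent else 0.5
        score = rec["confidence"] / 100 * corroboration * sensitivity * recency
        ranked.append({
            "indicator": indicator,
            "type": rec["type"],
            "score": round(score, 2),
            "sources": len(rec["sources"]),
            "hosts": hosts,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in score_indicators(FEEDS, ASSETS, LOGS, date(2015, 9, 6)):
        print(f'{row["score"]:5.2f}  {row["indicator"]:18} {row["sources"]} feed(s)  hosts={row["hosts"]}')
```

Run as written, the script drops `oldmirror.example` entirely (no host here ever contacted it) and puts the indicator that the most sensitive asset, `db01`, reached out to at the top, even though a second feed rated it lower. The 2013 indicator seen only from the low-value kiosk stays on the list with a small score rather than vanishing, which is the point about correlating historical data instead of ignoring it.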

This story, "Threat intelligence needs to grow up", was originally published by CSO.
