According to ESG research from 2012, 65% of enterprise organizations (i.e. more than 1,000 employees) used external threat intelligence as part of their information security analytics activities (note: I am an ESG employee). The two most popular threat intelligence types were related to vulnerabilities and malware (each is consumed by 63% of organizations that use external threat intelligence).
Maybe it’s me, but threat intelligence seems even more relevant today than it was two short years ago. Technology vendors like Blue Coat, Cisco, IBM, Symantec, and Trend Micro emphasize the strength of their threat intelligence and bundle it into product sales. Others like Webroot follow the same path but also invest in threat intelligence as a product and OEM it to other vendors. New firms like BitSight, Norse, RiskIQ and Vorstack have taken threat intelligence in new directions, focusing on industries, threat actors, outside-in use cases and business metrics.
In addition to the supply side, there is plenty of momentum around threat intelligence sharing on an industry level. In June, the Government Communications Headquarters (GCHQ) announced a plan to share intelligence with communications companies while several verticals announced plans to develop or enhance industry Information Sharing and Analysis Centers (ISACs). In the meantime, more and more threat intelligence feeds are adopting common methods for threat intelligence sharing like the Structured Threat Intelligence eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII), and Cyber Observables (CybOX) standards from the U.S. Department of Homeland Security (DHS) and Mitre Corporation.
Yup, there is real progress going on, but anyone with more than a few years of experience can anticipate the next problem on the horizon. Pretty soon, enterprise organizations are going to collect dozens of threat feeds in various silos throughout the enterprise. When CISOs realize this is happening, they will want to centralize all threat feeds, correlate them against each other, compare external and internal data, and generate consolidated reports for security analysts and business management.
The good news here is that a few prescient vendors are already anticipating the need for threat intelligence consolidation and addressing this requirement in creative ways. For example, Check Point Software is addressing into this nascent area with the announcement of its ThreatCloud IntelliStore in May. Along with partners like iSight, CrowdStrike, NetClean and ThreatGrid, Check Point is building a marketplace where customers can choose and customize threat intelligence from multiple sources. Microsoft also jumped into the threat intelligence sharing pool with a new cloud-based offering called InterFlow that sits on top of MS Azure and supports all of the DHS/Mitre standards. Microsoft’s cloud-based resources and scale may be a good fit for industry ISACs and large organizations trying to cope with explosive threat intelligence growth.
Check Point and Microsoft may be ahead of the threat intelligence sharing game but things are evolving rapidly. So what’s next? As more threat intelligence sharing offerings emerge, the next logical innovation will come in two areas:
- Analytics. Aside from ease-of-use, scale, and strong consolidation, leading threat intelligence consolidation vendors will certainly add advanced big data security analytics. For example, Microsoft could partner with one or several analytics specialists like 21CT, Leidos, Lexis-Nexus, Narus, or Palantir to extend InterFlow.
- Automation. Check Point can already turn ThreatCloud intelligence into risk mitigation actions within its network security portfolio by generating new firewall rules and IDS/IPS signatures on the fly. This type of automated remediation will become standard operating procedure to help enterprises address the combination of advanced threats and precipitous increase in network traffic.
Threat intelligence is following a familiar IT lifecycle, but the final chapters of the book have yet to be written. This means we are likely to see further consolidation, advanced use-cases, and continuous innovation. Smart CISOs who come along for this ride will find inventive ways to mitigate risk, educate business executives on cybersecurity, and improve incident detection/response.