Making Sense of a 'Threat Intelligence Platform'

Recently while minding my business at a trade show, a passerby turned his head towards my booth, scanned the Anomali banner behind me proclaiming our status as a Threat Intelligence Platform, and blurted out “You’ve got too many buzzwords!”. As my self-righteous accoster scurried along I found myself thinking over how jaded people can become when they dismiss concise messaging as distilled nonsense.So why isn’t “Threat Intelligence Platform” distilled nonsense? To find the answer, start at the source and follow it to its end. In the case of ThreatStream, that source is a flow of raw data that is literally inhumanly possible to review. To reach the end you need to follow how the business proceeds from the data.Something I find that helps frame this answer is a DIKW pyramid: short for Data, Information, Knowledge, and Wisdom. Here’s an example:<img alt="" src="https://cdn.filestackcontent.com/ayxkBm9QRJu1noKgvU2y"/>The idea behind this pyramid is to help you identify and achieve the ultimate value a pool of data offers: wisdom. Getting data is easy; following the path to achieve wisdom is hard. You can get there if you know how to turn the Data into Information from which you then derive Knowledge.The problem with Data is familiar to anyone working in computer security: there’s plenty of it. Everyone dealing with cyber security is trying to manage the data, but data has no inherent value unless you can use it. The raw data that our Threat Intelligence Platform, <a href="https://www.anomali.com/products/threatstream">ThreatStream</a>, starts with are the IOCs available through a multitude of open source and premium STIX/TAXII feeds. Many feeds are available for free and nobody needs ThreatStream just to view them. Anomali even offers its own free feed reader, <a href="https://www.anomali.com/community/staxx">STAXX</a>, for just this purpose.You have the feeds and now what? Hundreds of thousands of IOCs pour in every day; many IOCs appear across multiple feeds with different pieces of intelligence and conflicting confidence scores. If you seek out a specific IOC, what do you make of the conflicting and overlapping information? What do you trust? How long do you invest in figuring it out?What you need to do is gain value from the data and move up the pyramid: turn the data into Information. With ThreatStream, that comes through the process of aggregating, reporting, and organizing the breadth of data with the IOC as its nexus. For each IOC, ThreatStream removes duplicate entries to condense the IOC into one reported observable. This observable further connects with associations and enrichments from the Threat Model, Threat Bulletins, and third-party tools. ThreatStream then generates its own confidence score on each independent feed source for that IOC before generating a final confidence score based on the corpus of data. This work is valuable, but it still leaves you with a body of work that is inhumanly possible to review in total. It makes for great reference material, but your real goal is to find a better way to utilize it.The move from Information to Knowledge is this big step in utility and relevance. Whereas information is useful for putting perspective on the past, cyber security professionals are not going to be content with reviewing detailed reports describing the nature of the threat landscape, nor will they be happy simply leveraging those reports to describe an attack that ran unseen and rampant in their IT infrastructure for a month. The goal is to make use of that information.In the case of ThreatStream, you can export a high-value set of these IOCs into your own monitoring tools like your SIEM. Having extracted the active threats that have the highest confidence and severity out of ThreatStream, you can search for matches from that feed against your systems’ log data, which ThreatStream does in native SIEM apps. Next, you will want to drill into those hits to assess the threat, combining the vast store of information ThreatStream assembles for you with deep understanding of your internal environment. In pushing the IOCs that matter into a SIEM and analyzing the hits, you are able to assess the true risk to your enterprise and take the appropriate next steps. This operationalizing of the information is what moves you into the realm of knowledge. You are now able to identify the greatest threats on your company’s security landscape and act accordingly.For many organizations, just getting to Knowledge on the pyramid is value enough given the return on investment in staying ahead of attacks. Still, smart organizations know that it’s not enough to have effective operations; an effective strategy must drive those operations. Given the threat landscape and an organization’s ability to respond, leaders consider their existing security footprint, they assess their ability to respond, and they gauge the ability of security operations to protect the enterprise while supporting the culture that makes that enterprise unique, innovative, and profitable. This is the realm of Wisdom.Security must support the business, and it can’t be seen to get in the way of the business. Just as you can’t leave your IT systems wide open, neither can most organizations lock everything down. Between these two extremes enters the analysis that leads investment and policy. With ThreatStream keeping you on top of the threat landscape, it gives you the footing to see whether you have the right mix of tools, personnel, and procedures. Why are you buying that equipment? Why are you embarking on that new policy? How have your previous investments and planning worked for you? What should you do next?Good strategy comes from seeing the patterns of developing threats measured against your existing ability to protect the enterprise. Anomali ThreatStream shows you the ever-changing security landscape so you can plan your resources out of the visibility that comes with a Threat Intelligence Platform to drive your security footing. Through this you achieve the pinnacle of the DIKW pyramid.