"You can have data without information, but you cannot have information without data." This is how Daniel Keys Moran, an American programmer and science fiction writer, sums it up. And it's not like we don't have enough data - quite the opposite. A major problem for information security today is that we are drowning in data, so we may overlook the relevant data. In this blog article, find out what you should concentrate on and what you can safely ignore.
Constant vigilance is needed to deal with security alerts, vulnerability scans and reports of malicious file hashes. It can be quite a challenge to differentiate between real threats and false positives.
The problem of too much data and too little context affects everyone, whether in security operations, incident response or vulnerability management. Security experts are often overwhelmed by the amount of data, or worse still, Threat Intelligence is often treated as an independent, almost isolated function and not as an essential component that complements the other functions. This means that the people who could benefit most from threat information often cannot access it at all.
You can solve this by using a solution that can be integrated with all the security solutions currently in use. This allows security teams to collaborate in a more networked and flexible way and to have access to the same information. How often does a team receive extraneous information that may be valuable to another team? Using valuable information from an intelligent threat intelligence solution, you can act much faster to prioritise patches from SIEM data or vulnerability scans or get a clearer picture of how to respond to an incident. What is important here is that the right people get the right information at the right time. It is time to break down the walls between isolated security features and provide everyone with direct access to threat information. Why? The following (at least) four reasons justify this.
When assessing warning messages, it is important to understand that alerts are usually not triggered by a single event or activity. They are generated when multiple events show unusual behaviour compared to the established baseline. However, every day security teams are faced with a plethora of warnings, and on average over 40% of them are not examined. It is very time-consuming to search through them all manually, and often you simply don't have the time to do so. With an integrated threat intelligence solution, alerts are immediately prioritised.
Unfortunately, the "patch everything, all the time" paradigm is no longer realistic in today's threat landscape. Too many vulnerabilities are constantly popping up, but not all of them are genuinely critical or are being (or have been) exploited effectively by cyber criminals. And the same applies in other respects as well: it is not always necessary to patch everything "immediately". In all probability, your own network contains only a fraction of the really high-risk vulnerabilities. By linking vulnerability scans to threat intelligence, you can quickly identify which vulnerabilities are actually critical and need to be resolved immediately.
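The linking step described above, as an added example that is not part of the original article or of any vendor product: scanner findings are joined to a threat-intelligence lookup and re-ranked so that exploitation evidence, not the CVSS score alone, decides what gets patched first. All data below is constructed; the CVE ids are placeholders, the hosts are fictitious, and the weights and tier rules are an assumed, illustrative policy rather than any product's scoring.

```python
"""Rank vulnerability-scan findings by combining the scanner's CVSS score with
threat-intelligence context, so actively exploited flaws surface first."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # base score as reported by the scanner
    internet_facing: bool  # from the asset inventory


@dataclass(frozen=True)
class Intel:
    exploited_in_wild: bool  # evidence of active exploitation
    public_exploit: bool     # a working exploit is publicly available
    malware_linked: bool     # CVE referenced by known malware campaigns


# Constructed sample scan output; CVE ids are placeholders, not real identifiers.
SCAN: List[Finding] = [
    Finding("web-01", "CVE-0000-0001", 9.8, True),
    Finding("db-02", "CVE-0000-0002", 7.5, False),
    Finding("hr-03", "CVE-0000-0003", 5.3, True),
    Finding("web-01", "CVE-0000-0004", 9.1, True),
]

# Constructed intelligence lookup; CVEs missing here simply have no context.
INTEL: Dict[str, Intel] = {
    "CVE-0000-0002": Intel(exploited_in_wild=True, public_exploit=True, malware_linked=True),
    "CVE-0000-0003": Intel(exploited_in_wild=True, public_exploit=False, malware_linked=False),
    "CVE-0000-0004": Intel(exploited_in_wild=False, public_exploit=True, malware_linked=False),
}

TIER_ORDER = {"immediate": 0, "scheduled": 1, "backlog": 2}


def assess(finding: Finding, intel: Dict[str, Intel]) -> Tuple[str, float]:
    """Return (tier, score) for one finding. Assumed policy: intel evidence
    adds to the CVSS score, and active exploitation forces the top tier."""
    ctx: Optional[Intel] = intel.get(finding.cve)
    score = finding.cvss
    if finding.internet_facing:
        score += 1.0
    if ctx is not None:
        if ctx.exploited_in_wild:
            score += 3.0
        if ctx.public_exploit:
            score += 1.5
        if ctx.malware_linked:
            score += 1.0
    if ctx is not None and (
        ctx.exploited_in_wild or (ctx.public_exploit and finding.internet_facing)
    ):
        tier = "immediate"
    elif finding.cvss >= 7.0:
        tier = "scheduled"
    else:
        tier = "backlog"
    return tier, round(score, 1)


def prioritise(scan: List[Finding], intel: Dict[str, Intel]) -> List[Tuple[str, str, str, float]]:
    """Return (host, cve, tier, score) tuples, most urgent first."""
    assessed = [(f, *assess(f, intel)) for f in scan]
    assessed.sort(key=lambda row: (TIER_ORDER[row[1]], -row[2]))
    return [(f.host, f.cve, tier, score) for f, tier, score in assessed]


def cvss_only(scan: List[Finding]) -> List[str]:
    """The naive ordering a scanner report gives you, for comparison."""
    return [f.cve for f in sorted(scan, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only(SCAN))
    for row in prioritise(SCAN, INTEL):
        print(row)
```

With the constructed data the actively exploited CVSS 5.3 finding on hr-03 ends up ahead of the unexploited CVSS 9.8 finding on web-01, which is exactly the reordering the paragraph argues for; the real lookup would of course be your threat-intelligence feed rather than the inline dictionary.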
Do you find it easy to distinguish false alarms from real threats? We would venture to say that this is a challenge both for you and for many others. Analysts also often waste a lot of time working through all the false alarms, especially when the indicators lack context and do not really provide many clues.
Initial investigations often rely on file reputation services, but these provide too little information for malware analysis to reveal the full context. Threat Intelligence accelerates this process tremendously, allowing you to make better use of your analysts' time.
It takes a long time to manually examine every warning, and as you know, time is money - even in cyber defence. It doesn't matter whether there is just one analyst or an entire team, nobody can keep up with the flood of threat information. They must be supported! Threat intelligence solutions like Recorded Future can immediately identify and organise information about categories such as hashes, IP addresses, domains or vulnerabilities. This not only saves you time but also a lot of stress.
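The two points above, alert prioritisation and the automatic recognition of hashes, IP addresses, domains and vulnerabilities in raw alert text, as one added example that is not part of the original article and is not Recorded Future's or any other product's code. It extracts indicators from constructed alert lines with simple regexes, looks each one up in a constructed intelligence table, and orders the alerts so the ones with known-bad context are examined first while unmatched indicators are listed for follow-up. The patterns, the sample lines, the hash values, the placeholder CVE ids and the scoring are all assumptions made for the example; the address used is from a documentation range.

```python
"""Extract indicators (hashes, IPs, domains, CVEs) from raw alert lines,
enrich them against a threat-intelligence lookup, and rank the alerts."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Regexes for the indicator categories named in the article; constructed for
# this example and deliberately not exhaustive (no IPv6, no URL parsing).
# The domain pattern uses a small TLD allow-list so that file names such as
# "outlook.exe" are not mistaken for domains.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ch|de|xyz)\b", re.I),
}

# Constructed threat-intelligence lookup: indicator -> (risk 0-100, context).
INTEL: Dict[str, Tuple[int, str]] = {
    "0123456789abcdef" * 4: (95, "sample hash attributed to a known loader family"),
    "198.51.100.23": (80, "documentation-range address playing a C2 in this sample"),
    "evil-updates.xyz": (70, "domain flagged as malware distribution"),
    "CVE-0000-0002": (90, "placeholder CVE marked as exploited in the wild"),
}

# Constructed alert lines in the loose formats a SOC typically receives.
ALERTS = [
    "EDR ws-17 quarantined file sha256=" + "0123456789abcdef" * 4 + " parent=outlook.exe",
    "FW deny src=10.20.30.40 dst=198.51.100.23 dport=443",
    "IDS dns query ws-22 -> cdn.example.com",
    "VULN web-01 CVE-0000-0001 CVE-0000-0002 detected by scanner",
    "AV ws-09 heuristic hit md5=" + "deadbeef" * 4,
]


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Return {category: {values}} for every indicator found in one line.
    Hashes, addresses and domains are lower-cased; CVE ids keep their case."""
    found: Dict[str, Set[str]] = {}
    for category, pattern in PATTERNS.items():
        hits = {
            m.group(0) if category == "cve" else m.group(0).lower()
            for m in pattern.finditer(line)
        }
        if hits:
            found[category] = hits
    return found


@dataclass
class TriagedAlert:
    line: str
    score: int = 0                                   # 0 = no known-bad context
    context: List[str] = field(default_factory=list)  # matched indicators with notes
    unknown: List[str] = field(default_factory=list)  # indicators with no intel


def triage(lines: List[str], intel: Dict[str, Tuple[int, str]] = INTEL) -> List[TriagedAlert]:
    """Enrich every alert and return them ordered by descending score.
    Assumed scoring: highest single risk plus 5 per additional match, capped at 100."""
    results = []
    for line in lines:
        alert = TriagedAlert(line=line)
        risks: List[int] = []
        for category, values in extract_indicators(line).items():
            for value in sorted(values):
                if value in intel:
                    risk, note = intel[value]
                    risks.append(risk)
                    alert.context.append(f"{category}:{value} -> {note}")
                else:
                    alert.unknown.append(f"{category}:{value}")
        if risks:
            alert.score = min(100, max(risks) + 5 * (len(risks) - 1))
        results.append(alert)
    # sort() is stable, so alerts with equal scores keep their arrival order
    results.sort(key=lambda a: a.score, reverse=True)
    return results


if __name__ == "__main__":
    for alert in triage(ALERTS):
        print(alert.score, alert.line)
        for note in alert.context:
            print("   known:", note)
        for item in alert.unknown:
            print("   no intel:", item)
```

Running it puts the EDR hash hit, the exploited-CVE finding and the firewall block with a known address at the top, and leaves the DNS query and the heuristic AV hit at score 0 with their indicators listed as lacking context, which is the queue an analyst would actually want to work from.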
To sum up, we can say that each problem ultimately arises from two fundamental shortcomings:
… and in the worst case it could even be both.
To reiterate the quote at the beginning: the really relevant information is hidden outside, somewhere in the mountains of data. Often it is simply impossible to access it in time - this can be very dangerous and even critical for business in the event of a cyber attack. Recorded Future breaks down the walls between isolated security features and provides direct access to relevant threat intelligence information. This is one of the reasons why our analysts at our Cyber Defence Center rely on Recorded Future! Request your demo now!
Our qualified cyber threat analysts monitor the threat situation around the clock and analyse information from the Darknet, Threat Intelligence feeds and many other sources. With our service, you get the ultimate foundation for business intelligence and proactive protection of your business assets.
Interested? Then download our brochure.
* In cooperation with Recorded Future