Event Recording

Why Threat Intelligence is Losing its Edge and How to Overcome Noise Overload

I would like to talk in today's keynote about threat intelligence as a driver to reduce the noise. Many decoupled tools, many org units are taking care of the remediation of security exposure, of loopholes, and actually combining forces. The variety creates a noise overload which drains the focus, to the disadvantage of the security posture. Now let's have a look into this from our perspective. So sorry. Yeah, that's me. I'm in the IT security space for about 20 years. On the customer side, vendor side, services side, I spent about 15 years in identity management and five years in cybersecurity. Keep that aside. So in regards to today's topic, threat intel is not at its peak of possibilities. Sorry, it's not gaining the full benefit of the available capabilities. The noise is one of the results out of the overload. So it's time for a change, and you might ask yourself A, why change, and B, what type of change? Why? Because we're not doing our best. We're not taking advantage of the available possibilities and the available capabilities. So how come? Let's look at some statistics. To the left, you can see in a review the billions spent on cybersecurity strategy and execution. And to the right you understand the cost of a successful attack.
Now validate the year-over-year increase. The increase of investments in cybersecurity is not equally ensuring a return on investment compared to the increase in incident costs. The cost of cybersecurity incidents is increasing at a high percentage, or a higher percentage, than the investments. By the way, you might also stop thinking about a return on investment in the context of cybersecurity investments. Bless you. Another review of statistics explains the same situation from a different perspective. On the left side you can see the number of successful attacks on organizations. So of organizations being attacked, about 86% of these attacks were successful. On the other side, you can see the increase again being spent as an investment into cybersecurity measures, into cybersecurity strategy and execution. And one thing you can see right from the spot is that the increasing investments are not flattening the curve on the left side. On the left side, it's at an all-time high. It's at an all-time peak. And the interesting aspect is the only thing you can do with your investments right now is you can reduce the increase, but again, you cannot flatten the curve.
The impact for organizations is therefore also obvious: being successfully attacked results in a cost of millions. So yesterday in a workshop we had some statistics, and the average cost of a successful attack in Europe results in about four point, what was it? 4.49 million euros. And depending on the attack method, that does not include the ransom you would have to pay if it were a ransomware attack; that comes on top of it. And that depends on your particular organization. There are some KPIs which threat actors take into consideration when evaluating the value of the ransom.
So what are the challenges out of this? So we have three main topics of challenges. So the first one is an environmental challenge. So A, in the vast majority, there is no particular visibility of the impending threats, neither for the lateral nor for the imminent threats. There are no strategies, not even multilayered ones. We are usually in a purely reactive mode. We are awaiting the incident so that we can react according to a playbook we may have developed many years ago. Again, yesterday's workshop was interesting to understand how important it is to have that playbook available, but to also replay and practice this playbook, always knowing that the theoretical incidents you run through within this playbook are not the reality. The benefit and the intention of that particular practice is to have your organization ready, to have the individuals ready, to have the roles ready within your organization so that they can react flexibly and very agilely in time.
They know what to do with whom, when and where the details are. Obviously depending on the type of threat, there are also no controls, or these controls are improvable because, and this is our real-life experience, obviously we know about the current IT infrastructure. Shadow IT, it's not a forgotten topic, it is interesting. Third-party managed IT is even more interesting. Just a simple example of this one. How many of you think about it? How many of you are outsourcing IT resources for specific objectives? Just think about a marketing campaign of your organization where you need to create a landing page. This landing page is usually not hosted in your own security context, in your infrastructure context; it's outsourced to the marketing agency. They are providing this infrastructure as well. But, and that is the important aspect of this, it is your name, it's your brand on the title. And if there is an incident in regards to this third-party managed IT infrastructure, it is still your brand. It's still your name on the paper.
Another aspect is what we need to understand: the IT infrastructure is constantly changing. New services deployed, new applications, released patches, updates, whatever. There are new services brought on board by cloud application vendors, et cetera, et cetera. So this is important to understand as well. On the other side, the threat landscape is also constantly changing: new vulnerabilities detected, new leakages detected, new leakages used, exfiltration, all this kind of data which allows threat actors to invade your infrastructure. Again, this is all constantly changing, and this needs to be correlated to each other to understand on a current basis, on an actual basis, why a particular threat is imminent or not.
On the investment side, currently we see a very complex, time-consuming cybersecurity strategy execution. Many tools, many people, many processes, internal and external resources being brought in. They need to be lined up with each other, they need to be aligned with each other. And that creates some sort of a complex scenario which results in silo offerings with additional costs. So you might think of your strategy as being proper, as being on the spot, but if you think of it, you might come to the conclusion that there are too many different tools in place which do not interact with each other, or where the interaction is kind of a very challenging exercise. You either need to provide it by yourself or you need to buy in external expertise. And having said that, I come from an identity management background. I'm fully used to these very long-cycle projects of months. It is interesting to see that cybersecurity projects of a specific criticality, of a specific severity, are also facing long cycles. And that should not be the case, because cybersecurity is often of an imminent, immediate nature and as such needs to be answered as quickly as possible.
So it's time for a change from our perspective, because we need to redefine threat intelligence. Threat intelligence is a keyword, a topic which is widely used, and we need to somehow structure it. So what does it mean? Threat information that has been aggregated, transformed, analyzed, interpreted, has been enriched by multiple different kinds of sources, validated sources, trustworthy sources, which then needs to have access to the right data. So the individuals working with this kind of intelligence information, they need to have access to the right data for the different layers within your organization. So cyber defense is always an objective and a task for the individuals within your organization. It is an IT topic, yes, but it's also an executive topic. The C-level would like to understand what the current security exposure is. What are the current risks? How did we change over the past period of time, like days, weeks, or months? That needs to be understood, that would like to be understood. What we're currently looking at is a situation where information is generated with lots of false positives, with irrelevant information. The orchestration is the real challenge though, to develop a profound and personalized situation that generates information of highly precious insights about threat actors, their activities, their methods, their plans and their execution methods. Because these insights can support but also force immediate decisions. Decisions upon facts, facts upon detailed data and information, data and information gathered, analyzed, correlated as soon as possible out of as many resources as possible. The silo tools we're currently looking at: you might have a solution for your attack surface discovery or attack surface management. You might have vulnerability management in place, and then it starts to become a bit blurry, a bit loose, because you do not have any visibility about malicious activity. Activity outside your organization, about your organization, anything which is happening in terms of malicious activities where threat actors for instance are creating a copy of your web application, like a web shop or service, portal registration page, whatever there is.
So this is information which has direct impact on your brand, on your organization, because it damages reputation, reliability, trustworthiness. If you are a very consumer-oriented organization, just think about certain activities and breaches from the past where these consumer-oriented organizations had the experience of an incident, and just look at their stock rate at that point in time. It's a loss of value which is impending from this very little technical aspect of a breach. So the current disadvantages are: it is decoupled, it is siloed. The cross-topic correlation requires specific and rare skills of manpower and expertise. You need to have data analysts available, data scientists available who are able to understand the output of the individual silos, and to put this correlation layer on top of it, just to be sure that you have understood the full value of this information. And this kind of expertise is rare, and I can speak for myself: finding professionals with those capabilities is quite interesting. It's quite a challenge. On the other side, all these six pillars as you can see here, they are important to organizations. They bring value to organizations because they make organizations understand the external threat landscape, their exposure, and finally the attraction of the organization towards threat actors.
So what's the solution? The kill chain. Actually that's my kind of favorite illustration to explain the topic. So just a quick poll, who's aware of the kill chain? Who's not, who's not aware of the kill chain? Who doesn't know the kill chain yet? Just raise hands please. So the kill chain is the description, the theoretical description, of how an attack is executed towards an organization, because the attack itself consists of multiple activities and multiple tasks which have to be executed in a specific sort of order.
We can have a talk about it outside. So we're here around with our own booth and we can talk about the details of these individual tasks. But it is important that between stage three and stage four is what we consider the boom time, which means that is the actual point in time of infiltration without execution of that particular malicious situation. This boom time is currently the situation where traditional approaches reside: they try to identify this impact, they try to identify this infiltration, they would like to remediate, avoid. So it is a completely reactive situation. What we are looking at is something which is currently completely ignored, because it's a huge asset. So we would like to shift left. We would like to focus, in addition to the traditional methods and approaches, also on the aspects where the preparation happens. Because any kind of attack requires intense and very profound and very sophisticated preparation, and that can't happen unseen. And there are indicators out there. And these indicators need to be visualized. They need to be gathered, correlated, analyzed. And then they need to be made visible to organizations to make them understand what the lateral risk is and what the impending risk is.
So what we recommend, how threat intelligence should be done, is a data collection from as many resources of various kinds as possible. Not only looking at technological vulnerabilities, where you have this correlation towards your IT infrastructure, typically fully automated; put a layer on top of it, put a layer of expectation on top of it and say, okay, so now that I know that a specific system is vulnerable or a software package is vulnerable, why is it so? Why is it important to me? Why is it important to my organization? Because out of this threat landscape observation, the correlation is giving the indication and the evidence that threat actors are using that particular exploit now or not. And that defines a risk scoring, and that defines the prioritization. During the CSO panel there was a side note about patch management and emergency patch management. And that is the situation you would like to focus on. You would like to use these 48 hours as effectively as possible. You would like to analyze data, you would like to get the most value out of it, especially the context and the background. You would like to understand why a specific piece of information is of high value and another piece of information maybe not.
And now that you're in the situation that you have all this very personalized information available, you'd like to somehow automate, because you would like to take immediate reaction, you would like to take action on the findings, on the results, everything which needs to be done, so that the due diligence is executed accordingly, because you would like to (a) inform everyone in your organization who needs to be informed and you would like to obviously remediate that particular risk, which leads to huge agility. So the next generation of threat intelligence is predictive; think of the kill chain, think of the shift-left approach. All these activities allow insights about something which will happen or which might happen. And you would like to be in a situation where you would like to remediate that particular "might happen" situation instantly, so that you're not in scope of this "it will happen" situation. It should be actionable, it should be highly integrable with your current procedures within your IT organization. Might it be about information sharing? Might it be task execution? Think about a very simple approach saying, okay, let's include this kind of information into our SIEM procedures or even into the SOAR playbook.
It should be personalized. And that's the aspect of noise reduction. You would like to be informed about aspects which apply to your organization, which are valid for your organization. Think about the newsletter you can subscribe to via email where you receive a growing list of IOCs. It's useless, to be honest, because it is not according to your organization. So for us, the future is now. So the questions you may consider are: are you able to identify your external threats? How confident are you that your current threat response is actually working? What kind of threat intelligence tools are originally integrated and operating seamlessly? That's the most important aspect. And how can you then be on a future-proven way to support any kind of IT-related and business-related operation from an external threat landscape management standpoint. Thank you.
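The correlation and noise-reduction idea from the last part of the talk (vulnerability finding plus exposure plus evidence of active exploitation gives the priority, and an IOC feed is only useful when filtered against what you actually run), as an added example that is not part of the keynote. The Asset and Finding types, the weights in score(), the placeholder CVE ids and the feed entries are all constructed here for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: set                      # product names present on the asset
    internet_facing: bool
    third_party_hosted: bool = False   # e.g. an agency-hosted landing page

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float

# Constructed threat-intel feed: placeholder ids, not real vulnerabilities.
INTEL = {
    "CVE-0000-0001": {"exploited_in_wild": True},
    "CVE-0000-0002": {"exploited_in_wild": False},
    "CVE-0000-0003": {"exploited_in_wild": True},
}

def score(finding, asset, intel):
    """CVSS is the baseline; evidence of active exploitation doubles it and
    external / third-party exposure adds to it. Weights are illustrative."""
    s = finding.cvss
    if intel.get(finding.cve, {}).get("exploited_in_wild"):
        s *= 2
    if asset.internet_facing:
        s += 2
    if asset.third_party_hosted:
        s += 1
    return round(min(s, 20.0), 1)

def prioritize(findings, assets, intel=INTEL):
    """Return (score, asset, cve) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    ranked = [(score(f, by_name[f.asset], intel), f.asset, f.cve) for f in findings]
    return sorted(ranked, reverse=True)

def relevant_iocs(feed, assets):
    """Noise reduction: keep only indicators tagged with a product we run."""
    installed = set().union(*(a.software for a in assets))
    return [i for i in feed if installed & set(i["products"])]

# Constructed sample data: one exposed, agency-hosted shop and one internal DB.
ASSETS = [Asset("webshop", {"nginx"}, True, True), Asset("hr-db", {"postgres"}, False)]
FINDINGS = [Finding("hr-db", "CVE-0000-0002", 9.8),
            Finding("webshop", "CVE-0000-0001", 7.5),
            Finding("webshop", "CVE-0000-0003", 5.0)]
FEED = [{"type": "domain", "value": "bad.example", "products": ["nginx"]},
        {"type": "ip", "value": "203.0.113.5", "products": ["exchange"]},
        {"type": "hash", "value": "00ff00ff", "products": ["postgres"]}]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print(row)
    print(len(relevant_iocs(FEED, ASSETS)), "of", len(FEED), "indicators apply here")
```

Note that the CVSS 9.8 finding ends up last: it is neither exposed nor known to be exploited, which is exactly the reordering the talk argues a plain vulnerability feed cannot give you.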
