Effectively Using Threat Intelligence
Credit to Author: Ken Xie| Date: Mon, 13 Feb 2017 06:09:18 -0800
Yesterday, Fortinet and the other founding members of the Cyber Threat Alliance announced the establishment of the CTA as an independent organization. It’s an important, unified step forward in the global battle against cyber criminals.
If we want to get ahead of cybercrime, we must share information. A collection of companies working together to collect and share intelligence will always have better visibility into the threat landscape than one organization on its own. Seeing new threats as soon as they emerge increases our ability to respond and protect valuable resources.
There is a lot of raw data available to organizations, from both global sources and within their own networks. But that’s just half the battle. Unfortunately, most security infrastructures were not designed to effectively consume, correlate, and distribute the increasing volume of information available.
For threat intelligence to have a real impact on cybercrime, you need to consider three things :
1. You need to start with good threat intelligence
There are a lot of threat feeds available to organizations. But much of the data they provide is redundant, has little to no context, and often requires a significant amount of processing. This is one of the reasons Fortinet began the Cyber Threat Alliance. We recognized that growing cyber threats place the entire global digital economy at risk. Our mission is to share reliable and usable threat information between member organizations and their customers.
Using the newly announced Cyber Threat Alliance Platform, CTA members are already sharing tens of thousands of active threat intelligence threads each week. And in addition to raw data, CTA members also contribute unique threat insights and context to increase the usefulness and value of this threat information. This enhanced intelligence allows us to create a more comprehensive picture of threats that can be converted into consumable and actionable updates.
2. Intelligence is only as good as your ability to use it
Threat intelligence from organizations like the CTA also needs to be integrated with the data collected and correlated inside your own organization. Effective security tools need to work together to gather, correlate, and provide visibility into your local threat environment.
This actionable information then needs to be converted into actionable policies and distributed across your ecosystem of traditional networks, including public and private cloud environments, and your growing number of endpoint and IoT devices.
Unfortunately, many IT teams already have to monitor and manage a wide range of separate security consoles tied to dozens of isolated security devices. These tools were never designed to share information, which means that while the speed at which the network needs to operate continues to increase, your security team is still manually correlating an increasing volume of threat information. And for many organizations, the addition of cloud networks, IoT devices, and additional threat feeds simply creates more complexity.
3. Security needs to operate at the speed of your network
Today’s digital businesses need security tools designed to operate at the speed of business. They cannot afford to trade protection for performance in any segment of the network.
But as the volume of devices and data continues to grow, it becomes more and more difficult to inspect and process the traffic flowing into and through your network. About 75% of all traffic moves laterally, or east/west between physical and virtual devices, at speeds far beyond the capabilities of most security devices. The speed required for critical business decisions means that many legacy security tools have become roadblocks.
Organizations need security tools designed for today’s network demands. You should never have to choose between performance and protection.
You need a new strategy
Today’s security needs to span your entire environment, providing unified visibility into IoT and endpoint devices, access points, the network core, the data center, the cloud, and even applications and data. It needs to be powerful enough to meet the demands of today’s digital businesses. And given the speeds at which today’s attacks happen, security devices also need to work together to automatically respond to threats without waiting for human intervention.
This can’t happen with the traditional model of simply deploying additional isolated security devices and platforms every time your network changes. What is needed is an integrated, architecture-based approach that matches the changes you are making to your network. You need a security strategy that unifies your security tools into a single integrated system, sees every device connected to your network, dynamically assigns them to appropriate network segments, synchronizes threat intelligence between different security technologies to better respond to threats, and automatically adapts to network changes.
This is why we designed the Fortinet Security Fabric. It is a comprehensive security framework built around a unified OS, an open API architecture, and single pane of glass management that allows you to more effectively collect, correlate, share, and respond to critical threat intelligence. When security devices can work as an integrated system, you can immediately identify, isolate, and remediate affected devices anywhere in your network, automatically find and remove malware, and orchestrate security policy updates everywhere, from IoT to the cloud.
Fortinet is proud of the progress the Cyber Threat Alliance has made, and we are committed to our ongoing support and participation in the Cyber Threat Alliance. We are also committed to developing and delivering tools that allow you to more effectively use that intelligence to better protect your organization.