Devo is a sponsor of TechSpective
Cybersecurity is challenging. It is a daunting exercise to protect a complex hybrid cloud infrastructure from a rapidly evolving and expanding threat landscape. Organizations invest significant time, money and resources to deploy and manage a suite of firewalls, endpoint security, intrusion detection, and other cybersecurity tools, and yet network compromises and data breaches still occur at an alarming rate. Threat intelligence gives organizations an edge to stay one step ahead of attackers—but the threat intelligence must be relevant and coupled with the right context.
Challenges of Threat Intelligence
Cybersecurity threat data can come from a wide variety of sources. There are open source community feeds and paid threat intelligence services, ranging from a simple list of domains, IP addresses, or malware hashes, to more sophisticated intelligence, such as behavioral indicators.
Regardless of what threat intelligence data you have or what the source is, it’s imperative to have context. It is not practical to treat every potential threat the same. You must consider threat intelligence through the lens of your unique situation—focusing on attacks that are relevant for your industry or region. Valuable cyber threat intelligence is derived from properly curated, context-driven threat data—ideally focused on specific targets or adversaries.
The biggest challenge with threat data is the ability to accurately correlate and assess it all. Analyzing threat data from multiple, disparate sources requires understanding the time period that a given piece of threat intelligence is valid, and aggregating and curating multiple sources, with multiple different formats and levels of currency.
Better Threat Intelligence with MISP
There are many groups and companies out there trying to gather and share threat intelligence, and many companies trying to create their own threat intelligence program from scratch. Some share threat intelligence through Word documents, PDF files, or perhaps a CSV file that contain indicators of compromise (IOC). There are also various standards that have been developed, like STIX. The problem for organizations trying to correlate the information into something worthwhile is that each approach to threat intelligence has its own criteria and taxonomy.
That’s where MISP comes in. MISP set out to democratize cyber threat intelligence. It is a free, open source platform that allows participants to gather, share, store, and correlate indicators of compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information and even counter-terrorism data.
The beauty of MISP is that it takes a pragmatic approach to threat intelligence—allowing input from any taxonomy or industry standard and outputting it to various popular standards. It enables you to make sure your indicators are shared in the right circle of trust, and, best of all, it allows you to speed correlation and analysis and automate enrichment of the threat intelligence.
For the most part, data sharing is not a technical issue. There are many barriers that prevent organizations from sharing threat intelligence data. Some businesses may feel they don’t have anything valuable to share, or they don’t have time to correlate data. MISP helps organizations address the challenge that their view of the world and what constitutes a threat may be very different from others.
One of the keys is for organizations to have a platform for sharing information. Attacks often target similar organizations or industries. Threat intelligence from within a group of peers or trusted partners can be invaluable. In addition, collaborative analysis between organizations can prevent redundant effort. MISP uses access control lists (ACLs) to enable participants to manage who they share with and what data—and from what sources—they want to receive.
Threat Intelligence at the Pace of the Cloud
MISP is a tremendous platform for threat intelligence sharing and consumption. However, the dynamic nature of hybrid cloud environments and the sheer volume of data make it challenging to effectively collect and correlate.
The Devo Data Analytics Platform integrates with MISP to address this challenge. It is an engine for machine data. It is built for the cloud and scales to keep pace with the various sources of potential threat intelligence. Devo built a MISP Data Proxy to stream events from the MySQL database to allow for scalable, automated analysis of IOCs.
Organizations need threat intelligence—but it needs to be relevant threat intelligence with the right context, and it needs to be properly curated and correlated to be valuable. MISP and Devo work seamlessly together to improve and automate threat intelligence for better cybersecurity.