alphaspirit - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Building a strategic threat intelligence program

This week, bloggers look into strategic threat intelligence, cloud migrations and the correlation capabilities of SIEM versus UEBA.

Jon Oltsik, an analyst at Enterprise Strategy Group in Milford, Mass., looked back at ESG research conducted in...

2015 on strategic threat intelligence at enterprises. That research revealed that many enterprises had comparatively immature programs, with 40% having threat intelligence programs in place for only two years. Among respondents with programs, 38% cited improving automated incident prevention as a primary goal, aiming for better indicators of compromised IP addresses and web domains. Additionally, 33% of respondents wanted to work on automating security operations and remediation, while 28% said they wanted to establish a centralized threat intelligence service to steer cybersecurity activities.

In the race to achieve strategic threat intelligence, Oltsik said many of these priorities have not changed substantially since 2015. According to Oltsik, "leading edge" organizations are beginning to think of strategic threat intelligence, rather than threat intelligence alone. Strategic approaches can include tracking potential adversaries, hunting for threats and communicating about business risks. "Finally, proactive organizations are well along the way to integrating threat intelligence into a more universal security analytics and operations platform architecture," Oltsik said. "This can help them contextualize, enrich and act upon important intelligence across disparate security operations tasks in a timely manner," he added.

Read more of Oltsik's thoughts on strategic threat intelligence.

Cloud portability vs. leverage

John Burke, an analyst at Nemertes Research Group Inc. in Mokena, Ill., discussed workload migration for the cloud. Some of the basic approaches being discussed today are replatforming, rehosting and rearchitecting. Rehosting shifts virtual machines from an organization's data center to an IaaS model, a practice popularly known as "lift and shift." Replatforming goes a step further, transitioning resources such as database servers to a PaaS model, overseen by Google, Microsoft or Amazon. As these shifts happen, many organizations face trade-offs between labor and leverage. Groups worried about vendor lock-in and short on staff may turn to tools from cloud providers to gain leverage. Organizations more concerned about lock-in than their labor capabilities may opt to deploy tools themselves.

According to Burke, the interest in leveraging services may be driving interest in IaaS and PaaS. According to a recent Nemertes survey, 50% of organizations using PaaS amplified their use of PaaS options by a factor of four, increasing their reliance from 3% in early 2016 to 11% in 2017.

Explore more of Burke's thoughts on cloud transitions.

SIEM and UEBA compete on correlation

Augusto Barros, an analyst at Gartner, explored the competition between user entity behavioral analytics (UEBA) tools and SIEM options. According to Barros, SIEM correlation is weak and reliant on simple boolean event chaining. As a result, SIEM systems have difficulty spotting suspicious activity unless they are programmed to search for a specific type of attack. As a result, SIEM use cases often come down to filtering and aggregating.

In spite of more modern protocols available, Barros views SIEM as more simplistic than UEBA models. SIEM correlation typically generates alerts for each situation, treating potential threats as isolated. Some SIEM products, such as Qradar, are capable of aggregating potential threats based on timing and IP addresses, but Barros said this product is primarily intended for aggregation and reducing the number of alerts rather than correlation. "SIEM correlation is still useful, but we need to recognize its limitations and embrace the new capabilities of new tools such as UEBA to improve that. As we've been talking, SIEM and UEBA are getting closer every day, so now it's just a matter of time before SIEMs move (or give the option) to track issues based on entity scores. But if you want to have that now, you should look at UEBA tools," Barros said.

Dig deeper into Barros' thoughts on SIEM and UEBA. 

Next Steps

Boosting preparedness with threat intelligence

Choosing between IaaS and PaaS

Using SIEM to spot potential attacks

Dig Deeper on Network Access Control