Cybersecurity has always been about the intelligence that powers the tools. It’s this intelligence that battles the minds that make malware.
The epicenter of the battle is identifying and analyzing threats, or threat intelligence. What makes it threat intelligence, rather than threat data, is analysis.
Analysis is the label on the museum wall that tells you why the artifact matters. It’s the intelligence that blends context with object, giving meaning to mere things. It’s the bridge between information and action.
To understand why threat intelligence will be so crucial in cybersecurity’s future, we need to visit the museum of its evolution.
More innocent times: The noughties
Mulholland Drive was in cinemas; Shaggy and Destiny’s Child sold CDs by the bucket. Email was standard for business, but less so for personal use. Anyone geeky enough to ‘surf the net’ for fun might visit an internet café to use a coveted, futuristic desktop iMac. A revolution in attractive hardware, it looked like the candy-colored offspring of a motorcycle helmet and a refrigerator produce compartment.
The precursors to threat intelligence started appearing at this time. First, there were IP and URL blacklists. Security software such as Security Information and Event Management (SIEM) systems and next-generation firewalls (NGFWs) used the blacklists to raise alerts and generate reports. Security researchers manually searched for threats and sent daily updates to customers.
The bright, new digital past: 2010
It was the year Iceland’s Mount Eyjafjallajökull grounded flights across Europe with a cloud of ash. Everyone was talking about Wikileaks and the Arab Spring. Facebook and Twitter had become household names, but were far less used by marketers and brands.
The dark web and malign activities were exploding, showing the limits of the day’s security software. It wasn’t designed to process the number of Indicators of Compromise (IoCs) pelting down like a deluge of frogs, and it couldn’t identify and process the dust storms of malicious domains, IPs and other threats.
The cybersecurity industry responded. Machine learning and artificial intelligence (AI) could automate and correlate data on a new scale. With millions of sensors, their data feeds netted oceans of information. They processed and analyzed it with big data tools. These systems began to be used to perform complex detection covering all attack surfaces. And the big data technology gave birth to the idea of threat intelligence.
Machine meets human: 2015
It was the year of Je Suis Charlie, as many sided with French satirists against terrorism. 195 countries reached agreement over the Paris Climate Accord, but the color of a dress divided the world firmly into two camps.
Threat intelligence evolved again. That big data technology was blurting out far too many false alerts. Cybersecurity needed its humans back.
Security experts overseeing intelligence collection could reduce false positives and better see threats and attack methods specific to their organizations. It meant faster detection and response, and a change of emphasis to finding and prioritizing vulnerabilities.
The world we now know
From 2018, the threat intelligence industry ballooned. Hundreds of new companies popped up, offering targeted services focused on data quality. Their goal was to give guidelines for decisions and actions. The companies buying threat intelligence products and services started using them more effectively, for example, adapting their data collection for security needs.
By 2019 the industry had adopted a shared understanding of what threat intelligence means. Bear with me – this chain has a few links. Threat intelligence means multiple sources giving relevant, targeted data. The data must be converted into information that can be immediately used. It must be integrated into an organization’s security operations through a single entry point, and communicate seamlessly with their existing security controls. Its unique insights on emerging threats will let security teams prioritize alerts, maximize resources and make fast decisions.
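The chain just described, as an added example that is not part of the original article: two constructed indicator feeds (raw threat data) are merged into one table with context, matched against constructed firewall and DNS log lines, and the resulting alerts are prioritized so the team sees corroborated, high-confidence hits first. Feed contents, log lines and the priority formula are all assumptions made for illustration.

```python
import re

# Constructed sample feeds: (indicator, type, confidence 0-100, tag) per source.
FEEDS = {
    "feed_a": [("203.0.113.7", "ip", 80, "c2"), ("198.51.100.9", "ip", 40, "scanner")],
    "feed_b": [("203.0.113.7", "ip", 90, "c2"), ("bad.example", "domain", 70, "phishing")],
}

# Constructed log lines from a firewall and a DNS resolver (the "existing controls").
LOGS = [
    "2020-04-01T10:00:01 ALLOW src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2020-04-01T10:00:02 ALLOW src=10.0.0.6 dst=192.0.2.44 dport=80",
    "2020-04-01T10:00:03 DNS src=10.0.0.7 query=bad.example",
    "2020-04-01T10:00:04 ALLOW src=10.0.0.8 dst=198.51.100.9 dport=22",
]

def build_intel(feeds):
    """Merge raw feed entries into one indicator table with context.

    This is the threat data -> threat intelligence step: each indicator
    records which sources reported it, the highest confidence seen and
    the tags (context) attached to it.
    """
    intel = {}
    for source, entries in feeds.items():
        for value, kind, confidence, tag in entries:
            rec = intel.setdefault(value, {"kind": kind, "sources": set(), "confidence": 0, "tags": set()})
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], confidence)
            rec["tags"].add(tag)
    return intel

# Pulls the destination IP or the queried domain out of a log line.
TOKEN = re.compile(r"(?:dst|query)=(\S+)")

def match_logs(intel, logs):
    """Match log lines against the indicator table; return alerts, highest priority first."""
    alerts = []
    for line in logs:
        m = TOKEN.search(line)
        if not m or m.group(1) not in intel:
            continue
        rec = intel[m.group(1)]
        # Hypothetical priority: confidence plus a bonus for each independent corroborating source.
        priority = rec["confidence"] + 10 * (len(rec["sources"]) - 1)
        alerts.append({"indicator": m.group(1), "priority": priority,
                       "sources": sorted(rec["sources"]), "tags": sorted(rec["tags"]), "line": line})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)

def triage(alerts, threshold=60):
    """Split alerts into those to escalate now and those to record only."""
    return [a for a in alerts if a["priority"] >= threshold], [a for a in alerts if a["priority"] < threshold]
```

Running `triage(match_logs(build_intel(FEEDS), LOGS))` escalates the corroborated C2 address and the phishing domain and leaves the low-confidence scanner hit as a record only.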
And what of 2020 onwards? The market is still growing. Research suggests threat intelligence could be worth 13 billion US dollars by 2023. Ever smaller organizations are starting to use threat intelligence.
But in the main, this will be a new era of cooperation. To be more comprehensive, cybersecurity vendors are already integrating their products and services with others.
Sharing best practice will be the new normal, leading to better defenses against rising threats, such as malware-less attacks.
Cybersecurity will move from reactive to proactive, while the role of security teams in organizations will grow. They’ll interact more at all levels and with all business groups. They’ll become responsible for delivering proactive threat intelligence that not only protects, but identifies risk and shapes business goals. Threat intelligence will effectively predict and prevent attacks at the earliest stage, and sooner or later, underpin the whole concept of proactive cybersecurity and organizational risk.
This article was published in April, 2020.