Threat intelligence (TI), or cyber threat intelligence, is information that a security organization gathers about potential and looming threats to its operations. Ideally, this should be a constant feed of information that informs automated prioritization of those threats and subsequent remediation efforts.
TI practitioners should look at their responsibilities as an effort to ensure every part of the security organization effectively leverages threat data as part of its day-to-day mission of detection, response, and overall risk management. With regard to TI, Forrester recently noted how, in the face of an increasingly complex threat landscape, security teams must adopt internal processes to manage threat intelligence and protect the business.
As threats loom ever larger across industries and regions worldwide, a threat intelligence platform can also be a powerful tool for becoming more proactive. Sure, defense matters. But threat intelligence is information that also points to trends that may not necessarily be low-hanging attacks on the doorstep of a security operations center (SOC). In that case, the SOC can proactively seek out those trend lines and harden security around them.
Threat intelligence platforms are important because a security organization needs to be able to learn of potential threats as far in advance as possible so it can fend them off and plug any vulnerabilities threat actors may be attempting to exploit. TI is also important because it can be a significant bottom-line saver: the more threats you stop, the more money you save the business. Let's look at some of the advantages that underscore the importance of a solid TI program:
Actionable threat intelligence has made leaps and bounds in recent years in terms of transitioning from a manual methodology to automating much of the process so that security organizations can actually use it, instead of just sitting on mountains of unanalyzed data and waiting for an attack.
Simply stated, everyone benefits from TI. It can make life easier for a SOC, save money for the overall business, and strengthen customer confidence in the company and its products. Because this page is aimed at security professionals, the primary beneficiaries of TI discussed here are analysts and personnel within the security organization, as it directly eases threat detection and response. What are those benefits?
Turning TI into actionable information is no small task. A framework is needed to take raw data and turn it into genuine intelligence. But what kind of framework can keep pace with a constantly changing threat landscape? Let's define a TI lifecycle that can adapt both now and in the future.
Using priority intelligence requirements (PIRs) can help guide the approach to setting direction. The process typically begins with outlining a specific PIR and then defining a desired outcome.
Which intelligence will best serve the direction your team has defined? Depending on the use case, intelligence can come from multiple sources on the network, as well as from endpoints, third-party vendors, the dark web, application security processes and platforms, and more. Collect data from all relevant sources to get the most pertinent insights.
At this stage, leveraging as much automated analysis as possible is key to improving security. There is a manual approach to analysis that a SOC could take, and it can't be overstated that human review could yield even more insights; however, this comes at the cost of time. If threats are automatically classified, it's more likely they can be automatically remediated.
The ultimate goal of this lifecycle should be to come away with useful intelligence that, after being thoroughly analyzed according to your framework, can be disseminated to security devices to automatically prevent an impending attack or threat.
Therefore, it is critical to build a solution that gathers intelligence from the right sources, automatically generates alerts enriched with contextual information, and neutralizes threats through automated remediation.
Cyber security threat intelligence directly affects the business. Will a potential threat be taken down quickly, or will the intelligence be wasted due to the lack of a properly defined lifecycle?
Forrester defines business intelligence as methodologies and processes that "transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making that contribute to an improved overall enterprise performance." As it happens, those three areas of insight are the same for TI; let's dive deeper into each.
Strategic intelligence focuses on long-term threats and their impact. Strategic TI also aids in evaluating attackers, focusing on their tactics and motivations rather than geographical location, to determine the potential organizational impacts of those threats. Senior decision-makers are typically briefed on this type of intelligence, so it is important to keep reports as clear as possible.
Operational intelligence focuses on short-term threats that may require immediate mitigation, which can quickly reprioritize other initiatives. Operational visibility also helps assess who is actually being targeted and how. This helps stakeholders determine any immediate threat response actions.
Tactical intelligence focuses primarily on the specific behavior of attackers. Are they using particular methods or tools to gain access or perform lateral movement? Tactical threat intelligence tools are used by personnel engaged in active monitoring and reporting, who also need to spot less obvious red flags.
It's best to remember that what's best for security is what's best for the business.
Use cases are varied and large in number. Security intelligence tools are useful in being proactive about any type of threat to the security and integrity of a business's operations and cyber strength.