Threat intelligence is a term frequently misused and applied too broadly, to the point where no one really knows what they are getting. Threat intelligence may be an overhyped security buzzword, but a former Forrester analyst said developers and administrators should pay attention to how APIs from various providers can help them use threat intelligence effectively.
"In a world where everyone offers threat intelligence, all threat intelligence is not created equal," said Rick Holland, a former principal analyst at Forrester Research who recently joined threat intelligence provider Digital Shadows as the vice president of strategy. Threat intelligence fails when organizations are bombarded with details and indicators they cannot use. "Relevancy is missing most of the time," Holland said.
Organizations are critical of threat intelligence because they don't see how the indicators they receive are relevant to them. The feeds are full of indicators tied to other geographic regions, other industries, and threats that fall outside their threat models. They are "more indicators of exhaustion that overwhelm users," Holland said.
Imagine threat intelligence as a funnel, with many different pieces of information from a variety of sources going in. Some of the sources could be proprietary research, and others could be public data feeds published by other organizations. Digital Shadows, for example, scours more than 100 million data sources across the visible, deep and dark Web and other online sources. That's a lot of input, and the funnel has to filter out everything that doesn't match the individual organization's requirements. Otherwise, the output will be filled with low-level indicators that may or may not be useful for detecting and containing issues.
Holland left Forrester to join Digital Shadows to help shape the company's strategy and product road map because he liked its focus on providing customized and relevant threat intelligence for each organization. Analysts create tags based on the organization's intellectual property and the unique aspects of its environment, and they scour the different sources for information that matches those tags.
"The first piece of threat intelligence is getting the funnel to give better data, to enrich what you are getting," Holland said.
The second is figuring out how to use the information being provided -- which is where APIs come in.
Organizations also have internal data collected from different sources, and that data should be part of the overall threat intelligence effort. But to get there, the enterprise typically needs to invest in software developers to integrate actionable intelligence into its existing systems. Some of the largest enterprises may have in-house developers capable of writing that custom code, but this is out of reach for most enterprises, Holland said. The fact that more and more threat intelligence providers are offering APIs is an encouraging trend in the market.
Digital Shadows publishes public APIs that let developers build on the platform and integrate it with their other systems. "Digital Shadows makes the intelligence actionable by easily integrating it into an organization's security program," he said.
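The funnel Holland describes, and the integration step the last two paragraphs turn on, reduce in practice to a triage pass over a feed before anything reaches a security control. The following Python is an added example written for this page; it is not Digital Shadows' code or API, and the feed schema, tag names, organization profile, dates and indicator values are all constructed assumptions. It drops indicators a control could not consume (malformed values), indicators the organization cannot act on (stale, low confidence, inside its own address space), and indicators tagged for other sectors and regions; what survives is deduplicated and ranked by how many of the organization's own attributes it matches.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OrgProfile:
    """What the funnel filters against: the organization's own attributes (assumed schema)."""
    sectors: frozenset          # industries the org belongs to
    regions: frozenset          # geographies it operates in
    technologies: frozenset     # platforms it actually runs
    own_networks: tuple         # CIDRs; an indicator inside these is a feed error, not a threat
    min_confidence: int = 50    # vendor confidence floor
    max_age_days: int = 30      # anything older is treated as stale


# Constructed sample feed in a hypothetical JSON schema; not a real vendor format.
SAMPLE_FEED = json.dumps([
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 85, "first_seen": "2016-03-01T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": ["windows"]}},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 60, "first_seen": "2016-02-20T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": []}},        # duplicate, lower confidence
    {"type": "domain", "value": "update-check.example", "confidence": 90, "first_seen": "2016-03-05T00:00:00Z",
     "tags": {"sectors": ["retail"], "regions": ["apac"], "technologies": ["pos"]}},  # wrong sector and region
    {"type": "ipv4", "value": "203.0.113.9", "confidence": 95, "first_seen": "2015-06-01T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": []}},        # stale
    {"type": "ipv4", "value": "10.20.30.40", "confidence": 80, "first_seen": "2016-03-02T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": []}},        # inside own network
    {"type": "ipv4", "value": "not-an-ip", "confidence": 80, "first_seen": "2016-03-02T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": []}},        # malformed
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "confidence": 40, "first_seen": "2016-03-03T00:00:00Z",
     "tags": {"sectors": ["finance"], "regions": ["us"], "technologies": ["windows"]}},  # below confidence floor
    {"type": "domain", "value": "portal-login.example", "confidence": 70, "first_seen": "2016-03-04T00:00:00Z",
     "tags": {"sectors": ["finance", "insurance"], "regions": ["eu"], "technologies": []}},  # sector match only
])

# Fixed clock and profile so the example is reproducible (constructed values).
DEMO_NOW = datetime(2016, 3, 10, tzinfo=timezone.utc)
DEMO_PROFILE = OrgProfile(sectors=frozenset({"finance"}), regions=frozenset({"us"}),
                          technologies=frozenset({"windows"}), own_networks=("10.0.0.0/8",))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def well_formed(ind):
    """Reject values a downstream control (firewall, DNS, EDR) could not load."""
    t, v = ind["type"], ind["value"]
    if t == "ipv4":
        try:
            ipaddress.IPv4Address(v)
            return True
        except ValueError:
            return False
    if t == "sha256":
        return len(v) == 64 and all(c in "0123456789abcdef" for c in v.lower())
    if t == "domain":
        return "." in v and " " not in v
    return False  # unknown indicator type: nothing here can consume it


def in_own_networks(ind, profile):
    if ind["type"] != "ipv4":
        return False
    addr = ipaddress.IPv4Address(ind["value"])
    return any(addr in ipaddress.IPv4Network(n) for n in profile.own_networks)


def relevance_score(ind, profile):
    """Vendor confidence plus a bonus for each organizational dimension the indicator matches."""
    tags = ind.get("tags", {})
    score = ind["confidence"]
    score += 20 if profile.sectors & set(tags.get("sectors", [])) else 0
    score += 10 if profile.regions & set(tags.get("regions", [])) else 0
    score += 15 if profile.technologies & set(tags.get("technologies", [])) else 0
    return score


def funnel(feed_json, profile, now):
    """Return relevant, deduplicated indicators, highest score first."""
    cutoff = now - timedelta(days=profile.max_age_days)
    best = {}
    for ind in json.loads(feed_json):
        tags = ind.get("tags", {})
        if not well_formed(ind) or ind["confidence"] < profile.min_confidence:
            continue
        if parse_ts(ind["first_seen"]) < cutoff or in_own_networks(ind, profile):
            continue
        # Require at least one of sector or region to match; otherwise it is noise for this org.
        if not (profile.sectors & set(tags.get("sectors", [])) or profile.regions & set(tags.get("regions", []))):
            continue
        key = (ind["type"], ind["value"].lower())
        score = relevance_score(ind, profile)
        if key not in best or score > best[key][0]:  # keep the strongest copy of a duplicate
            best[key] = (score, ind)
    ranked = sorted(best.values(), key=lambda p: (-p[0], p[1]["value"]))
    return [dict(ind, score=score) for score, ind in ranked]


def to_control_lines(indicators):
    """Flatten to 'type:value' lines, a hypothetical format a blocklist loader could ingest."""
    return [f"{i['type']}:{i['value']}" for i in indicators]


def run_demo():
    return funnel(SAMPLE_FEED, DEMO_PROFILE, DEMO_NOW)


if __name__ == "__main__":
    for line in to_control_lines(run_demo()):
        print(line)
```

Of the eight constructed feed entries, only two reach the control: the duplicate, the off-sector domain, the stale address, the address inside the organization's own range, the malformed value and the low-confidence hash are all discarded before anyone has to look at them. The thresholds and bonus weights are placeholders; the point is that every drop rule corresponds to one of the reasons Holland gives for indicators being irrelevant, and that the filtering happens before the indicators are pushed into a control rather than after they have generated alerts.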
There is currently a move away from vendor lock-in, so the ability to interoperate with other tools becomes a key component of any security strategy.
"Across the entire threat intelligence ecosystem, we need better APIs," Holland said. Nearly every threat intelligence provider nowadays offers an API, but there are limits on which aspects of the platform or data feed are accessible. Some do not make the API public or offer an SDK to help developers expand the capabilities.
Threat intelligence is supposed to help answer the question, "I don't know about this -- what do you know about it?" But for most organizations, threat intelligence efforts wind up as a "denial-of-service attack against security controls," Holland said. Administrators and security teams are inundated with alerts and information from different sources, making it difficult to understand risks and act appropriately.
Threat intel doesn't need to be a marketing buzzword or a failed promise. It can help security teams align indicators with existing security investments to make good decisions about overall security.