What's the role of threat intelligence in the modern security architecture?
Gathering and using threat intelligence is critical in any modern security architecture as without it, it is impossible to keep pace with new, emerging malware and threats. For example, our 2014 Security Report found that on average, a new, unknown malware variant is being downloaded to company networks every 27 minutes, while a new bot infects a network every 24 hours. These new variants are able to bypass detection by conventional anti-malware defenses, so it’s critical that an organization has access to intelligence on new, emerging malware if it is to defend itself. The faster information can be gathered on the methods cyber-criminals are using, the quicker an organization can be prepared to counter the threat and the more robust the protection will be.
The challenge that the internet security industry faces is ensuring threat intelligence is not only gathered but also shared in real-time. Many third-party security firms have excellent intelligence on new attack vectors and malware variants. However, availability of this intelligence is often fragmented.
Any delay in collating and sharing information makes acquiring broad intelligence on cyber attacks, especially targeted campaigns, almost impossible for even the largest players in the security industry, presenting an opportunity for cyber-criminals which really should not exist.
The role of threat intelligence in security is clearly important and is something that the industry as a whole has successfully deployed for some time. However, that intelligence is far more useful in improving security when it is shared and security vendors can develop solutions that address the whole problem – not just part of it.
In answer to your question, then, threat intelligence is key in modern security architecture – in terms of identifying the problem, sharing that intelligence is critical in addressing it.
How can threat intelligence help identify sophisticated malware attacks?
The key role it plays is in helping organizations to identify new malware much faster than is possible with conventional anti-malware techniques, to prevent it spreading and mitigate damage.
For example, many organizations are using sandboxing or threat emulation techniques to identify new, unknown malware variants and stop them either in the cloud, or on a gateway. Once this new malware threat has been quarantined and ‘fingerprinted’ by the sandboxing process, this data can be shared to help prevent wider infections.
This collaborative approach closes the time window between the discovery of a new attack and the ability to defend against it. Details of the threat (including key descriptors such as the IP address, URL or DNS) can be uploaded to the cloud and automatically shared with other organizations worldwide. So if a company in Hong Kong is being targeted by a new malware variant that is identified by threat emulation, the new threat’s signature can be added to a real-time intelligence stream and distributed to other organizations globally in minutes. By vaccinating organizations against the attack before the infection can spread, this reduces the chances of an outbreak becoming an epidemic.
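The quarantine, fingerprint and share loop the answer describes, as an added example that is not part of the original interview or of any vendor's product: one site reduces a sandbox verdict to the descriptors named above (file hash, IP address, domain, URL), publishes them as a feed record, and a second site applies that record to its own proxy log. The JSON record format, the `Indicator` class, the sample bytes, the URLs and the proxy log lines are all constructed for this example (the 198.51.100.23 address is from a documentation range).

```python
"""Added example (not from the original interview or any vendor product): a toy
model of the fingerprint-and-share loop. Site A turns a sandbox verdict into a
shareable indicator record; site B matches that record against its proxy log.
All sample bytes, URLs and log lines below are constructed."""
import hashlib
import json
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# --- Site A: sandbox output -> shareable fingerprint -------------------------

# Constructed stand-in for a quarantined sample and the network activity the
# sandbox observed; not a real malware family or real infrastructure.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-for-example"
OBSERVED_URLS = [
    "http://update.example-bad.test/payload.bin",
    "http://198.51.100.23:8080/c2/beacon",   # TEST-NET-2 address, constructed
]

@dataclass
class Indicator:
    """Hypothetical record shape for the shared feed."""
    sha256: str
    domains: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    first_seen: str = ""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def fingerprint(sample: bytes, urls: list) -> Indicator:
    """Reduce a sandbox verdict to the descriptors the text mentions:
    file hash, contacted IPs and domains, and the full URLs."""
    ind = Indicator(sha256=hashlib.sha256(sample).hexdigest(),
                    first_seen=datetime.now(timezone.utc).isoformat())
    for u in urls:
        host = urlparse(u).hostname or ""
        ind.urls.append(u)
        (ind.ips if IPV4.match(host) else ind.domains).append(host)
    return ind

def publish(ind: Indicator) -> str:
    """Serialise for the feed. Plain JSON is an assumption of this example;
    real sharing uses standard formats (e.g. STIX/TAXII), not shown here."""
    return json.dumps(asdict(ind))

# --- Site B: consume the feed and check its own proxy log --------------------

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
PROXY_LOG = """\
2014-06-01T10:00:01Z 10.0.0.5 GET http://intranet.corp.test/home 200
2014-06-01T10:00:07Z 10.0.0.9 GET http://update.example-bad.test/payload.bin 200
2014-06-01T10:01:12Z 10.0.0.9 POST http://198.51.100.23:8080/c2/poll 200
2014-06-01T10:02:30Z 10.0.0.7 GET http://cdn.update.example-bad.test/stage2.bin 200
2014-06-01T10:03:00Z 10.0.0.3 GET http://news.example.test/ 200
"""

def load_feed(record: str) -> Indicator:
    return Indicator(**json.loads(record))

def match_proxy_log(log_text: str, ind: Indicator) -> list:
    """Return (client, url, reason) for each log line that touches a shared
    indicator. Exact URL first, then IP, then domain (subdomains included),
    so a changed path on known-bad infrastructure is still caught."""
    hits = []
    for line in log_text.splitlines():
        try:
            _ts, client, _method, url, _status = line.split()
        except ValueError:
            continue  # malformed line: skip it rather than crash the matcher
        host = urlparse(url).hostname or ""
        if url in ind.urls:
            hits.append((client, url, "url"))
        elif host in ind.ips:
            hits.append((client, url, "ip"))
        elif any(host == d or host.endswith("." + d) for d in ind.domains):
            hits.append((client, url, "domain"))
    return hits

def run() -> list:
    record = publish(fingerprint(SAMPLE_BYTES, OBSERVED_URLS))  # site A shares
    return match_proxy_log(PROXY_LOG, load_feed(record))        # site B applies

if __name__ == "__main__":
    for client, url, reason in run():
        print(f"alert: {client} -> {url} (matched shared {reason} indicator)")
```

The point of the three-tier match is the one the answer makes about closing the window: the exact URL catches a repeat of the sandboxed download, while the IP and domain entries catch the same infrastructure serving a different path to a different host, which a file-signature-only defence would miss.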