At Starbucks, we often hear orders like this: "Give me a medium cup of soy milk vanilla cappuccino, half*, super hot." We probably order this way ourselves. The fact is, we have become accustomed to having things done our way, and that shows even in something as small as coffee, where the barista is responsible for making sure our expectations are met.
The technology world is similar, but instead of satisfying personal taste with caramel or vanilla syrup, technologies and products are chosen based on experience, familiarity, and personal preference. In the commercial world, customization is more complex, because it must be tailored to parameters such as brand preference, the specific team's experience and expertise, the operating environment, processes and workflows, and the existing enterprise infrastructure that must be supported. This demand for customization can be called the "Starbucks effect", and it is rippling through the IT industry, affecting hardware, software, services and the like.
A typical example is that there is no one-size-fits-all security. This can be seen in the development history of infrastructure and defense layers. For years, companies have chosen from an ever-expanding range of point products to address the latest threats or meet business needs. Every company's needs are different, and the resulting security infrastructure is different as well.
The same situation is reflected in threat intelligence. Not all threat data is equally important, and some data is relevant to your own company but not important to other companies. Additionally, the ways in which threat intelligence is leveraged will vary based on infrastructure and personnel. For example, large enterprises with sufficient manpower have the resources to track threat data (e.g., downstream IP addresses, domain name registrants, etc.) at two or even three degrees of separation. Companies without such resources must track selectively, investigating only threats that are currently active, target their industry, or are related to known adversaries.
Building a comprehensive threat intelligence program usually starts with selecting the threat data feeds to subscribe to. These can be commercial sources, open sources, or industry sources, or you can incorporate threat data from your existing security vendors and integrate all of it into a central repository. You then need to give each point product in your defense layers, and your SIEM, a channel to communicate with this central repository, so that global threat data can be combined with the vast amounts of log and event data these solutions generate.
Abundant data is certainly a good thing, but it also contains a lot of noise. Some threat data feeds and security vendors try to help cut through the noise by publishing threat scores. However, these ratings are generic. What you really want is a rating that is relevant to your environment. Just like a coffee order, only you know what you like and need. You need to be able to customize threat scores and sort threat intelligence based on threat indicator sources, types, attributes and context, as well as adversary attributes, so that you can filter out the real noise.
Customized threat intelligence by itself is not enough; you must also be able to use it in a personalized way. This requires solutions that communicate in both directions: not only receiving data from internal systems, but also sending curated threat intelligence from the central repository to every tool in the environment that needs it. For example, sending threat intelligence to an existing incident management or SIEM solution lets those technologies do their job more efficiently and reduces false positives. The same threat intelligence can also be used to anticipate and prevent future attacks, by automatically sending it to the defense layers (firewalls, antivirus, IPS/IDS, web and email security, endpoint detection and response, network traffic analysis, etc.) so they can generate and apply updated policies and rules to mitigate risk.
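As an added illustration (not code from the original article), the following Python sketch shows what "ordering" threat intelligence can look like in practice: indicators from several feeds are re-scored against a local environment profile (feed trust, indicator type, targeted sector, current activity, tracked adversaries, the criteria named above), ranked, and the network indicators above a threshold are turned into rules for a downstream defense layer. The profile weights, feed names, group name and all indicator values are constructed placeholders, not real intelligence.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Indicator:
    value: str
    ioc_type: str            # "ip", "domain" or "hash"
    source: str              # feed the indicator came from
    vendor_score: int        # the feed's generic 0-100 rating
    active: bool             # seen in a current campaign
    sectors: set = field(default_factory=set)   # industries the campaign targets
    adversary: str = ""      # attributed threat group, if any

# Hypothetical environment profile: what matters to this particular company.
PROFILE = {
    "sector": "finance",
    "source_trust": {"commercial_feed": 0.9, "isac": 1.0, "osint_blog": 0.5},
    "type_weight": {"ip": 0.6, "domain": 0.8, "hash": 1.0},
    "tracked_adversaries": {"GROUP-PLACEHOLDER-A"},
}

def custom_score(ind: Indicator, profile: dict) -> int:
    """Replace the feed's generic rating with one relative to our environment."""
    score = ind.vendor_score * profile["source_trust"].get(ind.source, 0.3)
    score *= profile["type_weight"].get(ind.ioc_type, 0.5)
    if profile["sector"] in ind.sectors:            # targets our industry
        score += 20
    if ind.active:                                  # currently active
        score += 15
    if ind.adversary in profile["tracked_adversaries"]:  # known adversary
        score += 25
    return min(int(round(score)), 100)

def prioritize(inds: List[Indicator], profile: dict, threshold: int = 50) -> List[Tuple[int, Indicator]]:
    """Keep only indicators worth acting on here, highest local score first."""
    scored = [(custom_score(i, profile), i) for i in inds]
    return sorted([t for t in scored if t[0] >= threshold], key=lambda t: -t[0])

def blocklist_rules(ranked: List[Tuple[int, Indicator]]) -> List[str]:
    """Push network indicators to a firewall/proxy layer as deny rules."""
    return [f"deny {i.ioc_type} {i.value}  # score={s} src={i.source}"
            for s, i in ranked if i.ioc_type in ("ip", "domain")]

# Constructed sample feed data (documentation IP range, example domain, dummy hash).
SAMPLE = [
    Indicator("203.0.113.10", "ip", "osint_blog", 90, False),
    Indicator("evil.example", "domain", "isac", 60, True, {"finance"}, "GROUP-PLACEHOLDER-A"),
    Indicator("a" * 64, "hash", "commercial_feed", 70, True, {"retail"}),
]

if __name__ == "__main__":
    for rule in blocklist_rules(prioritize(SAMPLE, PROFILE)):
        print(rule)
```

Note how the first indicator, rated 90 by its feed, drops below the threshold once source trust and local relevance are applied, while the ISAC-sourced domain tied to a tracked group rises to the top.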
With a solution that can customize the threat intelligence itself and how it is integrated, you can "order" threat intelligence. However, not every company can complete this customization process on its own.
The global cybersecurity talent shortage continues to worsen, and it is expected that there will be 2 million security job vacancies by 2019. What if you don't have a security expert to develop or implement a threat intelligence program? A Managed Security Services Provider (MSSP) can help. An MSSP will offer you a range of options so you can easily get the services you need. They can complete the customization process for you, transform the data into actionable threat intelligence, and integrate it into your infrastructure and operations. They can also improve your overall security operations with threat intelligence relevant to your company, directly targeting the threats that matter most to you.
The Starbucks effect is very common in the IT industry, and threat intelligence is affected by this movement too. With the right technology and services, every company can obtain and prioritize relevant threat intelligence at the right time, in the right place, and in the right way.