Threat intelligence (TI), or cyber threat intelligence, is information that a security organization gathers about potential and looming threats to its operations. Ideally, this is a constant feed of information that informs automated prioritization of those threats and the remediation efforts that follow.
TI practitioners should view their responsibilities as an effort to ensure that every part of the security organization effectively leverages threat data as part of its day-to-day mission of detection, response and overall risk management. On TI, Forrester recently noted how, in the face of an increasingly complex threat landscape, security teams must adopt internal processes to manage threat intelligence and protect the business.
As threats loom larger across industries worldwide, threat intelligence platforms can also be a powerful tool for becoming more proactive. Defense matters, of course. But threat intelligence also points to trends that are not necessarily low-hanging attacks on the doorstep of a security operations center (SOC). In that case, the SOC can proactively look along those trend lines and harden its defenses before the attacks arrive.
Threat intelligence platforms matter because a security organization needs to learn of potential threats as far in advance as possible so it can fend them off and close any vulnerabilities threat actors may be attempting to exploit. TI also matters because it can be a bottom-line saver: the more threats you block, the more money you save the business. Let's look at some advantages that underscore the importance of a solid TI program:
Actionable threat intelligence has made leaps and bounds in recent years, moving from a manual methodology to automating much of the process so that security organizations can actually use it, instead of sitting on mountains of unanalyzed data and waiting for an attack.
Simply put, everyone benefits from TI. It can make life easier for the SOC, save money across the business and strengthen customer confidence in the company and its products. Because this page is aimed at security professionals, the primary beneficiaries of TI discussed here are the analysts and staff within the security organization, since it directly affects threat detection and response. What are those benefits?
Turning TI into actionable information is no easy task. It requires a framework that takes raw data and turns it into real intelligence. But what kind of framework can keep up with a constantly changing threat landscape? Let's define a TI lifecycle that adapts to both the present and the future.
Using priority intelligence requirements (PIRs) helps guide the approach to setting direction. The process typically begins with outlining a specific PIR and then defining a desired outcome.
Which intelligence will best serve the direction your team has defined? Depending on the use case, intelligence can come from multiple sources on the network as well as from endpoints, third-party vendors, the dark web, application security processes and platforms, and more. Collect data from all relevant sources to get the most pertinent insights.
At this stage, leveraging as much automated analysis as possible is key to improving security. A SOC could take a manual approach to analysis, and it can't be overstated that human review may yield even more insights, but it comes at the cost of time. If threats are classified automatically, it is more likely that they can be remediated automatically.
The ultimate goal of this lifecycle should be to come away with useful intelligence that, after being thoroughly analyzed according to your framework, can be disseminated to security devices to automatically prevent an impending attack or threat.
It is therefore critical to build a solution that pulls intelligence from the right sources, automatically generates alerts with contextual information, and remediates threats automatically.
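The lifecycle just described (direction from a PIR, collection from several sources, automated analysis, dissemination to enforcement points), carried through end to end as an added example. This is not code from the original page or from any vendor's platform: the two feeds, their formats, the PIR, the scoring weights, the alert threshold and the blocklist syntax are all constructed assumptions chosen to illustrate the stages. It shows two details a paragraph cannot: indicators arrive defanged and in mixed case from different feeds and must be normalized before they can be de-duplicated, and rows that do not parse as an indicator must be dropped rather than pushed to a firewall.

```python
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Direction: an assumed priority intelligence requirement (PIR). Indicators whose
# tags intersect PIR["tags"] are boosted by PIR["weight"]. Illustrative values only.
PIR = {
    "name": "Ransomware affiliates targeting our VPN and email",
    "tags": {"ransomware", "phishing", "vpn"},
    "weight": 1.5,
}
ALERT_THRESHOLD = 60  # assumed: score at or above which an alert is raised

# Collection: two constructed feeds with overlapping, differently formatted indicators.
FEED_A_CSV = """indicator,confidence,tags
hxxp://update-portal[.]example/login,80,phishing|vpn
203.0.113.7,45,scanner
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,90,ransomware
not an ioc,99,
"""
FEED_B_JSON = json.dumps([
    {"ioc": "UPDATE-PORTAL.example", "score": 70, "labels": ["credential-harvesting"]},
    {"ioc": "203.0.113.7", "score": 35, "labels": []},
    {"ioc": "198.51.100.23", "score": 85, "labels": ["ransomware"]},
])


@dataclass
class Indicator:
    value: str
    kind: str                       # "ipv4", "domain" or "sha256"
    confidence: int                 # 0-100, highest value seen across sources
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def refang(raw: str) -> str:
    """Normalize defanging and case so the same indicator from two feeds merges."""
    v = raw.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    return v.split("/")[0]          # keep only the host part of a URL


def classify(value: str) -> Optional[str]:
    """Return the indicator type, or None if the value is not a usable indicator."""
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value):
        return "domain"
    return None


def parse_csv_feed(text: str, source: str):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], int(row["confidence"]), set(row["tags"].split("|")) - {""}, source


def parse_json_feed(text: str, source: str):
    for obj in json.loads(text):
        yield obj["ioc"], int(obj["score"]), set(obj.get("labels", [])), source


def merge(records) -> dict:
    """Analysis, step 1: normalize, validate and de-duplicate across feeds."""
    merged = {}
    for raw, confidence, tags, source in records:
        value = refang(raw)
        kind = classify(value)
        if kind is None:            # unparseable row: drop it, never block on it
            continue
        ind = merged.setdefault(value, Indicator(value, kind, 0))
        ind.confidence = max(ind.confidence, confidence)
        ind.sources.add(source)
        ind.tags |= tags
    return merged


def score(ind: Indicator) -> float:
    """Analysis, step 2: feed confidence, corroboration bonus, PIR relevance boost."""
    s = float(ind.confidence)
    s += 10 * (len(ind.sources) - 1)          # each extra independent source adds 10
    if ind.tags & PIR["tags"]:
        s *= PIR["weight"]
    return min(s, 100.0)


def build_alerts(merged: dict) -> list:
    """Alerts carry the context an analyst needs: type, sources, tags, matching PIR."""
    alerts = []
    for ind in merged.values():
        s = score(ind)
        if s >= ALERT_THRESHOLD:
            alerts.append({"indicator": ind.value, "type": ind.kind, "score": s,
                           "sources": sorted(ind.sources), "tags": sorted(ind.tags),
                           "pir": PIR["name"] if ind.tags & PIR["tags"] else None})
    return sorted(alerts, key=lambda a: -a["score"])


def blocklist(alerts: list) -> list:
    """Dissemination: network indicators in an assumed one-line-per-rule format."""
    return [f"block {a['type']} {a['indicator']} # score={a['score']:.0f} src={','.join(a['sources'])}"
            for a in alerts if a["type"] in ("ipv4", "domain")]


def run_pipeline():
    records = list(parse_csv_feed(FEED_A_CSV, "vendor-a")) + list(parse_json_feed(FEED_B_JSON, "vendor-b"))
    merged = merge(records)
    alerts = build_alerts(merged)
    return merged, alerts, blocklist(alerts)


if __name__ == "__main__":
    _, alerts, rules = run_pipeline()
    for a in alerts:
        print(a)
    print("\n".join(rules))
```

Two design points are worth noting. The file hash is alerted on but deliberately left out of the network blocklist, because the enforcement point that consumes it is different (an EDR, not a firewall); dissemination should be shaped per device, not one undifferentiated dump. And the scanner IP seen by both feeds at low confidence stays below the threshold even with the corroboration bonus, which is the kind of noise a threshold tied to the PIR is meant to keep out of the remediation path.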
Cyber threat intelligence directly affects the business. Will a potential threat be taken down quickly, or will the intelligence be wasted for lack of a properly defined lifecycle?
Forrester defines business intelligence as methodologies and processes that "transform raw data into meaningful and useful information used to enable more effective strategic, tactical and operational insights and decision-making that contribute to improving overall enterprise performance." As it happens, those three areas of insight are the same for TI; let's dive deeper into each.
Strategic intelligence focuses on long-term threats and their impact. Strategic TI also aids in evaluating attackers, focusing on their tactics and motivations rather than their geographic location, to determine the potential organizational impact of those threats. Senior decision-makers are typically the audience for this type of intelligence, so it is important to keep reports as clear as possible.
Operational intelligence focuses on short-term threats that may require immediate mitigation, and therefore a quick reprioritization of other initiatives. Operational intelligence also helps assess who is actually being targeted and how. This helps stakeholders determine any immediate threat-response actions.
Tactical intelligence focuses on the exact behavior of attackers. Are they using specific methods or tools to gain access or to move laterally? Tactical threat intelligence tools are used by personnel engaged in active monitoring and reporting, who also need to spot the less obvious red flags.
It is best to remember that what is best for security is what is best for the business.
Use cases are varied and numerous. Security intelligence tools are useful for being proactive about any type of threat to the security and integrity of a business's operations and its overall cyber resilience.