In the past twenty years, companies have deployed more technology, processes, and people to defend their applications and systems than ever before… but when pressed, many CISOs will admit they still don’t have a firm grip on the security-related data inside their own four walls.
Enter Intelligence Fusion.
Intelligence Fusion can be defined as the convergence of cyber threat intelligence with other security data sources, including fraud and physical security data. When implemented correctly, Intelligence Fusion can speed threat investigations and lead to a more proactive security stance.
In IT-ISAC’s new Firewall Chat Podcast, TruSTAR CEO Paul Kurtz sat down with IT-ISAC Executive Director Scott Algeier to discuss how IT-ISAC members can bring Intelligence Fusion concepts into their security operations.
Below we’ve edited and condensed some of the live Q&A that took place. To listen to the full discussion, click here.
Scott Algeier, Executive Director of IT-ISAC: To start off, can you talk a little bit about how you define intelligence fusion?
Paul Kurtz, Co-Founder & CEO of TruSTAR: There's been an evolution over the past several years in what threat intelligence is. When you look back at the Target and Anthem hacks, there was a scramble in the security industry to acquire more external data about what might be going on in the threat environment.
Who were those bad actors? What were they doing in order to gain access to systems? Many enterprises were trying to grapple with how to bring that data to them from the perimeter.
For the past 20 years, companies have been deploying more products, tools, and capabilities to try and understand their network better, such as SIEMs, vulnerability management, or endpoint protection systems. However, all of this data was not necessarily being fused together in ways that were efficient. External data and internal data sources were siloed off from each other, and the only means of fusing that data was basically the human analyst. This created a whack-a-mole type of environment.
Scott Algeier: How are you seeing companies apply this in their security organization today?
Paul Kurtz: Companies are starting to flip their thinking. They’re realizing that if they're going to leverage external threat data effectively, they have to have their own house in order. They’re fusing data internally and then layering in external data for added enrichment.
At the end of the day, the real advantage for members of the IT-ISAC is that now, with this fusion of internal and external data, the intelligence coming into ISACs and ISAOs is richer and higher-fidelity than what we've had in the past. The evolution has been positive, at least over the past 24 months, as enterprises are starting to figure out more about "how do I start up, organize, normalize, and infuse intelligence?" Not just threat intelligence.
Scott Algeier: What is the most overlooked source of intelligence in the enterprise? How do you turn that into higher-fidelity intelligence?
Paul Kurtz: Great question. What we find with a lot of companies that are running both SIEM and case management systems is that they are not taking the proper steps to fuse and enrich their data between both tools. This valuable historical threat data is not being stored in a way that allows it to be updated and ready to use on a real-time basis.
The most under-utilized data in the enterprise today is, oddly enough, the data that your company is harvesting from all the tools you’re already using. Only if you can fuse and leverage all that data, and create an intelligence management function, can you really understand what's going on outside the perimeter of your four walls.
Scott Algeier: What are some of the benefits for companies who are looking to fuse data streams and gain intelligence from them?
Paul Kurtz: The greatest value of fusing internal data with external data sources is that you're creating a repository of what has happened within your enterprise in the past. In other words, once you start taking data and putting it in what we call an Enclave and correlating it, organizing it, and tagging it, the data store can build up over time and grow its value over time. Once this is established, you can readily pull from your own data quickly and far more easily leverage it to enrich data from external sources. The main takeaway is that it takes less time to investigate an event.
Thanks for having us, IT-ISAC! To listen to the full episode of IT-ISAC’s Firewall Chat podcast with Scott Algeier and Paul Kurtz, click here.