
Why threat intelligence is essential to consolidated security


Threat intelligence is a vital part of cybersecurity. It gives defenders the information they need to prepare for and guard against potential attackers, mitigating the risks of intrusions and data loss. Real-time feeds of threat data can even help organizations thwart zero-day threats that would otherwise slip past network and endpoint protections.

However, threat intelligence's maximum potential can best be realized when it is shared with other defensive tools that can use the threat data to orchestrate broad-based organizational responses to security incidents.

One of the most efficient ways to achieve that potential is to implement a threat-intelligence program as part of a larger consolidated security platform, whose various tools and defensive methods are designed to automatically communicate information among themselves.

The smooth coordination of different components is one of the top benefits of implementing such a platform, and the integration of threat intelligence one of the top reasons for such a platform to exist.

Meanwhile, the addition of AI to consolidated platforms is a force multiplier for threat intelligence. The AI can detect, analyze and respond to threats more quickly than a human defender and even make recommendations for both short-term and long-term remediation.

"At the end of the day, your security is only as effective as the intelligence that powers it," says Aviv Abramovich, Head of Security Services Product Management at Check Point.

The value of threat intelligence

Cybersecurity began as a defensive measure against active threats, but threat intelligence is part of a later phase that developed to proactively mitigate potential attacks — to head off the enemies at the pass, as it were.

Information is power, as the saying goes, and the information gained from threat intelligence leads to better decisions about cybersecurity. If you know what the biggest threat actors are after, how they operate and which tools they use — their tactics, techniques and procedures (TTPs), in industry parlance — you have a much better chance of successfully repelling their attacks. Even patching newly exploited vulnerabilities is an application of threat intelligence.

However, threat intelligence isn't just threat data. Threat data feeds are the raw material, but the intelligence results from filtering and analysis of that data (which itself requires contextual knowledge), and then the distribution of the conclusions and recommendations reached from the analysis.

Threat intelligence also needs to be evidence-based, useful and actionable. Otherwise, it's just conjecture; threat data that cannot be acted upon is mostly useless.

Threat intelligence is also best when it's shared. That's why the major cybersecurity firms share such information even as they compete for customers.

Some good examples of low-level threat intelligence are the malware-definition "signature" updates that enterprise endpoint defenses and consumer antivirus programs rely upon to keep pace with attackers. These signature updates are generated by cybersecurity firms that analyze reams of threat data to discover and catalogue the latest forms of malware, then distribute updates to their clients several times a day.

These endpoint-protection and antivirus providers could keep new information to themselves to gain short-term competitive advantage. Few if any do. Instead, they share the latest malware and threat information so that they can mount a common defense.

Signature updates work best against known malware whose binaries can be catalogued as unique hashes, but threat intelligence delivered as a continuous, real-time feed can also protect against previously unseen zero-day attacks for which no signature yet exists, as Check Point Product Marketing Manager Dave Gronner explains.

"The most critical place where you see [the need for threat intelligence] is in the case of zero-days," Gronner says. "The zero-day-type attack is the one you need to not only detect, but block and alert every other control point within seconds. Not a day later, not two days later, not three days later. That's where you're in real-time."

Furthermore, such a rapid reaction is only possible with a high degree of automation in which threat intelligence feeds into a system that can orchestrate different tools to mount a defense across the organization.

As Gronner adds, "real-time threat intelligence implies you're using some algorithm, whether it's AI or whatnot, to inform your network immediately."

Automated sharing of threat intelligence

Many organizations successfully use security orchestration, automation and response (SOAR) systems together with threat intelligence to coordinate broad responses among disparate tools. Automation in general can help you sort through reams of data and telemetry to spot threat patterns and indicators of compromise.

"If my network security sandboxes a malicious file, and now it knows that's malicious, it needs to tell all the other things, whether they're endpoint or cloud, 'If you see this file, no, it's malicious, don't touch it, block it, drop it, erase it,'" explains Abramovich.

However, there's always a bit of difficulty getting tools from different vendors to play nicely together and feed their idiosyncratically formatted data into a shared interface. And you need that shared interface so that your security-operations team doesn't go crazy looking at multiple screens and following up on endless alerts.

Using a consolidated security platform that shares a single set of APIs and interfaces allows for smoother and more rapid sharing of data without any translation delays or errors, Abramovich points out.

"Having the same security intelligence being streamed to all the different decision points, the various decision points in your platform, is very important," he says.

"If your network device knows that a file is malicious, why would you want to allow it on your endpoint? Why would you not let your endpoint also know that it's malicious?" Abramovich asks. "The sharing and the collaboration of the intelligence is really a key [aspect] of the platform."

In a consolidated platform, threat intelligence doesn't flow just one way but propagates throughout the entire platform to ensure a more robust defense.
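As an added illustration of the verdict-sharing Abramovich describes (example code written for this article, not code from the original piece or from Check Point's platform), the Python below translates two hypothetical vendor verdict formats into one shared indicator schema and fans a single malicious verdict out to every subscribed control point; the source names, message formats and hash value are all constructed.

```python
"""Added example: a sandbox verdict fanned out to every control point over one shared schema."""
from dataclasses import dataclass
import json

@dataclass(frozen=True)
class Indicator:
    """Shared schema every control point understands."""
    sha256: str
    verdict: str   # "malicious" or "benign"
    source: str    # control point that produced the verdict
    seen_at: str   # timestamp as emitted by the source

def normalize(raw: str, source: str) -> Indicator:
    """Translate a vendor-specific verdict into the shared schema. Both input
    formats are hypothetical: JSON from the sandbox, 'hash|verdict|time' from
    the email gateway."""
    if source == "sandbox":
        d = json.loads(raw)
        return Indicator(d["file_sha256"].lower(), d["result"], source, d["time"])
    if source == "email-gw":
        h, v, t = raw.split("|")
        return Indicator(h.lower(), {"MAL": "malicious", "OK": "benign"}[v], source, t)
    raise ValueError(f"no translation for source {source!r}")

class Platform:
    """One bus, one blocklist, one subscriber list: no per-vendor translation step."""

    def __init__(self) -> None:
        self.blocklist: dict[str, Indicator] = {}
        self.control_points: list[str] = []

    def subscribe(self, name: str) -> None:
        self.control_points.append(name)

    def share(self, ind: Indicator) -> dict[str, str]:
        """Fan out one verdict and return the action each control point applied."""
        if ind.verdict != "malicious":
            return {cp: "allow" for cp in self.control_points}
        if ind.sha256 in self.blocklist:  # idempotent: a repeat verdict raises no new alert
            return {cp: "already-blocked" for cp in self.control_points}
        self.blocklist[ind.sha256] = ind
        return {cp: "detected" if cp == ind.source else "blocked" for cp in self.control_points}

# Constructed sample verdicts; the hash is a placeholder, not a real indicator.
FAKE_SHA256 = "00ff" * 16
SANDBOX_RAW = json.dumps({"file_sha256": FAKE_SHA256.upper(), "result": "malicious",
                          "time": "2024-01-01T00:00:00Z"})
EMAIL_GW_RAW = f"{FAKE_SHA256}|MAL|2024-01-01T00:00:05Z"
```

Subscribing a sandbox, endpoint, cloud and email gateway and then sharing the sandbox verdict blocks the hash at the three other control points in one call; a second verdict for the same hash from the gateway changes nothing and raises no duplicate alert.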

"One of our huge advantages, because all we do is security, is making sure that the threat intelligence in both directions is fed to a complete array of Check Point control points, not just firewalls," says Gronner.

When AI is brought to bear upon threat intelligence

The real power boost to the usefulness of threat intelligence comes when AI gets involved. Check Point and other vendors are already building AI assistants into their consolidated security platforms, as Abramovich explains.

"You can actually write to it in human language — give it a task or ask it questions like, 'Am I protected against this new threat that I read about in the newspaper yesterday?'" he says. "It will tell you, 'Yes, you're protected.'"

But when AI is directly applied to threat intelligence, it can spot patterns and new threats more quickly than any human, orchestrate a response more thoroughly than a regular SOAR system, and make suggestions based upon what it learns — and continues to learn.

"What AI is doing is generating its own intelligence from the intelligence already that exists," says Abramovich. "The importance of AI is using AI to create more intelligence to help you do things better."

If the AI continues to receive verifiable, useful threat intelligence — and human oversight may be needed to ensure that — the AI's threat-detection-and-response abilities should only improve. A consolidated security platform will provide the maximum efficiency of threat-intelligence analysis and AI-powered response coordination.

"Ultimately, you make security decisions based on the intelligence that you have," says Abramovich. "The better and more rich and more deep your intelligence is, the better your security decisions will be."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
