What makes intelligence “actionable” and worth your time?

Learn the nuances of actionable intelligence. Prioritize the correct threats with Netenrich.

Post by Liza Kurtz Aug 05, 2020

In a previous blog, we looked at threat and attack surface intelligence and how combining them helps you track threats and prevent attacks. We said speed, personalization, context, and “actionability” were all key, but this begs a few questions.

What, for instance, do we mean by “actionable intelligence,” and who decides what makes for actionable context? Ideally, the two go hand in hand: good context brings you to the point of taking the right action faster.

John Bambenek, VP of Security Research and Intelligence at ThreatSTOP, says:

“Threat intelligence tools typically do a very superficial job in finding the threat, but analysts are craving context to make this information relevant and actionable. In order to move from ‘admiring the problem’ to actually preventing breaches, it is absolutely essential to go deeper and make that information available to analysts.”

In and of itself, finding assets at risk on the Internet is not that exciting or overly helpful. Assigning a risk score and prioritizing risks based on relevant context, however, saves you a ton of time. To be truly actionable, intelligence should get you to the point where you know what to do next, without having to go to five other sources.

In the context, pun intended, of managing your threat landscape and shrinking your external attack surface, intelligence tools should answer several questions to be considered “actionable.”

What’s really happening? Is this thing good or bad?

Crawling millions of data points on the Internet turns up lots of questions, but at the end of the day, someone still needs to do the arduous work of extrapolating. In guarding your attack surface, you need to see all the assets your adversaries can see, but someone still needs to cross-check exposure against threat intelligence to find out if any have been linked to or hijacked for nefarious activity.

In exploring indicators of compromise (IOCs), extrapolation means correlating information and perspective from several different sources, like threat feeds, articles, blogs, social media, and research, and figuring out what to do with it. Journeying beyond aggregation all the way from news through to technical indicators that show your next steps (and vice versa) typically takes hours.

To bridge the actionability gap, Netenrich’s Attack Surface Intelligence (ASI) and Knowledge NOW (KNOW) threat intelligence come together to reduce the time and effort needed to resolve risks by orders of magnitude. For example, ASI might turn up an at-risk server connected to your brand. KNOW feeds into ASI to let you see instantly if that server has been known to help deliver ransomware.

When your team and tools uncover suspicious IPs and other IOCs, the next logical step is to dig deeper. This may mean popping into your threat intelligence portal to type in the IP and get a risk score. You can do that automatically or for free using available online tools. But is the risk score in context or just taken from industry databases? Does the information quickly become operational in your workflow, or do you still need to spend significant time stitching data together to make it actionable?

KNOW blends news with intelligence to get you there faster. On one screen, tags display trending news in the context of related topics and activities and technical indicators that guide your next step. You can, for example, see immediately whether a vulnerability is related to a specific ransomware attack and whether products in your infrastructure are being directly impacted.

What matters most to us? Where should we focus first?

Exhaustive automated discovery and data dashboards can be just that: exhausting. Automation and aggregation save time, but if there are 600 domains under your brand, can you see which are the riskiest and why?

Risk prioritization needs to be subjective and personal, and machines may only take you so far. An AI-led system can provide some impact analysis, but there’s no substitute for analysts vetting reports and informing prioritization.

Integrated threat intelligence also guides prioritization. For example, if four threats are trending on a given day, you need to know which ones impact your industry, or your vendors and partners directly.
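The cross-check described above (exposed assets correlated against threat intelligence, then ranked by how relevant the context is to you) as an added example. This is not Netenrich code; the asset inventory, indicator records, vulnerability context and sector are all constructed, and the weights are an illustrative assumption.

```python
"""Correlate discovered external assets with threat-intel context and rank them.
Added example, not Netenrich code; every record below is constructed."""

# Constructed asset inventory, as an attack-surface scan might produce it.
ASSETS = [
    {"host": "shop.example.com", "ip": "203.0.113.10", "products": ["nginx 1.18"]},
    {"host": "old-vpn.example.com", "ip": "203.0.113.22", "products": ["vpn-appliance 9.1"]},
    {"host": "mail.example.com", "ip": "203.0.113.40", "products": ["exim 4.94"]},
]
# Constructed indicator records keyed by IP; each carries the context the
# text asks for: what the IP was seen doing, how many feeds agree, whether
# the activity is trending, and which sectors it has been aimed at.
INDICATORS = {
    "203.0.113.22": {"activity": "ransomware delivery", "source_count": 3,
                     "trending": True, "sectors": ["retail"]},
    "203.0.113.40": {"activity": "spam relay", "source_count": 1,
                     "trending": False, "sectors": ["any"]},
}
# Constructed vulnerability context keyed by the affected product/version.
VULN_CONTEXT = {
    "vpn-appliance 9.1": {"exploited_in_wild": True, "patch": "9.2"},
    "exim 4.94": {"exploited_in_wild": False, "patch": "4.95"},
}
OUR_SECTOR = "retail"  # constructed: the organisation's own industry

def score_asset(asset):
    """Return (score, reasons). Exposure alone scores low; context raises it."""
    score, reasons = 1, ["internet-exposed"]
    ioc = INDICATORS.get(asset["ip"])
    if ioc:
        score += 2 * ioc["source_count"]  # corroboration across feeds
        reasons.append(f"linked to {ioc['activity']} ({ioc['source_count']} sources)")
        if ioc["trending"]:
            score += 3
            reasons.append("trending activity")
        if OUR_SECTOR in ioc["sectors"]:
            score += 3
            reasons.append("targets our sector")
    for product in asset["products"]:
        vuln = VULN_CONTEXT.get(product)
        if vuln:  # active exploitation outweighs a merely published CVE
            score += 5 if vuln["exploited_in_wild"] else 1
            reasons.append(f"{product} vulnerable; patch to {vuln['patch']}")
    return score, reasons

def prioritize(assets=ASSETS):
    """Rank assets highest-risk first, keeping the reasons that justify the order."""
    ranked = sorted(((score_asset(a), a["host"]) for a in assets), key=lambda r: -r[0][0])
    return [(host, score, reasons) for (score, reasons), host in ranked]
```

Each entry in the result answers the "what matters most and why" question directly: the host, its score, and the context that produced it, so an analyst can vet the ordering rather than trust an opaque number.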

KNOW gives security professionals complete context for deciding what really matters, on one dashboard page. It provides the deep context and actionability needed to get past the key checkpoint on the path to resolution: where exactly is the problem, and how do I fix it?

Actionable intelligence and context should show which risks warrant your highest priority and immediate attention, and if possible, answer the next obvious question.

So, what do we do about it?

If a vulnerability associated with your infrastructure turns up active, which versions of which products are impacted by it? What are the patches, and where do you go to get them? What should you do to shore up risk while you’re applying them?

Actionable threat intelligence goes beyond sharing published risk scores to add context around recent activity, known threat actors, expert perspective, and technical indicators. It’s about knowing how to address the risk head-on.

Can we do it faster? Make it easier?

Integration plays a pivotal role here. Most ASM and threat intelligence solutions feature one-way feeds – their data flows into your existing systems but not the other way around. If an alert pops up during discovery, they give you the choice of viewing it in the ASM platform or in another system such as ServiceNow. This helps streamline the process but doesn’t add much in terms of making your systems safer.

Ideally, intelligent integrations with digital cloud services and other providers should let you ingest data from your other systems into the ASM platform for faster, more personalized discovery and relevant context.

The same is true for integrating threat and attack surface intelligence tools. Threat intelligence from KNOW feeds right into ASI, so SecOps can take the next step right then and there, researching the most critical risks first and acting fast, before “the threat actors” do.

Don’t stop at dashboards

Without pointing you in the right direction, and protecting you for the long haul, intelligence merely amounts to more data that gets old or exploited before someone acts on it. Why spend the time, even if it’s free?

Before investing energy or resources in threat and attack surface intelligence, consider whether the two are integrated, and how close they can get you to the brink of action. Good intelligence shows ways to do things smarter, not just today but in your workflows, so you don’t confront the same issues over and over again.

Find it, fix it, forget it, or flow it into a plan to make security tighter and more proactive. Sign up for your free KNOW subscription or try ASI to see the difference actionability makes.
