Information overload: Making sense of threat intelligence

Luke McNamara, Deputy Chief Analyst at Google Threat Intelligence, explains why a human in the loop remains critical in threat intelligence, and how organizations can deal with the information overload they face from the volume of threat intelligence now being published.

Threat intelligence is meant to help organizations understand the threats that are out there and be prepared to deal with them should they face a cybersecurity incident. Over the years, the amount of threat intelligence generated and provided to organizations has increased substantially.

Today, organizations can struggle with intelligence overload and can end up unable to make sense of the data available to them. AI in threat intelligence is expected to help organizations manage the intelligence they receive.

However, even with AI, organizations will still need a human in the loop. To understand more about this, CRN Asia caught up with Luke McNamara, Deputy Chief Analyst, Google Threat Intelligence, during the recent Singapore International Cyber Week summit.

McNamara explains why the human in the loop still has an important role to play in threat intelligence, and how organizations can prioritize the intelligence they receive rather than drown in it.

With AI in threat intelligence, why do we still need that human in the loop?

I think you still need the human in the loop, certainly for a lot of different applications of AI to security. In threat intelligence, there are things that we can do to reverse malware faster, to draw correlations between maybe two different clusters of malware families, and see if it's actually the same actor in our analysis. I think you still want a human who's going to review that final output.

Using AI to speed up that process and maybe find these linkages and connections that we wouldn't otherwise find, or that would take some time, is incredibly important. But I think you still need a human ultimately to sort of assess the output, to make calls on certain things, especially once you get into assessing a vulnerability in a system within our environment.

If you know there's a threat actor who's historically targeted our sector that's actively exploiting that vulnerability, maybe you still want a human to go take that system offline and patch it, because that could have some potential business disruption component to it.

You still need a human in the loop for things like that. So, I don't think that's ever going to really go away.

As a lot of vendors are providing threat intelligence to customers, are we reaching a point where there's just so much intelligence that you don't know what to do with it?

Yeah, this is a good point. I've been working in cyber threat intelligence for over 12 years. When I first started, there were a lot fewer public blogs and research, white papers about some of these campaigns that now people are very familiar with.

We've gone so far in the other direction that I think one of the challenges now for a lot of organizations is, how do they make sense of it all? Because there are so many vendors and security researchers and governments that every week are publishing new reporting.

This is a challenge for organizations to prioritize. With everything that's being published, what are the threats that matter most to them? Sifting through and reading all that takes a lot of time and effort. Not all these threats are going to be as equally relevant to every organization.

When you get into the areas around attribution, what one organization tracks as this group, another organization might report on and use that same name, but maybe it's not quite the same group. And that naming is now being used in a different way than was originally intended. So that also kind of muddies the water a little bit.

But I think this is a big challenge for organizations. I think this larger problem of operationalization of intelligence, for organizations that may have multiple intel vendors, multiple threat feeds, and getting the full value out of them, can still be tricky and challenging: making sure all the relevant teams have access to that data and that it's being applied.

And this is where I think things like threat modelling are so important, where, as an organization, you sit down and decide, for example, here are the threats that matter the most. That then becomes a sort of framework by which you prioritize all the new intelligence that comes in, whether that's from external parties or even the kind of intelligence that's produced internally. So, I think threat modelling is sort of one of the ways to get around this larger issue of drowning in information.

So how would organizations know what threats they should focus on?

It's a bit of a chicken and egg problem. This is where historical data is important, and this is obviously going to vary based on the organization. If they've kept logs and records for historical incidents that they've had, it's a good starting place of what are the threats they've seen in the past.

There's a lot of good that the information sharing organizations do that are sort of industry-based, like the ISACs, because you do get that more vertical or sector-focused approach of the actors that are targeting our peers. And then there's also sort of regional and country-specific information sharing.

So, I would say if an organization has not gone through that exercise yet of mapping and kind of building out their threat modelling, those are good places to start. Even just doing sort of an asset inventory of the technologies that they utilize, or the partners and vendors that they utilize. If you do that beforehand, it becomes a lot easier.
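The two answers above describe a threat model (sector, regions, asset inventory, partners, actors seen in past incidents) being used as a framework to rank incoming reports, and note that vendor actor names do not map one-to-one onto real groups. The following script is an added example of that prioritization step; it is not code from the interview or from Google Threat Intelligence. Every actor name, product, source and weight in it is constructed for illustration, and the alias table stands in for whatever mapping an organization maintains between each source's naming and its own internal clusters.

```python
"""Rank incoming threat-intel reports against an organisation's own threat model.

Added example. All sources, actor names, products, regions and weights below are
constructed for illustration; none refer to real reporting.
"""
from dataclasses import dataclass


@dataclass
class ThreatModel:
    """What the organisation decided matters (the output of the threat-modelling exercise)."""
    sector: str
    regions: set            # where the organisation operates
    technologies: set       # from the asset inventory
    suppliers: set          # partners and vendors the organisation depends on
    historical_actors: set  # internal cluster ids seen in past incident records


@dataclass
class Report:
    """One published item of external intelligence (constructed fields)."""
    source: str
    actor: str              # the name as used by the publishing source
    sectors: set            # sectors the report says were targeted
    regions: set
    technologies: set       # products the report says were targeted or exploited
    suppliers: set          # third parties the report says were compromised
    actively_exploited: bool = False


# Constructed alias table: (source, source's name) -> internal cluster id.
# The key includes the source because two sources may use the same name for
# different activity, and different names for the same activity.
ALIASES = {
    ("VendorA", "Group-7"): "CLUSTER-A",
    ("VendorB", "RedFox"): "CLUSTER-A",   # same activity, different name
    ("VendorC", "Group-7"): "CLUSTER-B",  # same name, different activity
}


def canonical_actor(report):
    """Map a source-specific name to our cluster id; unmapped names stay distinct."""
    return ALIASES.get((report.source, report.actor),
                       f"UNMAPPED:{report.source}:{report.actor}")


def score_report(model, report):
    """Return (score, reasons) for how much this report matters to the model."""
    score, reasons = 0, []
    if model.sector in report.sectors:
        score += 3
        reasons.append("targets our sector")
    if model.regions & report.regions:
        score += 2
        reasons.append("active in a region we operate in")
    tech = model.technologies & report.technologies
    if tech:
        score += 2
        reasons.append(f"touches inventoried technology: {sorted(tech)}")
        if report.actively_exploited:
            score += 3  # exploitation in the wild against something we run
            reasons.append("actively exploited against that technology")
    supp = model.suppliers & report.suppliers
    if supp:
        score += 2
        reasons.append(f"hits a supplier we depend on: {sorted(supp)}")
    if canonical_actor(report) in model.historical_actors:
        score += 3
        reasons.append("actor previously seen in our own incident history")
    return score, reasons


def prioritise(model, reports, minimum=1):
    """Rank reports by score, dropping those below `minimum` as not relevant."""
    ranked = []
    for r in reports:
        s, why = score_report(model, r)
        if s >= minimum:
            ranked.append({"score": s, "source": r.source, "actor": r.actor,
                           "cluster": canonical_actor(r), "reasons": why})
    ranked.sort(key=lambda item: item["score"], reverse=True)
    return ranked


# Constructed threat model and inbound reports for a fictional Singapore bank.
MODEL = ThreatModel(sector="finance", regions={"SG", "MY"},
                    technologies={"ProductX VPN", "MailGateway Y"},
                    suppliers={"PayrollCo"}, historical_actors={"CLUSTER-A"})

REPORTS = [
    Report("VendorA", "Group-7", {"finance", "telecom"}, {"SG"}, {"ProductX VPN"}, set(), True),
    Report("VendorC", "Group-7", {"energy"}, {"EU"}, {"SCADA Z"}, set()),
    Report("VendorB", "RedFox", {"retail"}, {"US"}, set(), {"PayrollCo"}),
    Report("Gov-CERT", "unnamed", {"finance"}, {"SG"}, {"MailGateway Y"}, set()),
]

if __name__ == "__main__":
    for item in prioritise(MODEL, REPORTS):
        print(item["score"], item["source"], item["actor"], item["cluster"], "; ".join(item["reasons"]))
```

The weights are deliberately simple; what matters is that every point of score traces back to a decision the organisation made beforehand (sector, regions, inventory, suppliers, own incident history), so a report that hits none of them drops out regardless of how widely it is reported. The `(source, name)` key on the alias table is the part that handles the naming problem described above: "Group-7" from VendorC lands in a different cluster from VendorA's "Group-7", and an unmapped name is kept as its own bucket rather than silently merged.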

Are you seeing organizations doing this already?

It varies by organizational maturity. And it's something that can be more challenging for larger organizations. Across ASEAN and APJ, when you have very large organizations that are multinational, multi-sector, that can be challenging because trying to determine the crown jewels for the organization is hard when you have multiple lines of business. There can be a lot of different priorities. And so for very large organizations that can be very complex and involve a significant undertaking.

But for smaller organizations, they may also have problems with lack of maturity and the resources that are needed to kind of put towards that. Organizations that have had some time of consuming threat intelligence eventually get to a point, if they've not already done so, of creating a threat model by which they can prioritize the threats that matter most to them.

As such, how important is it in getting that message out for your customers?

It's incredibly important. I think that there's really no single organization or entity in the entirety of the world that has all of the perspective, all the visibility on all of the relevant threats at any one point. And so given that everyone has a little different pieces of the puzzle and different perspectives, I think that it's incredibly important to have intelligence and information sharing partnerships and other partnerships where we're able to increase the maturity of each other.

Cyberattacks are not constrained by national borders. Adversaries in one part of the world can launch operations or a campaign that maybe starts in Europe and then migrates to the United States or Asia Pacific. Some of the insights that organizations responding to those first parts of the campaign might gather can become relevant to the rest of us.

We know the threat landscape is going to continue to evolve. And so, anything that we can do to sort of increase not just these channels for information sharing but also the capacity of organizations to find some of these threats faster themselves, helps with better information and intelligence sharing.