The questionable quality of most threat intelligence data is an open secret within the cyber threat intelligence industry.
Security teams are tasked with ingesting and analyzing domain, IP and website data that’s been collected from numerous disparate sources, and forced through multiple aggregation layers without a concerted effort along the way to arrange it in the form of actionable intelligence.
For CISOs, attempting to pin down the ROI of an unquantifiable and subjective element of their security operation can be a daunting task. Feed data is inherently difficult to evaluate, and it’s often impossible to establish precisely where intelligence data has originated from. It’s no wonder that 46% of CISOs do not regularly read threat intelligence reports, when most of their intelligence data isn’t easily operationalized and their teams are starting on the back foot.
Summary
In this blog, we’ll explain why ‘data independence’ – the concept of a threat intelligence provider collecting and owning 100% of their own data – is set to change the way organizations perceive and use cyber threat intelligence by affecting a paradigm shift in intelligence methodologies from reactive to proactive, and some of the inherent problems seen in current methods of distributing and using intelligence data.
Issues with legacy threat intelligence
Most threat intelligence platforms are content with relying on public IOCs, OSINT data, crowdsourced intelligence and passive DNS sensors to gather intelligence – only a smattering of which is collected in realtime to produce actionable intelligence, if at all.
This approach leads to numerous problems.
There’s often significant overlap across data streams, with a considerable amount of false positives for SOC teams to sift through. Operational efficiency is also affected. Data drawn from multiple sources that isn’t designed to work together is inherently slower to search across, and lacks a unifying set of characteristics that allow teams to organize it quickly and efficiently into pre-arranged searchable spaces, to combat specific attack vectors.
The number one barrier to achieving data independence is the sheer amount of effort it takes from a standing start. Building an all-encompassing collection, aggregation and enrichment engine from scratch, with zero precedent, and delivering it at scale to produce timely, accurate and complete intelligence is no mean feat. It takes a great deal of ingenuity and innovation, and a hell of a lot of work.
Data independence as a threat intelligence solution
Silent Push is on a mission to defragment organizational security operations by providing our customers with first-party threat intelligence data that’s collected, clustered, scored and delivered without third-party intervention, and with specific use cases in mind.
We provide timely, accurate and complete cyber threat intelligence datasets that allow security teams to track emerging TTPs and pre-weaponized infrastructure. Threat actors assemble their infrastructure using a series of traceable patterns. Owning and controlling our own data allows us to add an infinite amount of context to each observable that we collect, and where there are patterns to be found, make those links across the global IPv4 space to produce actionable intelligence.
There’s no rigidity to worry about. We’re not beholden to third-party collection and storage methods. We pass the data through to our console and API as a searchable space designed to output Indicators of Future Attack (IOFA) – a global early warning system that promotes situational awareness amongst the C-Suite, and directs security teams to where an attack is coming from, not where it’s been.
Let’s take a look at some of the problems with legacy threat intelligence, and how data independence can help to solve them:
Multiple tools required to extract any kind of value
Silent Push is a self-contained and self-reliant threat hunting and threat intelligence platform. Our UI and API is designed with our data in mind, and caters to a range of use cases. Ingesting and analyzing first-party data at source is inherently more resource and cost efficient.
Data is collected at specific points in time
OSINT data dumps and legacy IOCs are inflexible and mostly relevant to a single point in time. Silent Push data collection features far lower intervals, allowing teams to respond to emerging threats as they develop. This enables teams to prioritize the most dangerous threat types and focus their efforts on attack vectors that are unique to their organization.
Data isn’t easily arranged based on threat type
Threat intelligence that’s gathered from multiple disconnected sources needs a lot of work before it can be considered actionable. First-party data is automatically sorted into searchable, self-contained, threat-specific spaces that require minimal intervention.
The myth that more data equals a more efficient threat intelligence posture
Data independence is less about volume, and more about creating and controlling the relationship between billions of disparate domains, IPs, DNS records and content hashes. This is impossible to achieve unless ownership resides within the platform itself, and categorization is considered alongside delivery.
Lack of provenance = a lack of trust
If SOC teams and security analysts aren’t entirely sure of where data has originated from, this makes it inherently less trustworthy, regardless of the reputation of the platform or vendor that’s delivering it – especially true for OSINT and crowdsourced intelligence. Increased trust derived from first-party data gives teams more peace of mind.
Multiple aggregation layers
Legacy threat intelligence often passes through multiple platforms and aggregation layers before it’s presented to the end user for ingestion and analysis. Silent Push’s first-party data is original, unadulterated and categorized in real-time.
Mass data streams are not outcome focused
First-party data is agile, allowing us to innovate and counteract emerging TTPs with new categorizations, and with a higher degree of accuracy. All too often, legacy intelligence hampers a security team’s ability to generate meaningful insights quickly and with a high degree of accuracy.
Get in touch
Silent Push Community Edition is a free threat hunting and cyber defense platform that features a huge range of advanced offensive and defensive lookups, web content queries, and enriched data types.
Silent Push Enterprise exposes Indicators of Future Attack (IoFA) by applying unique behavioral fingerprints to attacker activity and searching our dataset. Security teams can identify impending attacks, rather than relying upon out of date IOCs delivered by legacy cyber threat intelligence platforms.