Businesses are sourcing more cyber security threat intelligence more frequently as they fight to keep up with changes in the cyber security threat landscape.
Fully 11 per cent of companies involved in the latest Ponemon Institute Global Study on Exchanging Cyber Threat Intelligence said they are sourcing threat-intelligence information in real time or near real time. And 13 per cent said they are updating their threat-intelligence data hourly, while 17 per cent are doing so daily.
The proportion of companies waiting for weekly or monthly updates has dropped steadily over the last four studies – from 29 per cent and 11 per cent respectively in 2014, to 20 per cent and 8 per cent this year.
This reflects a growing maturity in the type, volume and relevance of threat intelligence available from security research firms – which are working around the clock to better understand new vulnerabilities, develop remediation strategies and trace the exploitation of data.
Such activities used to be conducted in proprietary research centres for competitive advantage. But with cybercriminal attacks surging, vendors have switched tactics to actively contribute to the global body of knowledge around security compromises.
Kaspersky, for example, has invested heavily in its OpenTip threat-intelligence service and offers customers constantly updated threat data feeds that contain information about dangerous IP addresses, URLs, hashes of concern and other new threats as they emerge.
By tapping these threat feeds, customers can keep their security information and event management (SIEM) tools updated with information about the latest threats as they’re discovered by worldwide security research teams at Kaspersky and other security research centres.
Targeted versions are curated with a focus on advanced persistent threats (APTs), attacks targeted at financial institutions, and industrial control system (ICS) vulnerabilities. Related tools provide threat lookup services, SIEM integration, and a Cloud Sandbox that can be used to analyse new malware threats.
Sources of the truth
Centralising the security output of Kaspersky’s team – which includes more than 4,000 security specialists throughout Australia and almost 200 other countries – has been crucial to productising its expansive research work for the benefit of the cybersecurity community.
“Years of expertise in detecting, analysing and remediating changing cybersecurity threats has given us a deep body of threat-intelligence data that can help companies of all sizes better defend themselves,” said Margrith Appleby, general manager at Kaspersky ANZ.
“By making this data available as widely and as easily as possible, we can help turn the insight of our security researchers into actionable information to help companies defend themselves against the cybercriminal onslaught.”
Greater industry co-operation has significantly improved the value of the threat intelligence companies receive – particularly last year, amidst universal recognition that the COVID-19 pandemic was being exploited by cybercriminals.
Fully 48 per cent of Ponemon respondents said their threat intelligence was accurate during 2020, up from 35 per cent in the previous survey.
And 43 per cent said the threat intelligence they received last year was actionable – up from 31 per cent the year before.
Only 47 per cent said they are effectively leveraging threat intelligence to improve cyber defences, while just 33 per cent are effectively using actionable threat intelligence from external sources to predict malicious activities.
Amid the acceleration of cybercriminal attacks in recent years, staying ahead of the criminals increasingly requires data to be refreshed more frequently – 23 per cent of Ponemon respondents said that threat intelligence becomes ‘stale’ within seconds.
Kaspersky has also been tackling these issues by combining data operations from around the world into a single Transparency Center in Zurich, Switzerland. It wrapped up the Australian and New Zealand part of this work late last year.
Data about threats detected by Australian and other regional users is stored in the Swiss facility, supporting Kaspersky’s global threat-intelligence activities and allowing customers to openly inspect the company’s security source code, threat-intelligence methodologies and other operational capabilities.
Kaspersky has subsequently opened similar sites in Madrid, Kuala Lumpur and São Paulo and will this year open a North American facility in New Brunswick, Canada. This is providing regional concentration of threat-intelligence data that will, Appleby said, bolster confidence in the accuracy and transparency of its threat data.
“Ultimately, better transparency on Kaspersky’s part will result in better threat intelligence for enterprises around the world,” she explained.
“As a key way of helping companies defend themselves better, open sharing of threat intelligence has become critical in a security community that is committed to helping companies of all sizes defend themselves better than ever.”