A common utterance among information security practitioners is that there is no such thing as a secure network. After all, a combination of newly discovered vulnerabilities, human error, and business priorities mean that a persistent attacker will be able to find a way in. NTT Security recognizes this stark reality, which is why we focus our security resources on the threats that present the most risk. Threat intelligence has become a key component of the risk assessment process as well as a tool for network security personnel to gain a better understanding of what is happening on the network.
Why? Because intelligence on threat actors, their methods, typical targets, and objectives can be used at the strategic level to help organizations determine what types of attacks they may face over the long term, the potential impact of a breach, and therefore what level of security is appropriate. This may drive spending on security infrastructure and personnel as well as policy decisions.
This same intelligence can be used operationally to improve a defense-in-depth approach to security by determining what types of threats an organization may be facing week to week and preparing for them. For example, it can provide actionable information on new exploits, which can then be incorporated into vulnerability scans and penetration tests. Firewalls can also be configured to block IP addresses that are known to be associated with botnets and other malicious activity, and personnel can be briefed on the details of the latest phishing campaigns. These will all help to raise the bar and keep attackers out of the network just a bit longer.
Meanwhile, at the tactical level, network teams can use malware and attack signatures, known hostile IP addresses, and other indicators of compromise to detect attacks, to determine what sort of threat they are facing, and to take appropriate actions to mitigate the threat. In a reality where attackers can be expected to breach the outer perimeter of network defenses, it is essential that defenders can find and stop attackers quickly, before they are able to retrieve and abuse sensitive data.
Like many organizations, NTT Security is faced with the challenge of collecting data from various open source and commercial feeds, information sharing groups, as well as our own sensors, correlating that data, and then moving it to the security systems and personnel where it can be useful. This is why we have partnered with ThreatQuotient – to help meet these needs within our Global Threat Intelligence Platform (GTIP). Its threat intelligence platform (TIP), ThreatQ, is a flexible architecture for aggregating and correlating threat data.
A key requirement to work with threat intelligence is to get the right data into the system. In our case, we are primarily leveraging high quality data that we collect from our customers through our own managed security infrastructure and sensors deployed across the NTT global network. This data is integrated into our ThreatQ platform via the built-in API. Meanwhile, we use open source and commercial feeds to fill in the gaps in our own visibility, connecting different pieces of information. ThreatQ integrates "out of the box" with a very large number of threat intelligence providers, which cuts down on the overhead of building these integrations ourselves.
In addition to automated feeds, our Global Threat Intelligence Center (GTIC) analysts are working to keep the data in our platform accurate and relevant while working with private information sharing groups to collect high value information that is not distributed publicly. ThreatQ’s user interface allows our GTIC analysts to quickly and easily input and work with this data while also giving our managed service analysts and consultants easy access to review and act upon the data.
Besides providing data to human analysts, it is also essential that data can be sent to, and therefore used by, various systems. ThreatQ supports the industry standard STIX/TAXII protocol that allows us to push data to our customers' SIEMs, IPSs, and other network and endpoint security products and custom applications.
When we have customers with their own in-house threat intelligence capabilities, we can also push our data to their own systems, ThreatQ or otherwise. We are also integrating ThreatQ into our managed service platform via its API so that our Realtime Correlation Engine can take advantage of this data and better protect our customers.
Crucially though, a major challenge for a company deploying a TIP on the scale of NTT Security is the long list of data protection laws around the world. We will often be in situations where certain threat intelligence data has to stay within a particular country or region. The flexible architecture of ThreatQ allows us to deploy instances around the world and connect them together. By flagging sensitive data, we can limit distribution to a particular country or customer or choose to share it across all of NTT Security and with other NTT Group companies and their customers – sharpening the protection around all of our networks.
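As an added illustration (not ThreatQ's or NTT Security's code) of the two mechanisms described above, pushing indicators as STIX objects and flagging data so that it only reaches a permitted region: residency is expressed as a constructed STIX 2.1 "statement" marking-definition, and a per-destination bundle is built fail-closed, so an indicator with no residency marking is never shipped. The IP addresses are constructed sample values from documentation ranges, and the "Residency: <REGION>" convention is an assumption made for this example.

```python
import uuid
from datetime import datetime, timezone

NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def residency_marking(region):
    """Constructed convention: a STIX 'statement' marking reading 'Residency: <REGION>'."""
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": f"marking-definition--{uuid.uuid4()}", "created": NOW,
            "definition_type": "statement",
            "definition": {"statement": f"Residency: {region}"}}

def indicator(ip, marking_id, description):
    """Minimal STIX 2.1 indicator for a hostile IPv4 address (constructed values)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": NOW, "modified": NOW,
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": f"[ipv4-addr:value = '{ip}']", "valid_from": NOW,
            "description": description,
            "object_marking_refs": [marking_id] if marking_id else []}

def residency(obj, markings):
    """Return the residency region an object is marked with, or None if it has none."""
    for ref in obj.get("object_marking_refs", []):
        stmt = markings.get(ref, {}).get("definition", {}).get("statement", "")
        if stmt.startswith("Residency: "):
            return stmt.split(": ", 1)[1]
    return None

def bundle_for(objects, markings, destination):
    """STIX bundle for one destination region (e.g. a per-region TAXII collection).
    Fail closed: unmarked objects are withheld; GLOBAL goes everywhere; else region must match."""
    chosen, marking_ids = [], set()
    for obj in objects:
        region = residency(obj, markings)
        if region is not None and region in ("GLOBAL", destination):
            chosen.append(obj)
            marking_ids.update(obj["object_marking_refs"])
    # Referenced marking definitions travel with the objects they mark.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [markings[m] for m in sorted(marking_ids)] + chosen}

def demo():
    """Constructed sample: three indicators routed to two destination regions."""
    de, glob = residency_marking("DE"), residency_marking("GLOBAL")
    markings = {de["id"]: de, glob["id"]: glob}
    objs = [indicator("203.0.113.7", de["id"], "C2 seen only at a DE customer"),
            indicator("198.51.100.9", glob["id"], "Botnet node from an open feed"),
            indicator("192.0.2.1", None, "Unmarked: must not leave the platform")]
    return {dest: [o["pattern"] for o in bundle_for(objs, markings, dest)["objects"]
                   if o["type"] == "indicator"] for dest in ("DE", "US")}
```

Running `demo()` shows the DE-only indicator reaching only the DE bundle, the GLOBAL one reaching both, and the unmarked one reaching neither.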