A recent paper by several European researchers at Usenix highlights one of the key issues facing cyber security practitioners today: Threat data from any given commercial data provider only shows a part of the picture despite the relatively high cost of acquiring it.
The research looked at two unnamed commercial cyber threat intelligence (CTI) providers and four unnamed free data providers. The researchers discovered that, even in cases where the CTI providers were looking at the same threat, there was very little overlap in information between them, and also between the paid and free providers. They used these findings to highlight that even top-tier threat intelligence providers are only providing a part of the picture to threat analysis teams, and questioned the value of the high-priced data.
It is true that there isn’t a “data panacea” that will give an organization total visibility into the threat landscape, even into one single threat actor. That doesn’t mean, however, that the right investments in data and analytic tools can’t be leveraged to reduce risk in an effective and cost-efficient way.
Finding the Right Data
There is a multitude of data available to CTI practitioners in any position. Often free data can provide basic information crowdsourced from attacks that happen every day all over the world. These free sources provide an invaluable baseline resource and should play a large role in any CTI operation.
Still, other data is only available via vast and expensive networks of sensors, through human sources, or through analysts and collectors with specialized and hard-to-find skills. These data can provide critical insights and predictive information that make tasks such as threat attribution and predictive analysis possible. Unfortunately, these datasets are expensive to collect, and this fact is often reflected in the price to the analyst.
It’s easy, especially for organizations with relatively small cybersecurity budgets, to look at the facts and determine that the free data is good enough, and that the added value of a more thorough, though admittedly still incomplete, picture of the threat landscape is less than the cost. Still, it’s clear that specialized premium data sources could take your company’s ability to stop threats and strategically reduce risk to the next level.
Bringing it All Together
The second argument the Usenix research presents against the use of paid data feeds is the fact that, despite their cost, the data remain incomplete. This is true. However, with the right tools, an organization’s analysts can take the disparate data, whether from free or paid sources, and create a unified picture containing all of the data available to them.
These tools can take a number of forms. Depending on how the data is brought together, the result can either be a coherent picture of how the players and the infrastructure are related, or a jumble of data littered with useless information where it is difficult or impossible for analysts to recognize and pull on the most relevant threads.
One of the most powerful data visualization tools for analysts looking for patterns from a multitude of sources is link analysis software. Not only does link analysis normalize all different types of data sources in a way that lets individual data points be compared and connected across the spectrum of information, but it also brings to light relationships in the data that would otherwise be impossible to identify. Link analysis is one of the most powerful ways to get a more complete picture from multiple sources of incomplete data.
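The normalization and linking described above can be sketched in a few lines. This is an added example, not code from the Usenix paper or from Avalon; the feed names, report IDs, indicators and function names are all constructed for illustration. It measures pairwise overlap between feeds and then links indicators that share a report into clusters.

```python
import itertools
import re
from collections import defaultdict

# Constructed sample data (not real indicators): feed -> [(report id, raw indicator)]
FEEDS = {
    "paid_a": [("A-1", "hxxp://Evil[.]example/login"), ("A-1", "203.0.113.7"),
               ("A-2", "bad.example.")],
    "paid_b": [("B-1", "evil.example"), ("B-1", "198.51.100.9")],
    "free_c": [("C-1", "198.51.100[.]9"), ("C-1", "203.0.113.7"),
               ("C-2", "other.example")],
}

def normalize(raw):
    """Refang and canonicalize an indicator to a bare host or IP."""
    s = raw.strip().lower().replace("[.]", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s).split("/")[0]
    return s.rstrip(".")

def jaccard_overlap(feeds):
    """Pairwise Jaccard similarity of the normalized indicator sets."""
    sets = {n: {normalize(i) for _, i in recs} for n, recs in feeds.items()}
    return {(a, b): len(sets[a] & sets[b]) / len(sets[a] | sets[b])
            for a, b in itertools.combinations(sorted(sets), 2)}

def clusters(feeds):
    """Link indicators seen in the same report; return connected components."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for recs in feeds.values():
        by_report = defaultdict(list)
        for report, raw in recs:
            by_report[report].append(normalize(raw))
        for inds in by_report.values():
            for other in inds:
                parent[find(other)] = find(inds[0])  # union with first indicator
    groups = defaultdict(set)
    for ind in parent:
        groups[find(ind)].add(ind)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

On this sample no two feeds share more than a quarter of their indicators, yet the largest cluster joins a domain and two IP addresses that no single feed reports together.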
Fortunately for your CTI team, King & Union Avalon provides an easy, cost-effective way to combine and analyze all of your data. Bring your access to any number of Avalon’s many supported data providers and collaboratively analyze it in one place. And stay tuned, because in the next few weeks we’ll have an exciting announcement about how Avalon can help give you even more control over your data sources and costs.
CTI is rapidly evolving, and a number of innovative companies are finding new ways to tap into the vast sea of data that can help keep your organization secure. While this data is dispersed and expensive to collect, we’re on a mission here at King & Union to help teams better utilize their data and get the most complete picture possible with our Avalon platform and integrations.