Member Article

What do Threat Intelligence and Music Have in Common? More than you Might Think

By Anthony Perridge, Regional Director, ThreatQuotient

I really enjoy watching live music and every time I do I think how great it must be to play in a band. You look totally cool and it looks so easy on stage but I’m sure it must be a challenge, not just learning how to play each song correctly on your own, but then playing together and having it sound amazing. Think about it.

Each instrument is supposed to add beauty to the music. But when all the band members come together with different music sheets, from different sources, using different rhythms and interpreted differently you can bet it sounds more like noise when they start playing all at the same time. That’s where a strong band leader really makes the difference – setting a clear direction and making decisions so that the entire band can efficiently and effectively come together to create beautiful music with a unique sound.

Given my cybersecurity profession and my musical hobby, it struck me that there are a lot of similarities between threat intelligence and the music world. Threat intelligence is made up of multiple, aggregated threat data points (individual music notes and sheets of music) turned into relevant intelligence (a music track) for your organisation. This music track should be unique, representing how you build and consume threat intelligence so that you can combat threats that matter most to your organisation in a holistic and synchronised way.

It sounds straightforward, but creating your own music track is challenging. Much like musicians with their own sheets of music, your security teams are organised in silos (the Computer Security Incident Response Team (CSIRT), Security Operations Centre, Risk Management, Vulnerability Management, Endpoint, Perimeter teams, etc.). Further, each of these teams relies on specific threat feeds based on their needs. Sending threat intelligence from these different feeds directly to your playbook or to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) can backfire. Without first aggregating, applying context and prioritising intelligence, instead of beautiful music, you get noise and false positives. You need the equivalent of a band leader to work efficiently and effectively and to derive the most value from all the different threat feeds most organisations subscribe to – commercial sources, open source, industry and existing security vendors.

Acting as the band leader, a threat intelligence platform is designed to aggregate the music notes from all available external and internal sources, ingest all possible music sheets in any format and rhythm, and then turn these raw notes into one unique music track to be played by the entire band. A threat intelligence platform augments and enriches this threat data with context for greater understanding of the who, what, when, how and why of a threat to determine relevance. Customised scoring allows you to prioritise so that you can focus on the right threat intelligence at the right time, creating your own arrangements if you will. Since, as we know, every company is different; they have their own unique music and sound.

Now you’re in a position to deploy the right intelligence to the right tools. Because the band leader has laid the proper groundwork, you can ensure that all musicians receive, in real time, the specific music sheet they need (SIEM, IR ticketing, web proxy, endpoint detection and response, etc.) so that they can, in concert, update policies and rules to mitigate risk.

But no band can afford to get stale and neither can your threat intelligence. As relevant threats are a moving target modified daily by your own threat detection and feedback, a threat intelligence platform allows your music track to dynamically evolve. It embraces inspiration, incorporating new data, context and learnings so you can continue to hone your performance through continuous threat assessment.

Much like a band leader does for a band, with a threat intelligence platform your band made up of security, threat intelligence and IR analysts can play harmonious music, consistently and efficiently. You have to admit, it’s surprising how much threat intelligence and music have in common.

This was posted in Bdaily's Members' News section by Anthony Perridge .