Combatting Complexity: The Power of Threat Intelligence | GBAF

Combatting Complexity: The Power of Threat Intelligence | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > UNFRAGMENTING SECURITY WITH THREAT INTELLIGENCE

UNFRAGMENTING SECURITY WITH THREAT INTELLIGENCE

Published by Gbaf News

Posted on May 16, 2017

11 min read

Last updated: January 13, 2026

Allianz Trade wins Global Banking & Finance Review’s Best Trade Credit Insurance Company Asia Pacific 2022

By Anthony Perridge, Regional Director, ThreatQuotient

It has often been said that complexity is the enemy of security. It is a simple statement but, nonetheless, one that holds true time and time again. The more complex your infrastructure, the more likely it is to have seams with exposed vulnerabilities. This is exactly what hackers are looking for, places where people and processes are not perfect and something is left unprotected.

In my last article I talked about how defence-in-depth and layering defences so that if one does not work, another layer is there to stop the attack. This has not always been the saviour we thought it would be. This stems from the fact that each layer of defence has been a point product; a disparate technology that has its own intelligence and works within its own silo, creating fragmentation. And, since this creates complexity, it stands to reason that to combat the enemy and improve security we need to reduce it. But how can you begin to unfragment something that is already out there in many pieces? To my mind the best way is to find the glue to put things together. This glue comes in the form of threat intelligence, integrating layers of point products within a defence-in-depth strategy to reduce it.

But this isn’t just a problem with defence-in-depth. You also see it in your external threat intelligence feeds and across the different teams involved in maintaining your security posture. Let’s take a closer look at the fragmentation that exists in these areas and how threat intelligence can help. A study by the American university, Carnegie Mellon, analysed the blacklist ecosystem over an 18-month period and found that the contents of blacklists generally do not overlap. In fact, of the 123 lists (which each included anywhere from under 1,000 to over 50 million indicators) most indicators appeared only on a single list. It’s no wonder there’s a huge data overload problem! The study goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” But don’t just take their word for it; the 2015 Data Breach Investigations Report commissioned by Verizon came to a similar conclusion noting that “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways.”

In an attempt to get the best coverage as they build their threat operations, most organisations are typically forced to use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. Lacking the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data remains fragmented, often does not have context and just becomes more noise. The path to threat intelligence begins with aggregating that external data into a threat intelligence platform (TIP).

Nevertheless a TIP needs to go further than simple aggregation. It must also operationalise and apply that intelligence as the glue to reduce fragmentation. With global data in one manageable location, it needs to be translated into a uniform format, and augmented and enriched with internal and external threat and event data. The correlation of events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, allows you to gain additional and critical context in order to understand what is relevant and high-priority to your organisation. Now you’re in a position to utilise that threat data, automatically exporting and distributing key intelligence across all the different layers of defence in depth to improve security posture and reduce the window of exposure and breach.

So how can you deal with the fragmentation across teams? Well, the key here is to find a way to use that threat intelligence for better decisions and action, and this can often be a challenge in siloed organisational structures. You might have a SOC (security operations centre), a network team, an incident response (IR) team and a malware team. More often than not, they don’t even work together, let alone share information or intelligence. Forced direct communication isn’t often effective, so how do you get those teams to work together in a way that makes sense? By offering a single repository for all threat intelligence that is contextual and prioritised, you can foster much needed collaboration without them necessarily even knowing it. With the ability to add commentary and store data for longer periods of time, the repository can become a core component of their processes. As the different teams use and update this repository, there is instantaneous sharing of information across other teams, resulting in faster, more informed decisions.

Taking this a step further, by integrating that repository into other existing systems – including, but not limited to SIEM, log repositories, ticketing systems, incident response platforms, orchestration and automation tools – you will allow disparate teams to use the tools and interfaces they already know and trust and still benefit from and act on that intelligence. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes, the SOC the SIEM and network team uses network monitoring tools and firewalls, and this is just the beginning. By getting consistent intelligence directly from the repository that they have been working in and updating collectively, everyone operates from a single source of truth, reducing fragmentation and complexity so they can accelerate detection and response.

I am in no doubt that complexity is the enemy of security, but this doesn’t have to mean that you are entirely helpless. The enriching of threat data from all your external and internal sources with context, relevance and prioritisation, allows threat intelligence to become the vital glue that reduces the overall fragmentation across your security environment. By reducing this complexity you can ensure that your teams can work together with their existing tools to keep your organisation safer.

By Anthony Perridge, Regional Director, ThreatQuotient

It has often been said that complexity is the enemy of security. It is a simple statement but, nonetheless, one that holds true time and time again. The more complex your infrastructure, the more likely it is to have seams with exposed vulnerabilities. This is exactly what hackers are looking for, places where people and processes are not perfect and something is left unprotected.

In my last article I talked about how defence-in-depth and layering defences so that if one does not work, another layer is there to stop the attack. This has not always been the saviour we thought it would be. This stems from the fact that each layer of defence has been a point product; a disparate technology that has its own intelligence and works within its own silo, creating fragmentation. And, since this creates complexity, it stands to reason that to combat the enemy and improve security we need to reduce it. But how can you begin to unfragment something that is already out there in many pieces? To my mind the best way is to find the glue to put things together. This glue comes in the form of threat intelligence, integrating layers of point products within a defence-in-depth strategy to reduce it.

But this isn’t just a problem with defence-in-depth. You also see it in your external threat intelligence feeds and across the different teams involved in maintaining your security posture. Let’s take a closer look at the fragmentation that exists in these areas and how threat intelligence can help. A study by the American university, Carnegie Mellon, analysed the blacklist ecosystem over an 18-month period and found that the contents of blacklists generally do not overlap. In fact, of the 123 lists (which each included anywhere from under 1,000 to over 50 million indicators) most indicators appeared only on a single list. It’s no wonder there’s a huge data overload problem! The study goes on to say, “our results suggest that available blacklists present an incomplete and fragmented picture of the malicious infrastructure on the Internet, and practitioners should be aware of that insight.” But don’t just take their word for it; the 2015 Data Breach Investigations Report commissioned by Verizon came to a similar conclusion noting that “there is a need for companies to be able to apply their threat intelligence to their environment in smarter ways.”

In an attempt to get the best coverage as they build their threat operations, most organisations are typically forced to use multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors – each in a different format. Lacking the tools and insights to automatically sift through mountains of disparate global data and aggregate it for analysis and action, the data remains fragmented, often does not have context and just becomes more noise. The path to threat intelligence begins with aggregating that external data into a threat intelligence platform (TIP).

Nevertheless a TIP needs to go further than simple aggregation. It must also operationalise and apply that intelligence as the glue to reduce fragmentation. With global data in one manageable location, it needs to be translated into a uniform format, and augmented and enriched with internal and external threat and event data. The correlation of events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, allows you to gain additional and critical context in order to understand what is relevant and high-priority to your organisation. Now you’re in a position to utilise that threat data, automatically exporting and distributing key intelligence across all the different layers of defence in depth to improve security posture and reduce the window of exposure and breach.

So how can you deal with the fragmentation across teams? Well, the key here is to find a way to use that threat intelligence for better decisions and action, and this can often be a challenge in siloed organisational structures. You might have a SOC (security operations centre), a network team, an incident response (IR) team and a malware team. More often than not, they don’t even work together, let alone share information or intelligence. Forced direct communication isn’t often effective, so how do you get those teams to work together in a way that makes sense? By offering a single repository for all threat intelligence that is contextual and prioritised, you can foster much needed collaboration without them necessarily even knowing it. With the ability to add commentary and store data for longer periods of time, the repository can become a core component of their processes. As the different teams use and update this repository, there is instantaneous sharing of information across other teams, resulting in faster, more informed decisions.

Taking this a step further, by integrating that repository into other existing systems – including, but not limited to SIEM, log repositories, ticketing systems, incident response platforms, orchestration and automation tools – you will allow disparate teams to use the tools and interfaces they already know and trust and still benefit from and act on that intelligence. For example, the IR team uses forensics and case management tools. The malware team uses sandboxes, the SOC the SIEM and network team uses network monitoring tools and firewalls, and this is just the beginning. By getting consistent intelligence directly from the repository that they have been working in and updating collectively, everyone operates from a single source of truth, reducing fragmentation and complexity so they can accelerate detection and response.

I am in no doubt that complexity is the enemy of security, but this doesn’t have to mean that you are entirely helpless. The enriching of threat data from all your external and internal sources with context, relevance and prioritisation, allows threat intelligence to become the vital glue that reduces the overall fragmentation across your security environment. By reducing this complexity you can ensure that your teams can work together with their existing tools to keep your organisation safer.