Sharing Threat Intelligence Among Best-Of-Breed Security Tools

You've assembled a powerful array of best-of-breed cybersecurity tools from multiple vendors—including the very best firewall, email gateway and web controls. But if they're not sharing threat intelligence, you may still be vulnerable.

That’s because attackers mount coordinated attacks through multiple channels. When each of your defensive tools acts in isolation, it may be ignorant of the threats that have already been detected in another channel.

It's as if you had a cadre of mighty warriors guarding your company headquarters, but they don't talk with one another. So while one warrior is bravely fending off attackers, his equally courageous comrades are completely unaware of the threat—which is about to attack them as well. 

In cybersecurity, that's often been the case. But now, there’s a growing trend to get those best-of-breed tools talking to each other, using Application Programming Interfaces (APIs) to share threat intelligence. "Sharing threat intel allows users to better protect themselves through an integrated security architecture," says Jules Martin, Mimecast VP business development. "And that allows for a deeper level of detection by covering multiple entry points. It makes sure the business is not exposed." 

Sharing threat intelligence among security tools also improves Mean Time To Respond (MTTR) to attacks. "You can detect, protect and respond quicker and better. That's what an integrated architecture can deliver," Martin says. 

Attackers Only Need to Find One Vulnerability

APIs allow disparate, best-of-breed security tools to share threat intelligence and indicators of compromise (IoC) with each other as a unified suite. That’s vital because attackers often use  multiple tactics to gain entry to an organization. They might start with a "man-in-the-middle attack." For example, an attacker might set up a fake Internet storefront and use a targeted phishing email to lure a user to enter their credentials into that storefront. From there, the attacker uses those stolen credentials to break into your network. The attacker might also send infected email attachments, or email links that download a keylogger and spyware. They even might try to tempt users to plug an infected USB storage device into their PC.

An attacker only needs one of those methods to succeed. "They're not looking to break down the walls to the fortress. They're simply looking for an open window," says Martin. 

Protecting against all those attacks requires that multiple security tools share threat intelligence to protect all the potential entry points, including email, the web, and USB storage devices. They need to exchange threat intelligence bilaterally, so that the information is shared among all the organization’s security tools.

The integrated approach just makes sense, Martin says. Most threats arrive via email or the web, which are the two primary channels used for business communications. "If you see a threat at the gateway, why wouldn't you want to spread information on that threat down the chain?"

Ideally, all the security tools in the organization should be notified when a threat materializes through any channel. Some of the key products requiring integrated threat intelligence through APIs include the Security Incident Event Monitor (SIEM), which watches for security incidents around the network; the Security Orchestration and Response (SOAR) system, which acts on detected security incidents; and endpoint security services that monitor laptops and other devices on the edge of the network. 

Additionally, even some services that would not usually be considered as part of the security suite need to connect to threat intel APIs. That includes IT Service Management (ITSM) systems, which open the tickets required for changing network and system configuration, often needed to remediate the attack. 

Shared Threat Intelligence Makes Fast Work

The integrated approach to threat intelligence is gaining popularity, particularly in the US. Other nations, including the UK, Europe, Australia and South Africa, are also seeing the need. "The rest of the world is waking up to this integrated approach," Martin says.

Besides improving organizations’ ability to prevent and respond to attacks, sharing threat intelligence using APIs can also streamline administrative work for cybersecurity teams. "There's a huge skills shortage in the market, and shared threat intelligence helps address the shortage by cutting down on administrative time," Martin says. Some companies are juggling as many as 75 different consoles to log in and manage different security platforms, for example. “Organizations are looking at solutions in isolation and saying, 'This is really time-consuming. This is very heavy from an administrative perspective."

"The business is better protected by an integrated approach," Martin says. "You can automate a lot of these repetitive tasks. And you can reduce the amount of administrative time by automation and threat sharing."

To enable this kind of threat intelligence coordination, vendors need to provide a range of APIs for interfacing with different security tools. APIs should be open, so software developers can build complementary security tools simply by implementing public APIs available on the web. 

Organizations of all sizes should ask their vendors about their API strategy for enabling integration with other tools. Small businesses, which generally have smaller security teams, will generally look to off-the-shelf integrations for sharing threat intelligence. Large enterprises, with their own expert security teams in-house, will start with off-the-shelf solutions and extensively customize them for their own particular needs, Martin says.

The Bottom Line

Cyber attackers mount coordinated, organized attacks across multiple channels. To prevent, detect and respond to those attacks, security tools also need to cooperate. By sharing threat intelligence using open APIs, security products can mount a coordinated defense, enable automated processes and help enterprises beat the security skills shortage.