Lesson #3: Advanced detective analytics and threat intelligence, the winning duo
Detection technologies need the right data to be effective. Running analytics on top of existing SIEM alerts or arbitrary data sets isn't the solution: such analytics remain constrained by the data they are fed and do not materially improve the platform's ability to detect advanced threats. The answer lies in advanced detection analytics, which focus on improving the accuracy and sensitivity of detection, combined with enrichment of detections by threat intelligence.
While the right threat intelligence, used well, can have outstanding results, the reverse also holds true: the wrong intelligence, or the right intelligence used badly, produces noise rather than detections. The threats one organisation is exposed to will differ from those facing the organisation next door. Intelligence-led advanced threat detection therefore requires CISOs to work out exactly which data sets and which threat intelligence sources provide the richest actionable information for their own organisation.
Operationalising threat intelligence, that is, feeding it into detection, response and planning at the tactical, operational and strategic levels respectively, is what turns it into real value and a meaningful defence against prospective attackers.
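As an added example (not code from the article or from any vendor), the block below shows what operationalising a feed looks like in practice: an indicator match is handled at the tactical level (is the indicator fresh and confident enough to act on?), the operational level (which campaign does it belong to, so that related events are worked as one incident?) and the strategic level (is this intelligence aimed at our sector?). The feed, the SIEM events, the sector labels and the age and confidence thresholds are all constructed assumptions for illustration; the naive matcher is kept alongside the operationalised one to show how much of the raw output is noise.

```python
"""Enrich SIEM-style events with threat intelligence and rank what is actionable.

Added example for this article, not the author's or any vendor's code. The
indicator feed, the events and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (assumption, not real time).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Assumed policy: stale or low-confidence indicators only add noise, so drop them.
MAX_AGE = timedelta(days=90)
MIN_CONFIDENCE = 60


@dataclass(frozen=True)
class Indicator:
    value: str           # the observable: IP address or domain
    ioc_type: str        # "ip" or "domain" (hashes would be handled the same way)
    confidence: int      # 0-100 as published by the feed
    last_seen: datetime  # when the feed last saw the indicator in use
    campaign: str        # operational context: the intrusion set it belongs to
    sector: str          # strategic context: the industry it is known to target


# Constructed feed (illustrative only; addresses are from documentation ranges).
FEED = [
    Indicator("203.0.113.10", "ip", 90, NOW - timedelta(days=2), "campaign-A", "financial"),
    Indicator("198.51.100.7", "ip", 20, NOW - timedelta(days=400), "unknown", "any"),
    Indicator("update-cdn.example", "domain", 85, NOW - timedelta(days=5), "campaign-A", "financial"),
    Indicator("198.51.100.77", "ip", 95, NOW - timedelta(days=1), "campaign-B", "healthcare"),
]

# Constructed SIEM events: outbound connections the firewall allowed.
EVENTS = [
    {"id": 1, "host": "fin-ws-01", "ip": "203.0.113.10"},
    {"id": 2, "host": "fin-ws-02", "ip": "198.51.100.7"},
    {"id": 3, "host": "fin-ws-03", "ip": "192.0.2.44"},
    {"id": 4, "host": "fin-ws-04", "ip": "198.51.100.77"},
    {"id": 5, "host": "fin-ws-05", "domain": "update-cdn.example"},
]


def build_index(feed):
    """Index indicators by (type, value) for constant-time lookup per event field."""
    return {(ind.ioc_type, ind.value): ind for ind in feed}


def raw_matches(events, index):
    """Naive enrichment: any event touching any indicator. This is the noisy baseline."""
    out = []
    for ev in events:
        for field in ("ip", "domain"):
            ind = index.get((field, ev.get(field)))
            if ind:
                out.append((ev["id"], ind))
    return out


def priority(ind, our_sector, now=NOW):
    """Return 'high', 'medium' or None (drop) for an indicator.

    Tactical filter: must be fresh and confident, otherwise it is noise.
    Strategic filter: intel aimed at our sector ranks above intel aimed elsewhere.
    """
    if ind.confidence < MIN_CONFIDENCE or now - ind.last_seen > MAX_AGE:
        return None
    return "high" if ind.sector in (our_sector, "any") else "medium"


def enrich(events, index, our_sector):
    """Operationalised enrichment: keep only actionable matches, with context attached."""
    hits = []
    for ev_id, ind in raw_matches(events, index):
        prio = priority(ind, our_sector)
        if prio is None:
            continue
        hits.append({"event": ev_id, "indicator": ind.value, "campaign": ind.campaign,
                     "confidence": ind.confidence, "priority": prio})
    return hits


def group_by_campaign(hits):
    """Operational view: which events belong to the same intrusion set."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["campaign"]].append(h["event"])
    return dict(groups)


if __name__ == "__main__":
    idx = build_index(FEED)
    print("raw matches:", [(e, i.value) for e, i in raw_matches(EVENTS, idx)])
    hits = enrich(EVENTS, idx, our_sector="financial")
    for h in hits:
        print(h)
    print("campaigns:", group_by_campaign(hits))
```

Run against the constructed data, the naive matcher fires on four of the five events, while the operationalised path drops the stale, low-confidence hit, ranks the healthcare-targeted indicator below the two aimed at the financial sector, and groups those two under one campaign so an analyst works them as a single intrusion rather than two unrelated alerts.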
The ultimate lesson: Cross collaboration
In the Polish bank attacks, the malicious code used to orchestrate the attacks was found to have been hosted on the website of the Polish Financial Supervision Authority (KNF), the government watchdog for the banking sector that is supposed to set cybersecurity standards for Polish banks.
This is typical of a vector known as a 'watering hole' attack, in which attackers compromise a site their intended victims are known to visit rather than attacking those victims directly, and it shows that orchestrated, planned attacks often span a number of different organisations. Without collaboration, such attacks take longer to detect and are harder to address in a meaningful and coordinated fashion.
If we want to build a common, coordinated and mutually supporting cyber response capability, collaboration across industry, third-party bodies and government is paramount.