Seven Cyber Security Courses in Orlando - Oct. 28-Nov. 2. Save $200 thru 9/25.

SANS Security Insights

Application Threat Intelligence: What Do CISOs Need?

Mike Convertino, CISO, F5 Networks

When it comes to risk, the applications our users depend on are a big concern. In F5's 2016 State of Application Security survey , most respondents cited security around applications as an area of great concern. It makes sense; applications are where we store our valuable data. When they go down, we can't work.

We know applications are essential to business, but they are also hard to nail down. The same survey reported that the average organization has 1,175 applications. That is a lot of applications to keep track of, and most respondents said they were not confident they knew where all their apps were.

Even if you don't have Internet-facing services, the threat to application availability of a DDoS attack is something you need to consider. How do you keep an eye on DDoS attacks? It's difficult since on the Internet, every attack is always a surprise attack. There are a multitude of invisible enemies with the capability to attack instantly and then vanish. To inform our risk analyses, CISOs need up-to-date and relevant intelligence on these threats.

So, how do you get threat intelligence? Certainly, there are plenty of threat feeds to purchase and they are wonderful resources. But, the first and most important bit of information you need to better defend your networks you already have. The basic truth is that most intrusions are based on known vulnerabilities.

Your vulnerability management team will manage vendor patches for all critical applications. Having intelligence feeds that tell you what exploits are currently active in your business vertical and what vulnerabilities they exploit can help you to prioritize what to patch first.

More than half of survey respondents cited lack of visibility into their applications as a problem that impedes security. A big factor is external dependencies in the application, which is something where you can seek out additional intelligence. For example, when DynDNS was a victim of a massive DDoS attack in late 2016, nearly 70 other major services went down because they hosted their DNS on Dyn. Another example works in the opposite direction: many SaaS applications require organizational credentials for authentication. Gathering intelligence on what is happening with your internal credentials is something you definitely want to do. Anywhere an application goes outside of your organizational control is a place you should watch.

Some of the timeliest threat intelligence come from outside your organization. What new attacks against applications are emerging? What new industry sectors are being targeted? What specific SaaS services are falling under siege? What kinds of infrastructure or technologies have been found to have serious vulnerabilities? There is a lot of threat intelligence out there, perhaps too much for a CISO to manage. Yet, by adopting a risk-centric approach, knowing your critical applications, and studying their major components, you can more easily fill in the blanks with that outside threat intelligence to give you a clearer, more complete picture.

Post a Comment


* Indicates a required field.