{"id":28889,"date":"2019-08-05T12:59:50","date_gmt":"2019-08-05T18:59:50","guid":{"rendered":"https://www.webroot.com/blog/?p=28889"},"modified":"2019-09-16T11:42:15","modified_gmt":"2019-09-16T17:42:15","slug":"context-matters-turning-data-into-threat-intelligence","status":"publish","type":"post","link":"https://www.webroot.com/blog/2019\/08\/05\/context-matters-turning-data-into-threat-intelligence\/","title":{"rendered":"Context Matters: Turning Data into Threat Intelligence"},"content":{"rendered":"\n<p>1949, 1971, 1979, 1981, 1983\nand 1991.<\/p>\n\n\n\n<p>Yes, these are numbers. You more than likely even recognize\nthem as years. However, without context you wouldn\u2019t immediately recognize them\nas years in which Sicily\u2019s Mount Etna experienced major eruptions.<\/p>\n\n\n\n<p>Data matters, but only if it\u2019s paired with enough context to\ncreate meaning.<\/p>\n\n\n\n<p>While today\u2019s conversations about threat intelligence tend to throw a ton of impressive numbers and fancy stats out there, if the discussion isn&#8217;t informed by context, numbers become noise. Context is how Webroot takes the wealth of information it gathers\u2014data from more than 67 million sources including crawlers, honeypots, as well as partner and customer endpoints\u2014and turns it into actionable, contextual threat intelligence. <\/p>\n\n\n\n<p style=\"text-align:center\"><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/business\/resources\/threat-trends\/june-2019\">Read about the importance of data quality for a threat intelligence platform in our latest issue of Quarterly Threat Trends.<\/a><\/strong><\/p>\n\n\n\n<h2>What defines contextual threat intelligence?<\/h2>\n\n\n\n<p>When determining a definition of contextual threat\nintelligence, it can be helpful to focus on what it is not. It\u2019s not a simple\nlist of threats that\u2019s refreshed periodically. 
A list of known phishing sites\nmay be updated daily or weekly, but given that we know the average lifespan of\nan in-use phishing site to be mere hours, there\u2019s no guarantee such lists are\nup to date. <\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u201cSome threat intelligence providers pursue the low-hanging fruit of threat intelligence\u2014the cheap and easy kind,&#8221; says Webroot Sr. Product Marketing Manager Holly Spiers. &#8220;They provide a list of IP addresses that have been deemed threats, but there\u2019s no context as to why or when they were deemed a threat. You\u2019re not getting the full story.&#8221;<\/p><\/blockquote>\n\n\n\n<p>Contextual threat intelligence is that full story. It\nprovides not only a constantly updated feed of known threats, but also\nhistorical data and relationships between data objects for a fuller picture of\nthe history of a threat based on the &#8220;internet neighborhood&#8221; in which\nit&#8217;s active.<\/p>\n\n\n\n<p>Unfortunately, historical relationships are another aspect\noften missing from low-hanging threat intelligence sources. Since threat actors\nare constantly trying to evade detection, they may use a malicious URL for a\nperiod before letting it go dormant while its reputation cools down. But\nbecause it takes more effort to start from scratch, it\u2019s likely the actor will\nreturn to it before too long. <\/p>\n\n\n\n<p>\u201cOur Threat Investigator tool, a visualization demo that illustrates\nthe relationship between data objects, is able to show how an IP address\u2019s\nstatus can change over a period of time,\u201d says Spiers. \u201cWithin six months, it\nmay show signs of being a threat, and then go benign.\u201d<\/p>\n\n\n\n<h2>What are the elements of context?<\/h2>\n\n\n\n<p>Over the course of a year, millions of internet objects\nchange state from benign to malicious and back numerous times as cyber\ncriminals attempt to avoid detection. 
And because threats are often\ninterconnected, being able to map their relationships allows us to better\npredict whether a benign object has the potential to turn malicious. It also\nhelps us protect users from never-before-seen threats and even predict where\nfuture attacks may come from. <\/p>\n\n\n\n<p>That\u2019s where the power in prediction lies\u2014in having\ncontextual and historical data instead of looking at a static point in time.<\/p>\n\n\n\n<p>Some elements that are needed to provide a deeper\nunderstanding of an interwoven landscape include:<\/p>\n\n\n\n<ul><li><strong>Real-time\ndata from real-world sources<\/strong>, supplemented by active web crawlers and\npassive sensor networks of honeypots designed to attract threats, provide the\nnecessary data for training machine learning models to spot threats<\/li><li><strong>An ability\nto analyze relationships connecting data objects <\/strong>allows threat intelligence\nproviders to make connections as to how a benign IP address, for example, may\nbe only one step away from a malicious URL and to predict with high confidence\nwhether the IP address will turn malicious in the future. <\/li><li><strong>Both live\nand historical data <\/strong>help in the development of a trusted reputation score\nbased on behavior over time and common reputational influencers such as age,\npopularity, and past infections.<\/li><\/ul>\n\n\n\n<h2>Seeing the signal through the noise<\/h2>\n\n\n\n<p>Context is the way to turn terabytes of data into something\nmeaningful that prompts action. Having the power to be able to dig into the\nrelationships of internet objects provides the context that matters to\ntechnology vendors. For consumers of contextual threat intelligence, it means\nfewer false positives and the ability to prioritize real threats. <\/p>\n\n\n\n<p>\u201cWorking with real-world vendors is key,&#8221; according to Spiers. 
&#8220;The reach of contextual threat intelligence and number of individuals it touches can grow exponentially.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1949, 1971, 1979, 1981, 1983 and 1991. Yes, these are numbers. You more than likely even recognize them as years. However, without context you wouldn\u2019t immediately recognize them as years in which Sicily\u2019s Mount Etna experienced major eruptions. Data matters, but only if it\u2019s paired with enough context to create meaning. While today\u2019s conversations about [&hellip;]<\/p>\n","protected":false},"author":149,"featured_media":28891,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[21933,21934,24453],"yst_prominent_words":[24813,24815,24803,24801,3769,24807,24809,24821,24805,3817,24811,4043,4531,4065,10739,24819,24817,3569,3789,3481],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/28889"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/149"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=28889"}],"version-history":[{"count":7,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/28889\/revisions"}],"predecessor-version":[{"id":29013,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/28889\/revisions\/29013"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/28891"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=28889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=28889"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.w
ebroot.com/blog/wp-json\/wp\/v2\/tags?post=28889"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=28889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}