Let’s observe for a moment nature all around us. Each species has developed a method of defense based on a single criterion — the capability of its main predator. Some animals bet on speed, others on protective shells, others on camouflage, the list goes on and on. Inventiveness is limitless but the objective is consistent:  defend against “THE” main predator of the species concerned.

So what about our cyber defense strategies?

Our approach is quite different. Regardless of our industry or location, we all use the same anti-spam gateways, the same web gateways, the same firewalls, the same anti-virus and the same intrusion detection tools. The signature updates of these tools are provided by the same publishers without taking into account whether we’re a bank or an energy supplier, or whether we’re located in France, Latin America, or have offices around the globe.

In short, our defense strategy seems to bet on the fact that we all have the same predator.

However, an analysis of incidents reported by any SOC, very quickly shows a different trend. While companies in all industries and geographies share the same background noise, for which conventional solutions provide reasonable coverage, most of the risk organizations face is related to two main factors:

1. Organized cybercrime campaigns that are executed in your local language, using regional context and, thus, are more devastating (e.g., highly credible local spear phishing campaigns).
   
2. Highly specialized adversaries who target your industry and relentlessly launch innovative campaigns against specific targets they have in their sights.

It is very clear that we do not all face the same predator.

I’m not trying to convince you to change all your defensive technologies. In fact, these tools are, for the most part, very powerful. The inadequacy comes mainly from relying exclusively on updates to signatures that determine what the tool should block or detect. Instead of helping you defend against a predator specifically targeting you, these technologies only address the background noise.

To adapt your defenses to protect against your adversaries, you need to augment general threat data with specific threat intelligence. Several sources are available:

• National/governmental Computer Emergency Response Teams (CERTs) develop and provide threat intelligence based both on a geography and industry so that organizations can understand and adapt to threats that are occurring locally in their specific sector.
• Information Sharing and Analysis Centers (ISACs) are organized by industry and disseminate to their members threat intelligence that concerns their sector.
• Commercial sources of threat intelligence provide updated threat data differentiated by adversaries, targets and geographic regions.
• Open Source Intelligence (OSINT) sources are less targeted but very numerous and provide free threat data that can provide valuable insights.

The use of these threat data sources as an adjunct to updates from traditional publisher updates makes it possible to adapt your protection and detection to the predators that pose the greatest risk to your organization. This approach to cyber security puts threat intelligence at the heart of the defense system and echos what we see in nature:

Keep an eye on the predator to better protect yourself.