What Is Threat Intelligence?
If SIEM helps IT professionals prioritize the most important alerts and logs with local context, then threat intelligence advances the technology even further by adding global context. Threat intelligence isn’t just a cybersecurity addition you buy or bolt onto your SIEM solution; it can be several different services, data feeds or additional products used to upgrade your security information at every level of the organization.
For K–12 school districts, threat intelligence can be the edge that lets under-resourced IT teams quickly decide where to dedicate attention right away and what alerts can fall to a lower priority.
There are several different ways threat intelligence can help K–12 IT administrators focus on the most important security threats quickly.
How Does Threat Intelligence Help K–12 Teams Prioritize Threats?
Start with desktop and laptop EPP software, which provides web content filtering and protection from malware and helps to harden the local operating system with additional firewall tools. Typical EPP products generate numerous logs indicating they’ve blocked some action — a malware infection, a prohibited URL and so on.
K–12 IT teams may look at these logs for the users with the most alerts to identify who needs additional education on good security practices to remember the “rules of the road” for the school. That’s a long-term, slow process that may or may not pay off before the students move on or change their habits.
Enter threat intelligence.
One of the common components of a threat intelligence program is an indicators of compromise (IOC) feed. When a particularly dangerous security threat is detected, vendors and government teams quickly put together IOC lists that can show that an individual device is currently compromised.
For example, in many Trojan and ransomware attacks, the compromised device will try to connect to a command-and-control server to receive instructions. While a desktop firewall can block outgoing connections to suspect devices, the IOC feed can elevate the outgoing connection log from the EPP to a specific threat and specific known compromise. This lets the school’s IT team know immediately that it needs to move quickly to isolate a particular device already on the network — a clear and straightforward action to reduce security risk that provides maximum effect for an already busy team.
How Does Threat Intelligence Help K–12 Teams Secure Their Networks?
Threat intelligence can also assist IT leaders with patch management. K–12 districts with dedicated security teams can use threat intelligence to help prioritize their vulnerability analysis and software patching and updating processes.
For example, a typical IT team receives notices from its software vendors about updates in a constant and time-consuming stream. Deciding which patches to prioritize and which to strongly enforce can be highly idiosyncratic: How a vendor advertises a patch, how an analyzer rates a vulnerability or even a blog entry from a security researcher can act as a trigger to set priorities.
Threat intelligence helps bring organization to patching chaos by showing a direct relationship between a known security threat, such as a ransomware campaign or phishing attack, and an unpatched vulnerability in clients and servers. IT teams know that no organization can be fully patched all the time, but threat intelligence can help identify currently active threats, especially to K–12-specific software tools, and then prioritize patching to counter those threats.
Threat intelligence isn’t a revolutionary idea; it’s the evolution of security information management and response based on the needs of security teams in every industry. K–12 IT teams can leverage threat intelligence with security products such as IPSs, firewalls, and SIEM solutions to identify and prioritize security hot spots in their networks that need immediate attention.