You've no doubt noticed an increasing number of vendors, researchers, consultants and others issuing reports detailing information security threats, promising new insights about the latest attacks, vulnerabilities and exploits. While many are valuable, the sheer amount of available information can be difficult to manage and digest. More importantly, the information may not even be applicable to your company's environment.
It is important to evaluate any threat report by the size of the data sample it relies on and the experience of the researchers involved in creating it.
The art of information security management is often more about managing time and resources than technology, and such is the case when it comes to Internet security threat reports. In this tip, we will discuss how to take advantage of threat report data without being overwhelmed by it.
More threats, even more threat reports
The number of vendor-sponsored threat reports is increasing because they serve a dual role for their authors. They not only inform the cybersecurity community about threats, but they also provide an important marketing function for their sponsoring companies. The reports are formatted to be easily understood -- often beginning with executive summaries, followed by extensive written analysis, ample charts and graphs, and even raw data -- and attractive because they really are marketing material.
The information can be somewhat dramatized in these reports; keep in mind that first and foremost, they are marketing material. An antivirus company, for example, is going to use its reports to emphasize the quantity and negative effects of malware infections to try to sell more antivirus software. This doesn't mean the data is invalid or the report is unusable; it's just context for the facts that are presented. That being said, it is important to evaluate any threat report by the size of the data sample it relies on and the experience of the researchers involved in creating it.
An often-overlooked feature of these reports is that they can be useful for end-user or executive security education. As mentioned above, they were initially created as marketing material, so most have a clear message packaged in a polished format. I have often used the annual Symantec Internet Security Threat Report when talking about malware trends. I have also used the annual Verizon Data Breach Investigations Report to demonstrate how patching vulnerabilities and running Web application vulnerability tests can reduce the chance of data breaches.
How to best use Internet security threat reports
The first step to managing threat reports is to find a way to make them actionable. I prefer collecting security threat information from multiple sources and aggregating them into an RSS newsreader like Google Reader or Feedly. The vendors and consultants that generate these threat reports often release facts from the reports to news sites or through their own RSS feed. I can comb quickly through the bits and pieces of information they release and determine whether the full report justifies further investigation. This drastically reduces the time I spend reading irrelevant information, and I can read what matters to me when it's convenient; for instance, on my phone or tablet while waiting in line for groceries.
The second step to making this information more actionable is to know how these threats can apply to the company technology platforms that must be protected. Every security manager should know exactly where the company's key information assets are located and which technology platforms they are using. Use this information to focus on threat reports that are specific to your organization's most important information assets. For example, if your organization has made a large investment in Microsoft products, it makes sense to prioritize reviewing Microsoft-related threat reports. Other reports that cover technologies that aren't mission-critical can build up in your RSS reader to review later.
Although the larger, general security studies, such as the Verizon DBIR, don't typically contain the timely tactical advice needed by information security managers, they are just as useful. You can use them to understand the past threat environment and to validate previous information security strategies. I have often found, for example, that a change in my defensive tactics during previous years is often reflected in the conclusions drawn by the Verizon DBIR.
Threat reports can be a valuable source of information for a security manager, if you follow some simple guidelines. Make the information actionable by finding ways to sort through and prioritize it. More is not "better" in regard to threat reports. They are far more useful if you select a few reports that are most applicable to your technology environment. Use the general threat reports for validating and setting strategy, and don't forget that they make great training materials. These guidelines should help you find and use the information in these threat reports more effectively.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in health care information technology. He is an active independent author and presenter in the health care information technology and information security fields. He is frequently consulted by the media and interviewed on various health care information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.
This was first published in June 2013