
The 411 on Threat Intelligence: What It Is, How It’s Used and Why It’s Critical to Network Security

Ted Gruenloh
CEO @ Nomic Networks
April 26, 2019

Imagine what would happen if a neighborhood a few blocks away from yours started getting hit by a string of burglaries. Would you just sit by and wait to be the next victim?

I doubt it.

You and your neighbors would probably start looking through police reports and listening to scanners. You’d talk to the victims to find out any characteristics that might clue you in as to how the perpetrators operated, what they looked like and what they looked for, so you could prevent yourself from being the next victim.

You’d look for patterns, like the time of day the break-ins were happening, how the thieves got in, and the makes and models of vehicles that were spotted around the time of the break-ins.

Why would you do all of this police work on your own? It’s simple.

The more you can find out about the existing or emerging threat, the more likely you are to determine the right plan of action to protect your home and your neighborhood from harm.

The same is true with network security.

That’s why actionable threat intelligence—collected knowledge about a potential threat—is a critical component of your overall security strategy. And, taken a step further, a threat intelligence gateway (like Sentinel) not only collects and analyzes that intelligence on an ongoing basis, but also takes action to shut those threats down. That knowledge plus action makes all of the difference in mitigating risk.

Let’s break down how it works.

Using Real-world Data to Identify and Shut Down Threats

The foundational element of the Sentinel threat intelligence gateway is our Collective Intelligence Network Security (CINS). This feed constantly acquires threat data from Sentinel devices worldwide, as well as a variety of InfoSec sources; then it analyzes the data, ranks each threat by severity, and produces real-time threat intelligence.

Like the neighborhood break-in analogy, our next step is to quickly learn everything we can about each prospective attacker. What ports does it talk on? When does it communicate? Does it use encrypted traffic or not? If it’s encrypted, what is the SSL handshake? Essentially, we put a stamp on what the malware looks like so we can virtually see it coming a mile away.

Then, we automatically configure Sentinel devices to use network cloaking to shut the door on those “always bad” IP addresses so they can’t communicate with, or even see, our Sentinel-protected networks. Instead of just locking the door, we use our knowledge of what’s coming and our proprietary technology to make our customers’ networks invisible to the incoming threat.

Instead of attempting to simply alert you when a breach occurs, we’re preventing attempted breaches from occurring at all, by cloaking your network from malicious scans and probes before they even start.

All Threat Data Is Not Created Equal

It’s important to note that, although a lot of companies create threat intelligence, many of them, unlike Sentinel, gather their data from honeypots and other methods that simulate real-world networks.

At Sentinel, we sit in front of real networks, analyzing real networks, and base our threat intelligence off of real-world traffic. So, we have a clearer world view of what’s happening and, although no threat intelligence is a silver bullet, a better likelihood of shutting threats down before they can do any damage.

It’s also critical to constantly monitor and maintain this information, because the threats are constantly changing. IPs can change hands quickly. Domains can go on and off in a matter of minutes. If a network administrator downloads a list of threats every week, and manually adds it to his or her firewalls, that admin might have a mass of false positives on their hands. At Sentinel, we have a continual feedback loop that shows us when last week’s Russian IP server isn’t owned by a threat anymore, and when last week’s, or yesterday’s, trusted IP suddenly goes rogue.

Our CINS list is dated hourly, and we’re configuring devices in near-real time. So, our customers are well protected from the latest infiltrators, with very few false positives or noise for the internal IT staff to deal with.
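The hourly refresh and the stale-list problem described above, as an added illustration that is not Nomic's or the CINS feed's own code: a small blocklist consumer that blocks only severe, recently reported IPs and reports what a device must add or release between two snapshots. The feed format, the severity scale, the 24-hour staleness window and the sample addresses are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy knobs (not CINS's real values): drop an indicator that has not
# been re-reported within STALE_AFTER; block only threats ranked MIN_SEVERITY+.
STALE_AFTER = timedelta(hours=24)
MIN_SEVERITY = 3

# Constructed sample snapshots ("ip,severity,last_seen"; RFC 5737 test addresses).
FEED_LAST_WEEK = """\
198.51.100.7,5,2019-04-19T08:00:00+00:00
203.0.113.42,4,2019-04-19T07:30:00+00:00
192.0.2.9,2,2019-04-19T06:00:00+00:00
"""
FEED_THIS_HOUR = """\
203.0.113.42,4,2019-04-26T09:10:00+00:00
192.0.2.200,5,2019-04-26T09:05:00+00:00
192.0.2.9,2,2019-04-26T09:00:00+00:00
"""
WEEK_AGO = datetime(2019, 4, 19, 9, 0, tzinfo=timezone.utc)  # when the old list was pulled
NOW = datetime(2019, 4, 26, 10, 0, tzinfo=timezone.utc)      # current refresh time

@dataclass(frozen=True)
class FeedEntry:
    ip: str
    severity: int
    last_seen: datetime

def parse_feed(text: str) -> list[FeedEntry]:
    """Parse the constructed feed format; comment lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, sev, seen = (f.strip() for f in line.split(","))
        entries.append(FeedEntry(ip, int(sev), datetime.fromisoformat(seen)))
    return entries

def active_blocklist(entries: list[FeedEntry], now: datetime) -> set[str]:
    """IPs worth blocking at 'now': severe enough and reported recently enough."""
    return {e.ip for e in entries
            if e.severity >= MIN_SEVERITY and now - e.last_seen <= STALE_AFTER}

def refresh(old_feed: str, old_time: datetime, new_feed: str, now: datetime):
    """Recompute the blocklist from a fresh snapshot and return the delta, so a
    device only adds newly bad IPs and releases ones that are no longer reported."""
    old = active_blocklist(parse_feed(old_feed), old_time)
    new = active_blocklist(parse_feed(new_feed), now)
    return new, new - old, old - new
```

Applying last week's snapshot unchanged today (`active_blocklist(parse_feed(FEED_LAST_WEEK), NOW)`) yields nothing blockable, which is the false-positive trap the post describes: every entry is older than the staleness window, so the IP that changed hands is still on a manually maintained list only because nobody aged it out.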

Leveling the Playing Field for SMBs

Clearly, threat intelligence is key to mitigating security risk and preventing damaging network breaches. But, traditionally, this level of sophisticated network security was only available to large enterprise customers.

Sentinel has changed all of that, giving SMBs access to the same enterprise-level data and pro-active monitoring that larger organizations enjoy, and doing it at an affordable price. In fact, our public threat list is already widely adopted across enterprises and enterprise providers.

Ultimately, Sentinel customers get the best of both worlds: enterprise-grade active threat intelligence and a Sentinel team that is taking the required action on their behalf.

The Numbers Tell the Story

If you’re still not convinced that a threat intelligence gateway should be a critical part of your network security, consider these facts:

By applying active threat intelligence, the incidence of catching blocked malware and ransomware before it penetrates the network goes up to 85 percent, from between 10 percent and 40 percent with a corporate LAN firewall or IDS/IPS.[1]

By implementing an active threat intelligence gateway (like Sentinel), up to 70 percent of all network traffic is identified as malicious and stopped at the perimeter, dramatically improving your firewall’s – and your network’s – performance.[2]

All of these factors make the right active threat intelligence a smart addition to your network security strategy. It’s the one time in life that intelligence is the no-brainer.

More Info

Sentinel Threat Intelligence Gateway
CINS Army

[1] Figures based on research from one of our upstream ruleset and threat intelligence providers.
[2] Based on our own internal analysis of inbound traffic on some of our busiest customer networks.


Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
