
What does threat intelligence look like in practice? Why is it important? We look for answers with Visma.

Threat intelligence is one of the more critical things to address as a business within your cybersecurity policy. It lets you understand threats before they reach critical systems, so you can take timely, targeted action. It also helps you respond to data breaches, for example. Properly arranged threat intelligence helps safeguard the quality of services and products.

Visma knows this need and has set up the Visma Security Program. This includes services to make the software more secure. Threat intelligence is one of those services. Visma’s IT brands, which are often too small to handle threat intelligence themselves, are taking advantage of it, taking their security efforts to the next level.


Information, information, information

If we look at how Visma manages it centrally for its subsidiaries, the first thing to note is that taking advantage of threat intelligence requires a lot of basic information about a subsidiary. On the one hand, this involves pure business information, such as office locations and social media channels. On the other hand, it includes more IT- and application-related information: IP addresses, domains, cloud resources, and production and application environments.

That information is needed since threat intelligence is a security discipline involving scanning of the internet. For example, one looks on the dark web to see if potentially dangerous events occur there. If there is a hit, Visma then investigates further. In this investigation, Visma’s information about the subsidiary can help. This is because it can be determined whether the potential threat can be linked to one of the Visma companies or users.

Mitigate risk

Suppose Visma comes across leaked account data during this work. The threat intelligence experts want to determine who the data belongs to. “They then look at what data is involved and how long it has been live,” says Cindy Wubben, Chief Information Security Officer Public Segment and Benelux at Visma. With credentials, Visma quickly identifies that the data is leaked and mitigates the risk before it becomes a problem. But sometimes it takes a search to find out who the data belongs to. “After all, we don’t want to buy those credentials because that’s how you perpetuate crime. So we depend on other analysis methods,” Wubben says.

Wubben points out that Visma faces several situations in determining who the account data belongs to. For example, there was a situation where, based on leaked personal information, Visma could figure out which person was affected by the leak. “Based on the leaked data, you see quite a lot, and a profile emerges. You can derive a lot from it. For example, when someone renovates his house, you can see that he has been to the hardware store. Based on the school accounts, you can see what region he lives in or what schools the children attend. All that kind of information tells you who it is. That’s how we know where to take action,” Wubben outlines.


So when credentials are leaked, Visma can determine that one of its subsidiaries, customers or suppliers has been affected. The victim is notified as soon as possible to proceed with risk mitigation. The threat intelligence team can also help with follow-up steps, such as reporting the incident. After all, the team has the relevant information about the leaked credentials and knows how to follow up on the threat successfully.

If it involves a small Visma company, this can also really add value. Such a small party did not have such threat intelligence before the acquisition by the parent company Visma.

You also want to have threat intelligence in advance

The kind of threat intelligence we covered in the previous sections relates to acting on a threat after the fact. In an ideal scenario, as a company, you act proactively, i.e. before a threat becomes too big. Wubben explains that for this, Visma looks much more at what is happening in the world. “It’s not about threats already harming us, but about ones that we can be affected by. We then look at what attack methodologies are commonly used. We further research those methodologies to determine how we defend against them. Will such an attack methodology be able to attack one of our systems successfully? If so, we will immediately take necessary measures,” Wubben said.

So, this proactive approach immediately makes systems more secure. In addition, Visma’s threat intelligence team gains insight into trends in cybersecurity. Visma disseminates this information throughout the organization by reporting on the threat landscape. This includes what a security expert can do to avoid new threats.

Continuously informed

The information analyzed by the threat intelligence team is very detailed. The team then makes the information more understandable, delivering weekly reports on the threat landscape. Wubben gets the most out of these weekly reports. They keep security experts who don’t spend all day working on threat intelligence up to date on the latest trends. Of course, they are personally notified earlier if a threat specifically targets their business.

Recent weekly reports show that infostealers, DDoS attacks and ransomware are hot. Wubben points out that this trend is global; the threat intelligence team also looks at how relevant those threats are to Visma companies and users. To do this, the team maps out which sectors and countries are often targeted. Financial services and education, for example, regularly come up in recent weekly reports, something Visma then has to respond to because it operates in those sectors. This also works the other way around – construction and manufacturing often surface, but Visma’s software doesn’t run much in those industries. In addition to this categorization by sector, the threat intelligence team also looks at the countries and regions where the new threats and techniques are common. Of course, the trends change frequently. The lists of most attacked industries, countries and regions change almost weekly.


Looking further in-depth

In addition to this focused monitoring of cybersecurity threats, Visma also looks at global developments for proactive action. This relates more to events that dominate world news. In recent years, this has involved the coronavirus, for example, and now the war in Ukraine is a significant topic. Cybercriminals can use such events to refine their attack tactics. Wubben cites as an example an announcement by the Dutch government to start supporting Ukraine with the delivery of F-16s. Such situations have the potential to unleash more state-sponsored attacks on the Netherlands.

Visma’s threat intelligence program always assesses global developments individually. Do they need extra attention from threat intelligence? If so, Visma looks at which member of the threat intelligence team best fits the additional monitoring for the news event. This way, someone with affinity and expertise for the topic is on the case.

Visma may also decide to set up meetings around a news event or cyber threat. These can be meetings with local Visma experts but also with outside experts. In this way, threat intelligence is kept at the highest possible level.

Striving for secure systems

The behind-the-scenes look at cybersecurity at Visma shows that threat intelligence can add value to businesses. By integrating reactive and proactive measures, Visma stays ahead of cyber threats as much as possible. All monitoring activities ultimately lead to systems remaining secure and the quality of services and products up to par.