CISOs are busy people. The chances are you’re balancing a variety of tasks: from communication with the board, to managing incident response, organization-wide training strategies, and a growing regulatory compliance burden driven by the GDPR and EU NIS Directive. This leaves little time to spend on due diligence to help vet new products and services. Yet when it comes to threat intelligence (TI), the sheer range of options out there makes it vital to first understand exactly what you should be looking for.
The right tools will make your job a whole lot easier and could even help champion the role of the CISO and the security function as a business enabler. That’s why we’ve come up with 10 key areas where CISOs should focus when deciding what kind of TI solution to buy.
First, it’s vital that any TI solution you choose is designed with the end user in mind. To extract maximum return on investment, you should be looking for a platform that can be used by as many relevant people in the organization as possible. The last thing you want is for only a handful of highly skilled analysts to be able to interpret the intelligence produced.
Consider whether you need an all-in-one or a modular solution. Although the former may seem like an easier purchase, it can actually lead to functionality you don’t need. Modularity offers a variety of functionality which can be purchased piece-by-piece, supporting more flexibility in how you use TI.
While you want flexibility in how you buy and use the product, you also need flexibility in pricing. TI is usually purchased as a subscription. If so, can the vendor offer discounts for large numbers of users? Also, watch out for extra hidden charges for additional reports and feeds.
If your TI doesn’t integrate well with other parts of the security infrastructure it could seriously impede your ability to enhance your cyber defenses. Make sure threat feeds can slot neatly and directly into SIEMs, endpoint solutions, firewalls, intrusion prevention tools and more so you can start building resilience to threats.
The type of data you source for your threat feeds is all-important. It should come from as broad a range of sources as possible, both human and machine-generated, internal and from third-party sources. These could include social media; analyst reports; sinkhole sensors, honeypots and crawlers; government agencies; AV feeds; and URL/DNS/IP lists.
Once you’ve made sure the data that gets turned into intelligence is obtained from a variety of reliable sources, consider the freshness of that data. The speed at which the threat landscape evolves is such that only ultra-fresh data will do.
Data is only useful if it’s targeted and actionable. That means it must be contextualized. Without context, feeds are almost meaningless. Information relevant to your sector can be particularly useful in providing early warning of emerging threat campaigns.
Who is using TI in your organization? It’s an important question to answer to make sure that you purchase the right solution. CISOs may personally get little value from tactical threat feeds but favor high-level contextualized reports, for example. There are different models for consuming TI, from high volume, low context feeds to low volume, high context reports. Threat Intelligence Platforms (TIPs) may be a good option to help combine, enrich and deliver disparate threat feeds as a single manageable stream. Or you may be looking for a more holistic TI solution offering a broader sweep of data sources and context.
It pays to invest in a platform that has the potential to scale as your organization grows and as your TI needs evolve. Being forced to ditch a platform which security teams have grown used to will impact productivity and hit the bottom line.
Finally, does the TI solution align with your security strategy? CISOs need tools that help them identify security gaps, meet rigorous compliance requirements and ultimately support growth by identifying and managing business risk. If the solution isn’t working for you at a strategic level then it’s probably not the right platform for your organization.
With the above in mind, CISOs can hopefully begin to make sense of the myriad options on the market. With a cybercrime economy now said to be worth as much as $600 billion annually and growing, attackers have a wealth of resources at their disposal to launch attacks, as well as a ready-made market for their stolen wares.
But threat intelligence offers organizations a valuable opportunity to turn the tables and get ahead of the bad guys for the first time — by predicting where threats will focus, responding with speed when an attack does hit home, and feeding red team exercises and forensic analysis to improve resilience for the future. That’s the kind of approach that will make a name for security in the organization, for all the right reasons.
To understand how Blueliv can help you choose the right threat intelligence tools for your business, check out our Buyer’s Guide to Threat Intelligence here. We’ve also got plenty of information about Threat Intelligence more generally on our blog, which you can visit here.