Threat intelligence has an influential role to play in organizations, but – like any technology-related solution – it must be applied in the right way to meet its full potential. This blog discusses how to maximize resources by deploying the right threat intelligence, at the right level, for your organization.
There are documented cases of entire threat intelligence investments falling flat due to perceived complexity or misunderstandings about their overall value to the business. This is exacerbated by the deepening cyberskills shortage, which squeezes resources to near breaking point. Hence, implementation is key when it comes to using threat intelligence effectively and efficiently. And everybody in the organization needs to be involved.
Threat intelligence stakeholders break down into two camps: those who operate the function (internal ops teams/analysts, etc.) and those who consume its value (CISOs and the Board). Taking each in turn, we can examine how their perspectives need to feed into the evaluation, deployment and use of threat intelligence systems.
CISOs / Board
The top-down view of threat intelligence begins with defining capabilities and parameters relevant to your organization’s unique situation. So you first need to have done some work profiling your risks at a high level, considering precisely what it is that causes greatest concern.
Retail businesses may wish to maximize their threat intelligence capability around common threat vectors for that industry such as phishing attempts on customers or employees. If you’re in financial services, targeted malware could be higher up your list of concerns. Likewise in healthcare, ransomware is a specific threat that occurs more in this sector than anywhere else.
Looking beyond your industry sector, consider what other business circumstances and attributes attract certain kinds of threats more than others; for example, having a large network of third-party partners that you regularly exchange data with. US foodservice delivery firm DoorDash is at the centre of a supply ecosystem with millions of customers, drivers and food vendors. A recent attack launched from a third party led to a data breach involving almost 5m records.
The thinking behind a targeted approach is not to close off the other avenues of threat intelligence, but simply to establish a purpose-driven threat model. The key is to tie the intelligence you get to a business problem or risk that you actually have.
CISOs and the Board might start from the assumption that the optimum threat intelligence system is one that blankets every conceivable threat vector to the same extent, thereby mitigating the possibility of being ‘caught out’ by vectors of lower probability. But this disregards the on-the-ground experience of IT and security teams who, faced with such a broad model, could end up so distracted by comparatively trivial alerts that they miss the ones of greatest danger. A recent study found that 72% of CISOs reported concern that their teams had experienced “alert and agent fatigue”. A great way to help is to leverage modular intelligence components that allow you to choose the threat categories that matter most to your business.
Analysts / SOC Team
At the coalface of operationalizing threat intelligence is the internal SOC team. Advocating their perspective means making it as simple as possible to make better, quicker security decisions. They need to spend their finite resources on handling the most worthwhile threat insights, not chasing their tails.
One of the biggest issues for security teams when dealing with threat intelligence feeds is information overload. As outlined above, turning on the firehose indiscriminately doesn’t help address the most probable risks. Around 27% of security pros claim to receive more than 1m security alerts per day, according to recent research, which is completely unsustainable.
Information avalanches frequently result in delays responding to critical security alerts. Should a data breach arise from such a scenario, the security team and management both feel aggrieved: the SOC team because they weren’t given enough resources to cope; management because all of the data was provided but no-one dealt with it.
So choose which feeds are most relevant and get rid of redundant overlaps. Examine whether the alerts being raised are applicable to the real-time environment or out of date. Freshness is all-important in threat intelligence. And if there are feeds already running that never throw up anything useful, carefully consider turning them off.
Another headache is the challenge of correlating data between your external threat intelligence supplier and internal logs. The operational objective should be to gain context and be able to prioritize vulnerabilities. Steer clear of the “can’t see the wood for the trees” paradox by insisting on capabilities that give you a high-definition picture to analyze, rather than lots of unrelated leads to follow up. Feeds alone are just data, not intelligence. Raw data from MRTI (machine-readable threat intelligence) feeds is usually not enough. With the right threat intelligence system in place you can contextualize this data, minimize redundant alerts and get rid of false positives altogether.
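The two preceding paragraphs describe a pipeline in words: dedupe overlapping feeds, age out stale indicators, correlate what is left with internal logs, and notice which feeds never produce anything. The script below is an added illustration of that pipeline, not code from the original post or from any vendor. The feed records, log lines, fixed clock, 30-day freshness window and the hostname-prefix asset weights are all constructed assumptions chosen to show the mechanics.

```python
"""Merge threat-intel feeds, drop stale and duplicate indicators, and match
them against internal logs.  Added example; feed records and log lines are
constructed for illustration and do not come from any real provider."""
from datetime import datetime, timedelta, timezone

# Constructed sample feeds.  Real MRTI feeds (STIX, CSV, JSON) carry far more
# fields; only the ones needed for dedup, ageing and matching are modelled.
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "bad.example.test", "last_seen": "2024-05-01T10:00:00Z", "tags": ["phishing"]},
        {"type": "ip", "value": "203.0.113.9", "last_seen": "2024-05-02T08:00:00Z", "tags": ["c2"]},
        {"type": "domain", "value": "stale.example.test", "last_seen": "2023-11-01T00:00:00Z", "tags": ["malware"]},
    ],
    "feed_b": [
        {"type": "domain", "value": "BAD.example.test.", "last_seen": "2024-05-03T12:00:00Z", "tags": ["credential-theft"]},
        {"type": "ip", "value": "198.51.100.77", "last_seen": "2024-04-28T00:00:00Z", "tags": ["scanner"]},
    ],
    "feed_c": [  # never matches anything internally: a candidate for switching off
        {"type": "sha256", "value": "a" * 64, "last_seen": "2024-05-03T00:00:00Z", "tags": ["malware"]},
    ],
}

# Constructed internal logs (one proxy line, two DNS lines) in a simplified key=value format.
LOGS = [
    "2024-05-04T09:12:01Z proxy host=finance-ws-12 dst=203.0.113.9 action=allow",
    "2024-05-04T09:13:44Z dns host=hr-laptop-03 query=bad.example.test rcode=NOERROR",
    "2024-05-04T09:15:10Z dns host=kiosk-01 query=stale.example.test rcode=NOERROR",
]

NOW = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_AGE = timedelta(days=30)                              # assumed freshness window
ASSET_WEIGHT = {"finance": 3, "hr": 2}                    # hypothetical criticality by hostname prefix


def normalise(ind):
    """Canonical key so 'BAD.example.test.' and 'bad.example.test' dedupe together."""
    value = ind["value"].strip().lower()
    if ind["type"] == "domain":
        value = value.rstrip(".")
    return (ind["type"], value)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def merge_feeds(feeds, now=NOW, max_age=MAX_AGE):
    """Collapse overlapping indicators across feeds and drop anything older than max_age.
    Returns {key: {"sources": set, "tags": set, "last_seen": datetime}}."""
    merged = {}
    for name, records in feeds.items():
        for ind in records:
            seen = parse_ts(ind["last_seen"])
            if now - seen > max_age:
                continue  # stale indicator: freshness matters more than volume
            entry = merged.setdefault(normalise(ind), {"sources": set(), "tags": set(), "last_seen": seen})
            entry["sources"].add(name)
            entry["tags"].update(ind["tags"])
            entry["last_seen"] = max(entry["last_seen"], seen)
    return merged


def parse_log(line):
    """Turn 'k=v' tokens into a dict; timestamp and log type are positional."""
    ts, kind, *kv = line.split()
    fields = dict(tok.split("=", 1) for tok in kv)
    fields.update({"ts": ts, "kind": kind})
    return fields


def match_logs(merged, logs):
    """Correlate logs with merged indicators; score = corroborating feeds x asset weight."""
    hits = []
    for line in logs:
        ev = parse_log(line)
        for typ, val in (("ip", ev.get("dst")), ("domain", ev.get("query"))):
            if val is None:
                continue
            key = normalise({"type": typ, "value": val})
            if key in merged:
                e = merged[key]
                weight = ASSET_WEIGHT.get(ev["host"].split("-")[0], 1)
                hits.append({"host": ev["host"], "indicator": key[1], "type": typ,
                             "sources": sorted(e["sources"]), "tags": sorted(e["tags"]),
                             "score": len(e["sources"]) * weight})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def feed_usefulness(feeds, hits):
    """Count how many hits each feed contributed to; zero-hit feeds are review candidates."""
    counts = {name: 0 for name in feeds}
    for h in hits:
        for src in h["sources"]:
            counts[src] += 1
    return counts


if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    hits = match_logs(merged, LOGS)
    for h in hits:
        print(h)
    print(feed_usefulness(FEEDS, hits))
```

Run as-is, the stale domain never reaches the matcher even though a kiosk resolved it, the two feeds that both list the phishing domain collapse into one indicator whose hit on the HR laptop outranks the single-source C2 hit on the finance workstation only because of corroboration and asset weight, and feed_c ends the run with zero contributions, which is exactly the signal the text suggests using when deciding whether a feed earns its place.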
To make the most from threat intelligence investments, you can’t afford to ‘set-and-forget’. A little time spent gearing your threat intelligence regime to fit your business needs pays dividends for all stakeholders, maximizing resource efficiency, negating alert fatigue and fundamentally securing the organization before, during and after any cyberattacks.