Today’s CISOs face an unprecedented range of pressures. They are tasked with creating the secure foundation on which the success of boardroom-led digital transformation efforts rests. They must manage a growing volume and variety of risks across networks, applications, clouds, endpoints, servers and supply chains. And they must do so whilst staying on the right side of regulators in the post-GDPR era.
It’s a difficult job. But finding the right threat intelligence (TI) provider can make it a lot easier. To do that, you’ll need to understand exactly what options are out there. With the right tools working in harmony with the rest of your security infrastructure, you can react quicker to breaking attacks, improve post-incident response and fortify systems more effectively against future raids.
There’s no doubt that modern organizations are besieged by cyber threats on all sides. These can come from nation states, especially those targeting critical infrastructure providers. They can come from hacktivists looking to make a name for themselves. But most often they come from financially motivated cyber-criminals. The UK government warned recently that some organized crime groups are increasingly looking “almost nation-state level” in their scale and capabilities.
The threats themselves have reached epidemic proportions. One security vendor blocked over 20.4 billion threats in just the first half of 2018. Yet while commodity and “spray and pray” approaches do still yield results for attackers, the most serious attempts are more covert and targeted. These could range from targeted ransomware like the SamSam variant, to highly sophisticated “ATM jackpotting” and fund transfer attacks on financial institutions. Then there are the breaches of customer data and IP which seem to saturate news coverage today. In many cases, one of the key early steps in the kill chain is the compromise of account credentials.
The repercussions of these rising threat levels are well documented by now: financial and brand damage, customer churn and potentially even the forced departure of the CISO. Organizations today operate under tremendous competitive and regulatory pressure. The price for a major attack is increasingly the head of the department thought to be responsible.
The value of good TI
All of which makes effective threat intelligence more vital than ever. At a basic level, TI should provide tactical, operational and/or strategic understanding of the factors which lead to attacks, enabling you to mitigate the impact of one when it happens and even proactively prevent a similar attack occurring in future. It’s important here to differentiate between threat data streams and threat intelligence. The former will provide raw data points on threats such as indicators of compromise (IOCs): IP addresses, domains, file hashes and the like. Those data points must be processed (normalized and deduplicated), enriched (joined with what other sources say about the same indicator) and contextualized (tied to the actors, campaigns and timeframes they relate to) before they become threat intelligence.
TI must be fresh, targeted, contextual and actionable to be of any use to IT and SOC teams. Otherwise it may be out of date and/or require more time to interpret, something few IT departments have much of today.
How to choose between solutions
As CISO, you need to ensure all security risk is being logged and managed effectively, and that any emerging threats are quickly understood and mitigated. That requires effective TI. But with so many solutions out there, it can be difficult knowing where to start. Here’s a quick checklist of some of the key areas to look out for:
All-in-one vs modular
A one-size-fits-all approach has some benefits, in terms of usability. But it could cost you a great deal more, and lead to you buying functionality you don’t need. Modular TI offers a more cost-effective route by enabling you to simply select the functionality most suited to your organization.
Threat intelligence is essential, but it also needs to be affordable. There may simply not be enough cash in the coffers to pay upfront for a product, which is where subscription-based pricing can help. It therefore pays to understand how the vendor charges. Are price plans flexible enough to fit with your own requirements?
Your organization will remain seriously exposed to cyber threats if threat intelligence can’t be understood and interpreted by your analysts. It makes sense to look for TI platforms that provide information via user-friendly dashboards and/or TI which has been personalized for individual users and roles.
Alignment and integration
You will gain minimal value from TI that doesn’t integrate with other vendor solutions in your IT stack. Understand if your TI solution slots neatly into your existing security architecture, which could feature third-party solutions in a variety of areas from incident response to vulnerability management. Consider the integration piece on a technical and a process level.
TI is only as good as the data on which it is built. Get that wrong and your business will remain exposed to cyber risk. That makes it essential to ensure you obtain high quality data from a wide variety of sources — both internal and external, machine and human-generated. It also needs to be as fresh as possible. If you find stolen customer card details on the dark web too late they may already have been monetized by fraudsters, for example.
You should also pay attention to who is using TI in your organization. Deliver it to the wrong people in the wrong format and your organization will gain no value from these tools. High-level, highly contextualized information may be useful for the CISO, but tactical teams will likely prefer Threat Intelligence Platforms (TIPs) or SIEM solutions which combine, enrich and deliver multiple disparate threat feeds as a single stream, or more sophisticated modular TI platforms which offer structured, actionable intelligence from a huge variety of trusted sources.
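The steps that separate a raw threat-data stream from usable intelligence (normalize, deduplicate, merge what several sources say about the same indicator, age out stale entries, and score what remains), as described above in the section on the value of good TI and again in the paragraphs on data quality and on combining disparate feeds, are shown below as an added example. This is illustrative code written for this page, not any vendor’s product or TIP. Both feeds are constructed samples using documentation-range IPs and made-up indicators, the field names and type labels are assumed to differ between feeds (as they usually do), and the confidence weights are an assumption chosen for illustration rather than an industry standard.

```python
"""Added example: merge two raw indicator feeds into one scored stream.

Illustrative code for this page only; not a vendor's product.
The feeds, field names and scoring weights below are constructed assumptions.
"""
import csv
import io
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample feed A: a CSV export with one ISO timestamp per row.
# Note the exact duplicate row and the indicator last seen months ago.
FEED_A_CSV = """indicator,type,first_seen,source
198.51.100.23,ip,2018-06-30T10:00:00Z,feedA
example-malicious.test,domain,2018-06-28T08:15:00Z,feedA
198.51.100.23,ip,2018-06-30T10:00:00Z,feedA
203.0.113.9,ip,2018-01-05T00:00:00Z,feedA
"""

# Constructed sample feed B: a JSON export with different field names,
# different type labels and inconsistent capitalisation.
FEED_B_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "seen": "2018-07-01T12:00:00Z"},
    {"value": "Example-Malicious.TEST.", "kind": "fqdn", "seen": "2018-07-01T12:00:00Z"},
    {"value": "DEADBEEFDEADBEEFDEADBEEFDEADBEEF", "kind": "md5", "seen": "2018-06-29T00:00:00Z"},
    {"value": "not-an-address", "kind": "ipv4", "seen": "2018-07-01T12:00:00Z"},
])

# Each feed's own type labels mapped onto one canonical vocabulary (assumed).
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "fqdn": "domain", "md5": "md5"}

# Fixed "now" so the example is deterministic; a real pipeline uses the clock.
NOW = datetime(2018, 7, 2, tzinfo=timezone.utc)


def parse_timestamp(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed_a(text, source="feedA"):
    """Read the CSV feed into (value, type_label, seen, source) tuples."""
    return [(r["indicator"], r["type"], r["first_seen"], source)
            for r in csv.DictReader(io.StringIO(text))]


def parse_feed_b(text, source="feedB"):
    """Read the JSON feed into the same tuple shape as feed A."""
    return [(r["value"], r["kind"], r["seen"], source) for r in json.loads(text)]


def normalize(value, kind, seen, source):
    """Return (type, value, seen, source) in canonical form, or None when the
    raw data point is malformed and should be discarded rather than trusted."""
    itype = TYPE_ALIASES.get(kind.lower())
    if itype is None:
        return None
    value = value.strip()
    if itype == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    elif itype == "domain":
        value = value.lower().rstrip(".")
    elif itype == "md5":
        value = value.lower()
        if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
            return None
    return (itype, value, parse_timestamp(seen), source)


def merge(records):
    """Collapse duplicates within and across feeds, keeping every source that
    reported an indicator and its earliest and latest sighting."""
    merged = {}
    for itype, value, seen, source in records:
        entry = merged.setdefault((itype, value),
                                  {"sources": set(), "first_seen": seen, "last_seen": seen})
        entry["sources"].add(source)
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
    return merged


def build_stream(feeds, now, max_age_days=30):
    """Normalize, merge, age out stale indicators and score the rest.
    Confidence weights (35 per corroborating source, +20 if seen within a
    week, capped at 100) are an assumption made for this example."""
    records = [n for raw in feeds for n in (normalize(*item) for item in raw) if n is not None]
    stream = []
    for (itype, value), entry in merge(records).items():
        age_days = (now - entry["last_seen"]).days
        if age_days > max_age_days:
            continue  # stale: too old to act on, drop it rather than alert on it
        confidence = min(100, 35 * len(entry["sources"]) + (20 if age_days <= 7 else 0))
        stream.append({"type": itype, "value": value, "confidence": confidence,
                       "sources": sorted(entry["sources"]), "age_days": age_days,
                       "first_seen": entry["first_seen"].strftime("%Y-%m-%dT%H:%M:%SZ")})
    stream.sort(key=lambda e: (-e["confidence"], e["type"], e["value"]))
    return stream


def demo_stream():
    """Run the pipeline over the two constructed feeds at the fixed NOW."""
    return build_stream([parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B_JSON)], NOW)


if __name__ == "__main__":
    for entry in demo_stream():
        print(json.dumps(entry))
```

The output is what a SIEM or TIP would actually ingest: one record per indicator, with the set of sources that corroborate it, how old the latest sighting is and a confidence figure, instead of four rows from one feed and four from another. The malformed IP address is dropped at normalization, the duplicate row in feed A collapses to one record, the differently cased and dotted domain from feed B merges with feed A’s entry, and the January indicator is aged out before anyone has to look at it.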
Ultimately, the final say lies with you. But one thing is certain: threat intelligence is now a key investment decision for the modern CISO. That’s why we’ve produced a Buyer’s Guide to help the process – check it out here.
Still confused about what sort of threat intelligence is out there? Visit our dedicated blog post here for in-depth information.