In just a few short years, the discipline of threat intelligence (TI) has grown from something on the cutting edge of cybersecurity to a must-have feature for any CISO serious about effectively managing online risk. Allowing organizations to finally move from a reactive to a proactive posture, it can accelerate and improve incident response during an attack, enhance forensic investigations and red team exercises, and help IT teams build in resilience to future threats by feeding TI into security tools.
These are crucial capabilities in a world where the rising volume and sophistication of attacks threatens to overwhelm stretched IT security teams.
Just how much pressure are CISOs under today? The growing complexity of IT infrastructure, an explosion of cloud-powered IoT and mobile endpoints, board demands for digital transformation, endemic skills shortages, and an increased regulatory burden led by the GDPR could each be the cause of a few sleepless nights. But together they represent a major challenge demanding an innovative, proactive response.
Skills shortages are especially problematic. According to the latest data, there’s a shortfall in cybersecurity practitioners worldwide of around 2.9 million, including 142,000 in EMEA. Over half (59%) of those polled for the study said their organization is at “extreme or moderate risk” due to staff shortages. Threat intelligence was highlighted as one of the most important areas to prioritize going forward as demand grows.
From reaction to prevention
A recent report from an independent Cyber Resilience Think Tank also highlighted threat intelligence as a priority for organizations. “As a security industry, we have to move away from being in a constant state of reaction,” one member commented. “I want to minimize damage to my organization — I want prevention.”
This is where the power of TI in supporting effective decision making becomes crucial. It’s made possible through several key stages:
High-quality TI starts with collecting data from as broad a range of reliable sources as possible. It needs to be sourced from the open, deep and dark web, including closed forums used by cyber-criminals and hacktivists, as well as more typical places such as threat databases, sinkholes and honeypots, community partnerships, and even monitoring of social media.
Data processing and delivery
Once it’s been gathered, that data is sorted and enriched via automated threat classification and scoring, open source intelligence (OSINT), human intelligence (HUMINT) and other methodologies. The “secret sauce” is in joining the dots, for example to connect a specific threat with a threat actor. It’s all about providing fresh, targeted, contextualized intelligence on which to base key decisions to identify, prioritize and respond to threats.
Visualization and dissemination
Once the TI has been generated, it must be presented in a way that maximizes the productivity and effectiveness of your limited team of analysts and security professionals. Some TI can be fed directly into firewalls, intrusion prevention systems and similar controls, so that you start to gain resilience against threats that have yet to reach you but which may already have been spotted in the wild targeting your sector. It’s also important to remember that TI consumers at a DevOps level will have very different requirements from the CISO, for example. That’s why some TI platforms and portals will offer customized real-time dashboards and reporting tailored for specific roles in the organization, ensuring you get maximum ROI.
You may be overwhelmed with unstructured threat data feeds unless they can be aggregated, managed, processed and enriched with the requisite contextual information through a single TI technology or vendor-specific tool, like Threat Compass. This solution will then ideally present TI functionality to teams via a discrete set of modules covering areas like: credentials, malware, credit card data, data leakage, social media, hacktivism, and more.
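As an added illustration of the collection, processing and dissemination stages described above (example code written for this page, not code from the original article or from the Threat Compass product): two constructed feeds are normalized, deduplicated, scored by source agreement, turned into a blocklist, and matched against constructed proxy log lines. The feed formats, the scoring rule, the log format and the indicator values are all assumptions.

```python
"""Minimal threat-intelligence aggregation pipeline (constructed example)."""
import csv
import io
import json

# Constructed sample feeds using documentation-range addresses, not real indicators.
FEED_CSV = """indicator,type,confidence
203.0.113.10,ip,80
bad.example.net,domain,60
203.0.113.10,ip,90
"""
FEED_JSON = json.dumps([
    {"value": "bad.example.net", "kind": "domain", "actor": "constructed-actor-1"},
    {"value": "198.51.100.7", "kind": "ip"},
])
# Constructed proxy log lines to disseminate the blocklist against.
LOGS = [
    "2024-01-01T10:00:00Z proxy allow 10.0.0.5 -> bad.example.net GET /",
    "2024-01-01T10:00:01Z proxy allow 10.0.0.6 -> 198.51.100.7 GET /",
    "2024-01-01T10:00:02Z proxy allow 10.0.0.7 -> good.example.org GET /",
]

def parse_csv_feed(text):
    """Yield (value, type, confidence, source, actor) from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"].strip().lower(), row["type"], int(row["confidence"]), "feed-csv", None

def parse_json_feed(text):
    """Same tuple shape; this feed carries no confidence, so an assumed default of 50 is used."""
    for item in json.loads(text):
        yield item["value"].strip().lower(), item["kind"], 50, "feed-json", item.get("actor")

def aggregate(records):
    """Merge duplicates across feeds; score = max confidence + 10 per extra source, capped at 100."""
    merged = {}
    for value, kind, conf, source, actor in records:
        entry = merged.setdefault(value, {"type": kind, "sources": set(), "confidence": 0, "actors": set()})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], conf)
        if actor:
            entry["actors"].add(actor)  # "joining the dots" to a threat actor
    for entry in merged.values():
        entry["score"] = min(100, entry["confidence"] + 10 * (len(entry["sources"]) - 1))
    return merged

def blocklist(merged, threshold=70):
    """Indicators confident enough to push to a firewall or IPS (threshold is an assumption)."""
    return sorted(v for v, e in merged.items() if e["score"] >= threshold)

def match_logs(log_lines, indicators):
    """Naive substring match of blocklisted indicators against log lines; returns (indicator, line) hits."""
    return [(ind, line) for line in log_lines for ind in indicators if ind in line.lower()]
```

Running `aggregate` over both feeds gives `bad.example.net` a score of 70 (60 raised by corroboration from a second source), so it lands on the blocklist and produces the single log hit, while `198.51.100.7` stays below the threshold.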
With these elements in place, CISOs can begin to get smarter about how they tackle cyber risk. That means not only integrating TI into security infrastructure to better fortify systems against future attacks, but also accelerating detection and response, and collecting vital post-attack intelligence which can be used to improve resilience.
Threats facing modern organizations can vary from relatively unsophisticated spray-and-pray ransomware to targeted information theft and covert, spear-phishing-led raids. The best threat intelligence will help you to make sense of the noise out in the threat landscape and proactively prepare for the worst the black hats can throw at you. And in a worst-case scenario, it can also help organizations to respond quickly to successful attacks by finding credentials, credit card or other stolen data on the dark web before it can be monetized.
With these capabilities in the back pocket, the average CISO will be able to manage risk more effectively, and in so doing provide a secure foundation for accelerating the digital transformation efforts all boards are demanding. It might even lead to one or two fewer sleepless nights.