February 27, 2018 • The Recorded Future Team
Rather than waiting with the lights turned off and hoping for the best, organizations are increasingly recognizing the value of proactive steps toward a more secure network: identifying cyber threats, building security operations centers, purchasing threat detection technologies, and creating cyber threat intelligence programs that incorporate threat data feeds and help to identify and prevent attacks before they happen. Recent research produced by ESG, a technology consulting group, shows that although about 38 percent of organizations have now had a cyber threat intelligence program in place for between two and five years, many of those organizations still struggle to act upon threat intelligence quickly and consistently.
In fact, among the cybersecurity professionals that ESG surveyed, nearly three quarters said that their work had become more difficult over the past two years. Even in an ideal scenario, the work of a security analyst demands focus and expertise, as well as comfort with ambiguity and incomplete information. But as the need for knowledgeable cybersecurity professionals rapidly grows in a world that increasingly relies on digital systems to function, one thing has become clear: the work simply does not scale.
The professionals surveyed by ESG identified three broad challenges that contributed to the sense that their work had grown harder in the past two years: an increasingly dangerous threat landscape, a shortage of skills in the industry, and a growing number of alerts.
Of those three problems, one cannot be directly solved by any one organization: as long as it is profitable for threat actors to carry out attacks, the threat landscape will continue to grow increasingly dangerous. But the problem of a shortage of skills in the industry, as well as the growing number of alerts, can both be mitigated through the use of automated threat intelligence solutions.
As long as analysts continue to process and analyze threat feeds manually, there will never be enough trained professionals to handle the volume of data they face today. Instead, ESG advises that analysts should rely on threat intelligence solutions that have the following features:
They draw on a growing assortment of data.
Many threat data feeds are free and publicly available — but they also only draw on publicly available sources themselves. Public data provides only a limited perspective. Threat intelligence solutions should also source from commercial and industry threat feeds, other closed sources like forums on the dark web, reports, and more. It is also important that they seamlessly integrate this data with your organization’s internal data and intelligence.
They have a central management and analysis portal.
A threat intelligence solution should turn this data into something applicable for multiple use cases within your organization — something that not only security analysts but threat hunters, incident responders, risk managers, and so on, can quickly apply to their needs. That takes technology that can provide context for raw data by comparing it against previous data sets, and that keeps everything in one place so the different teams in your organization can communicate more easily.
They are customizable.
Because each organization’s needs are different and use cases within an organization can vary, it is important to be able to filter, sort, share, and add custom notes to the same threat intelligence. A threat intelligence solution should support whitelists, blacklists, and risk scores that are relevant to the work your organization does, rather than derived from a more general list of threats.
They are powered by advanced analytics.
Threat intelligence solutions should automate processes that are scaling faster than humans can keep up with — namely, the collection and filtering of data. Advanced solutions rely on natural language processing and vertical search algorithms to get the right data and present it in a way that cuts down the number of false positives and prioritizes the alerts that actually matter.
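The customization and filtering features described above (whitelists, blacklists, custom notes, organization-specific risk scores, and prioritization that suppresses false positives) can be illustrated with a small pipeline. The following is an added example written for this article; it is not Recorded Future's or ESG's code, and the feed records, the policy values and the scoring constants (`CORROBORATION_BONUS`, `MAX_SCORE`) are all constructed for illustration.

```python
"""Added example: merge a constructed multi-source indicator feed, apply an
organization's own allowlist/blocklist and risk adjustments, then rank the
result so the indicators that actually matter surface first.
All sample data and policy values below are constructed, not real feed data."""
from dataclasses import dataclass, field

# Constructed sample feed. The same indicator can arrive from several sources
# (public, commercial, closed forum), each with its own 0-100 risk score.
RAW_FEED = [
    {"source": "public_feed",     "type": "ip",     "value": "203.0.113.7",      "score": 40},
    {"source": "commercial_feed", "type": "ip",     "value": "203.0.113.7",      "score": 70},
    {"source": "dark_web_forum",  "type": "domain", "value": "bad.example",      "score": 85},
    {"source": "public_feed",     "type": "ip",     "value": "198.51.100.9",     "score": 55},
    {"source": "public_feed",     "type": "domain", "value": "cdn.corp.example", "score": 60},  # actually a known-good asset
    {"source": "commercial_feed", "type": "hash",   "value": "deadbeef" * 4,     "score": 30},  # constructed hash value
]

# Constructed organization policy: the "customizable" layer on top of the feed.
POLICY = {
    "allowlist": {"cdn.corp.example"},   # known-good: suppress so it never becomes a false-positive alert
    "blocklist": {"198.51.100.9"},       # locally confirmed hostile: force to the top of the queue
    "type_adjustment": {"hash": 20},     # this org cares more about file hashes than the generic feed does
    "min_score": 50,                     # anything below this is noise for this organization
}

CORROBORATION_BONUS = 10   # assumed: each additional independent source adds this much
MAX_SCORE = 100


@dataclass
class Indicator:
    itype: str
    value: str
    score: int                                   # 0-100 after merging and local adjustment
    sources: set = field(default_factory=set)    # which feeds reported it
    notes: list = field(default_factory=list)    # custom notes explaining the score


def merge_feed(raw):
    """Collapse duplicate indicators across sources: keep the highest reported
    score and reward corroboration by more than one independent source."""
    merged = {}
    for rec in raw:
        key = (rec["type"], rec["value"])
        ind = merged.setdefault(key, Indicator(rec["type"], rec["value"], 0))
        ind.sources.add(rec["source"])
        ind.score = max(ind.score, rec["score"])
    for ind in merged.values():
        bonus = CORROBORATION_BONUS * (len(ind.sources) - 1)
        if bonus:
            ind.score = min(MAX_SCORE, ind.score + bonus)
            ind.notes.append(f"corroborated by {len(ind.sources)} sources")
    return list(merged.values())


def apply_policy(indicators, policy):
    """Apply allowlist, blocklist, per-type adjustments and the noise floor."""
    kept = []
    for ind in indicators:
        if ind.value in policy["allowlist"]:
            continue                                  # known-good asset: drop, do not alert
        if ind.value in policy["blocklist"]:
            ind.score = MAX_SCORE
            ind.notes.append("on internal blocklist")
        delta = policy["type_adjustment"].get(ind.itype, 0)
        if delta:
            ind.score = max(0, min(MAX_SCORE, ind.score + delta))
            ind.notes.append(f"type adjustment {delta:+d}")
        if ind.score < policy["min_score"]:
            continue                                  # below the org's noise floor
        kept.append(ind)
    return kept


def prioritize(raw, policy):
    """Full pipeline: merge, apply policy, and rank highest risk first."""
    ranked = apply_policy(merge_feed(raw), policy)
    ranked.sort(key=lambda i: (-i.score, i.itype, i.value))
    return ranked


if __name__ == "__main__":
    for ind in prioritize(RAW_FEED, POLICY):
        print(f"{ind.score:3d} {ind.itype:6s} {ind.value:34s} {sorted(ind.sources)} {ind.notes}")
```

Running it prints the blocklisted address first at 100, the closed-source domain at 85, the corroborated address at 80 (70 from the commercial feed plus a corroboration bonus), and the hash at 50 after the organization's type adjustment; the known-good domain never appears, which is the false positive the allowlist exists to suppress. The notes carried on each indicator are what lets a second team see why a score is what it is rather than re-deriving it.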
They integrate well with other technologies.
One of the reasons that security analysts continue to be overworked is because their cybersecurity platforms are built piecemeal from technologies that do not always work well together. Threat intelligence solutions should integrate with security information and event management (SIEM) tools, incident response platforms, trouble ticketing systems, and the other aspects of a network’s security infrastructure, like firewalls, web threat gateways, and so on.
They are supported by skilled services.
Ultimately, threat intelligence analysis is a skill that demands a level of expertise beyond what many organizations have, or else skilled professionals would not be in such high demand. Many threat intelligence vendors provide not only automated solutions, but also skilled support staff that are able to provide expert human analysis as well.
Automation is not a panacea. The future of threat intelligence is not one of man versus machine — rather, the most effective team is one that pairs humans with machines, playing on the strengths of both.
This truth has already been realized in many fields — for example, the strongest chess “player” is not a machine (and since 1997, when IBM’s Deep Blue supercomputer defeated world champion Garry Kasparov, it hasn’t been a human), but a man-machine combination. Chess experts have found that this pairing, which combines a human’s intuition, ability to read an opponent, and creative inspiration, with a computer’s brute-force ability to memorize and predict moves countless turns in advance, produces the strongest results. This format, called “freestyle” or sometimes “centaur chess,” allows even amateur players — assisted by computers — to compete with chess grandmasters. But it also makes a professional into an even more formidable opponent. In fact, Garry Kasparov was among the first to advocate for this new style of play.
The lessons from freestyle chess are broadly applicable to any field where artificial intelligence is useful. Automated data collection, filtering, and sorting allow less experienced cybersecurity professionals to spend more time building their skills instead of exhausting themselves on laborious processes, and the extra information they are given reduces the amount of guesswork they have to do. For members of your organization with more experience, automation gives them the freedom to focus on more skill-intensive pursuits like threat hunting and deeper analysis.
A well-functioning threat intelligence solution will give cybersecurity professionals the ability to see countless moves ahead; the organizations without such a solution, by contrast, are playing blindfolded.
To learn more about how to make your role in cybersecurity easier, not harder, download your copy of ESG’s “Operationalizing Threat Intelligence With a Complete Solution.”