So You Think Threat Intelligence Isn’t for You?
By Chris Pace on May 1, 2018
- You don’t have to have a dedicated threat intelligence team to get valuable and consumable insights.
- It’s important to embrace the differences between threat analysts and cybersecurity specialists.
- You should understand what constitutes the right threat intelligence for the right security functions.
Among all of the enthusiasm for threat intelligence and the potential it has to help in moving organizations to truly proactive security, we sometimes hear a few nagging doubts among information security professionals. Because beyond the “thought leadership” and the strategic conversations are dedicated teams who need to be sure that any initiative they invest in is going to bring real security benefits as well as significant increases in efficiency.
Isn’t Threat Intelligence Just for Elite Analysts?
One of the biggest preconceptions we come across is that you need experience as a super spy or must possess highly tuned analytical skills to get any kind of value from threat intelligence. Now, it’s true that there are businesses and most obviously, government organizations, who have threat intelligence teams made up of analysts and researchers who are dedicated to producing and communicating intelligence to the teams who need it.
These functions are often seen as ideal for disseminating finished intelligence around a business, whether operational security teams or members of the board. In fact, these in-house threat intelligence teams are actually very rare. This is primarily due to the complexity and cost of hiring adequately qualified people. Cybersecurity is still a relatively new field that’s already suffering from a well-publicized skills gap.
The answer is not to try and plug a cybersecurity specialist into the role of threat intelligence analyst, as the jobs require different skill sets. Palo Alto Networks explains these different capabilities with a simple illustration:
It’s like the difference between scientists and engineers. Scientists, like threat intelligence analysts, spend much of their time researching a subject over time to learn its behavior, motivation, and technique. They then publish their findings so others can apply that research in a practical way. Engineers, like cybersecurity specialists, apply the knowledge gained by scientists to the real world by building machines or writing code to produce the desired effect and then maintaining that machine or code over time. Not everyone in cybersecurity is meant to be a threat analyst.
Integrate Intelligence to Empower Security Teams
The function of threat intelligence teams is now being regularly outsourced to service providers with dedicated capabilities, but that doesn’t mean that there aren’t also more immediate ways to provide the right kind of intelligence to enhance a number of roles in different cybersecurity teams.
Ultimately, threat intelligence is useful if it helps you to defend against attacks, so for lots of organizations without the luxury of a threat intelligence team, the best way to get value from intelligence is by ensuring their security platforms can easily ingest it and make it understandable and applicable for a security professional. Many of these security functions are looking to automate as many of their operations as possible — this is the result of the sheer volume of alerts, incidents, and vulnerabilities they are bombarded with.
The ultimate goal is to prevent as many attacks as possible, identify targeted threats, and be confident that security staff have easy access to the intelligence and context that enables them to prioritize with speed and above all, absolute confidence. A mantra we regularly repeat is “more isn’t better, better is better.” For busy security teams, more data almost certainly not equal better prevention, detection, and response. Security-focused roles are looking for intelligence that’s relevant to them and that is readily consumable.
Security Roles That Have the Most to Gain From Threat Intelligence
There’s certainly an argument that every role in a comprehensive security strategy has something to gain from access to relevant threat intelligence. But here you can see the most common job functions and the significant benefits there are to be gained:
Security Operations Centers: Intelligence that integrates with existing security platforms adds vital context to alerts from internal event and log data.
Incident Response: External threat intelligence arms the incident responder with vital context. This knowledge can hugely accelerate the initial phases when responding to an incident.
Vulnerability Management: Augment vulnerability scanning with real-time context around CVEs — helping you to prioritize patching with insights into proof of concepts, exploits, and malware.
CISOs and Security Leaders: Threat intelligence helps to build a picture of the threat landscape, accurately calculate cyber risk, and arm security personnel with the intelligence and context they need to make better, faster decisions.
You can get more insight into how threat intelligence has a vital contribution to make in every role of security by reading our new white paper, “Busting Threat Intelligence Myths: A Guide for Security Professionals.”