How Security Intelligence Helps Leaders Make Risk-Based Decisions
May 28, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’ll be sharing excerpts from the second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at chapter six, “Threat Intelligence for Security Leaders.” To read the entire chapter, download your free copy of the handbook.
Security intelligence — spanning across your entire security strategy — isn’t just for security operations and vulnerability management teams. It empowers security functions throughout the organization to make better, faster decisions and amplify their impact — all the way up to the CISO. Senior security leaders can leverage actionable intelligence to identify real risks and guide critical planning and investment decisions.
While it was once relegated to the IT department, cybersecurity has now become a key business issue. It’s easy to see why: the cost of a data breach has increased by 12% over the past five years and now costs $3.92 million on average. Nightmarish breaches — from Equifax, to Capital One, and more — keep executives awake at night, for fear that a similar breach could cost them their jobs or take down their businesses.
But although cybersecurity is now a top-of-mind concern for C-level executives, many of them struggle to understand cybersecurity risk in technical terms. During board meetings, data-heavy presentations full of IOCs, CVEs, and risk scores are likely to fall on deaf ears. Meanwhile, CISOs face challenges in quantifying and communicating risk in a “dollars and cents” language that their peers can easily understand. This communications gap not only causes decision-making disputes, it also can lead to a misallocation of resources and open up their organizations (and their customers) to devastating attacks.
Security intelligence bridges this gap. Since it’s meant for everyone, it can be easily customized for and consumed by any audience. IT security teams can access deep-dive reports on threats and areas of interest, while executive teams can gain high-level insights to help them understand their overall risk posture and make informed decisions based on risk and ROI.
The following excerpt from “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” has been edited and condensed for clarity. In it, we examine how intelligence supports risk management and targeted investment in cybersecurity programs, explore which types of intelligence CISOs and senior security leaders find most valuable, and explain how intelligence plays a critical role in bridging the cybersecurity skills gap.
Threat Intelligence for Security Leaders
The job of the CISO has seen dramatic shifts in recent years. It once centered on making decisions about purchasing and implementing security technologies. Now, CISOs are far more likely to interact with the CEO and the board and to perform delicate balancing acts of pre-empting risk while ensuring business continuity.
Today, security leaders must:
- Assess business and technical risks, including emerging threats and “known unknowns” that might impact the business
- Identify the right strategies and technologies to mitigate risks
- Communicate the nature of risks to top management and justify investments in defensive measures
Threat intelligence can be a critical resource for all these activities.
Perhaps the greatest responsibility of the modern CISO is risk management — taking the resources and budget available and allocating them in a way that most efficiently mitigates the threat of cyber incidents and attacks.
Internal Data Is Not Enough
Taking a risk-based approach to security depends on having good information about relevant risk factors and potential weaknesses in existing security programs. The problem is that too often, this kind of intelligence is only gathered from internal audits, known issues, and previous security incidents. That produces a list of problems you already know about, not a list of the problems you need to worry about today or in the future.
External context is needed to verify risk related to known problems and provide warning about emerging and unforeseen threats.
Internal network traffic data, event logs, and alerting obviously bring value to risk management, but they don’t provide enough context to build a comprehensive risk profile, and certainly not enough to define an entire strategy. Security professionals must be proactive about uncovering unknown risks. Context is what helps security leaders determine which potential threats are most likely to become actual threats to their enterprise.
Sharpening the Focus
Threat intelligence includes information on general trends such as:
- Which types of attacks are becoming more (or less) frequent
- Which types of attacks are most costly to victims
- What new kinds of threat actors are coming forward, and which assets and enterprises are they targeting
- The security practices and technologies that have proven the most (or least) successful in stopping or mitigating these attacks
Data on these trends can help security organizations anticipate which threats will be the hot news items of tomorrow.
But contextualized external threat intelligence can go much further, enabling security groups to assess whether an emerging threat is likely to affect their specific enterprise based on factors like:
- Industry: Is the threat affecting other businesses in our vertical?
- Technology: Does the threat involve compromising software, hardware, or other technologies used in our enterprise?
- Geography: Does the threat target facilities in regions where we have operations?
- Attack Method: Have techniques used in the attack — including social engineering and technical methods — been used successfully against our company or similar ones?
Without these types of intelligence, gathered from an extremely broad set of external data sources, it is impossible for security decision makers to obtain a holistic view of the cyber risk landscape and the greatest risks to their enterprise.
Mitigation: People, Processes, and Tools
Vulnerability scans and techniques such as penetration testing and red teaming can help security organizations understand where gaps exist in their defenses.
But today’s enterprises have far more technical vulnerabilities, more weaknesses in security processes and policies, and more employees susceptible to social engineering techniques than they can possibly patch, harden, and train in the immediate future.
Threat intelligence helps security leaders pinpoint the vulnerabilities and weaknesses that need to be addressed first by indicating:
- Which threat actors are most likely to target the enterprise
- The TTPs those threat actors use, and therefore the weaknesses they tend to exploit
Sometimes threat intelligence can be even more specific. For example, analysts have found hackers on the dark web announcing their intention to attack specific industries, and even specific companies (sometimes to recruit like-minded hackers to assist them).
Analysts monitoring dark web marketplaces can also track the development and sale of hacker tools and exploit kits targeting specific vulnerabilities. It is important to patch vulnerabilities and mitigate weaknesses that are at the point of being exploited before tackling others where exploitation is theoretical.
Deciding how to invest in cybersecurity has become a daunting challenge in recent times. Financial investment advisers Momentum Partners identified more than 1,700 companies in 2017 that specialize in cybersecurity technologies and services. With so many choices, how can CISOs identify the most effective solutions to implement as part of a proactive security strategy?
The only logical way is to make investment decisions based on risk. Each organization has its own unique risk profile, shaped by its industry, locations, and internal infrastructure. Threat intelligence helps security leaders understand their organization’s most pressing threats, making the task of identifying (and justifying) areas for investment much simpler. The end goal is to be able to judge that risk and make investments based upon sound knowledge of the true threat landscape.
CISOs are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, return on investment, impact on customers, and competitive advantages.
Bombarding them with news about every single threat is not a good option.
Threat intelligence can provide powerful ammunition for these discussions, such as:
- The impact of similar attacks on companies of the same size in other industries
- Trends and intelligence from the dark web indicating that the enterprise is likely to be targeted
Supporting Security Leaders
Threat intelligence needs to be comprehensive, relevant, and contextualized to be useful to members of the security organization. When it comes to CISOs and other security leaders, it also needs to be concise and timely.
For example, threat intelligence can provide security leaders with a real-time picture of the latest threats, trends, and events. A threat intelligence dashboard or some other type of “at-a-glance” format can help security leaders respond to a threat or communicate the potential impact of a new threat type to business leaders and board members.
The Security Skills Gap
One of the responsibilities of a CISO is to make sure the IT organization has the human resources to carry out its mission. Yet, the cybersecurity field has a widely publicized skills shortage, and existing security staff frequently find themselves under pressure to cope with unmanageable workloads.
Threat intelligence can provide a partial answer to that crisis by automating some of the most labor-intensive tasks in cybersecurity and freeing people’s time for other tasks. For example, it can reduce the massive volume of alerts generated by SIEMs and other security tools, rapidly collect and correlate context from multiple intelligence sources, and provide data to prioritize risks.
A threat intelligence solution made available across the security function can save a huge amount of time, as SOC and incident response analysts, vulnerability management specialists, and other security personnel are given the information and context they need to make accurate decisions.
Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level, so the CISO doesn’t have to recruit as many senior staff.
Intelligence to Manage Better
It’s clear that the greatest challenge for CISOs and other security leaders is how to balance limited resources with the need to secure their organizations against ever-evolving cyber threats. Threat intelligence addresses these issues by helping them to build a picture of the threat landscape, accurately calculate cyber risk, and arm security personnel with the intelligence and context they need to make better, faster decisions.
Threat intelligence enables CISOs and security leaders to stay abreast of current and emerging threats in a way that simply isn’t possible through manual research. But for that to happen, a threat intelligence capability must be comprehensive, relevant, contextualized, concise, and timely. Threat intelligence capabilities without these characteristics will most likely hinder more than help, as partial or inaccurate information can easily lead to poor decision making.
Get ‘The Threat Intelligence Handbook’
The full chapter of our book has a lot more content, including a case study looking at how a major global retailer uses threat intelligence to share information across security teams. It’s a story that highlights how essential it is to break down the walls between different organizational “silos” at a large company, and how threat intelligence can add the crucial context to information that every team needs to see but might not always be interested in at first.
You’ll also find more helpful diagrams and figures, including a risk-assessment outline showing an approach security leaders can take when allocating budget and resources.
Read the full chapter by downloading your complimentary copy of “The Threat Intelligence Handbook.”