How Threat Intelligence Guides Decision Making for Security Leaders
November 21, 2018 • Zane Pokorny
Editor’s Note: Over the next several months, we’ll be sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the fifth chapter, “Threat Intelligence for Security Leaders.” To read the full chapter, download your free copy of the handbook.
Threat intelligence provides invaluable day-to-day context for security professionals working in areas like incident response and vulnerability management — but it’s also essential for high-level, strategic decision making. Security leadership at the executive level, particularly CISOs, can use threat intelligence to communicate more effectively with their peers who may not have technical backgrounds.
The digital realm has become increasingly woven into just about every major industry, system, and process that governs our lives. Cybersecurity is not something that anybody in a leadership position can afford to ignore — but that hasn’t stopped people from trying. Numerous business and thought leaders simply don’t keep up on digital technologies well enough to fully understand the risks their use can present.
The most egregious recent example of this is the admission by Japan’s cybersecurity minister that he’s “never used a computer.” Astonishing as that might be, it’s easy to believe that many business and political leaders excel in their fields while remaining inexperienced with digital technologies. But that ignorance can lead to a misallocation of resources and open up their organizations (and their customers) to hugely damaging attacks.
One major issue that threat intelligence can address is the difficulty of communicating across different parts of an organization. On this subject, the Harvard Business Review highlights that executives of various branches often care about entirely different metrics — financial, regulatory, technical, operational — when making decisions, frequently leading to conflicting results. Strategic threat intelligence can bridge this gap by presenting relevant information in a format that can be understood by executives who have little time or patience to analyze indicators of compromise or assess risk scores.
In this chapter of our new book, which has been edited and condensed for clarity, we’ll look more closely at how security leaders can use threat intelligence to more effectively communicate their organization’s cybersecurity needs and goals to other members of the executive team.
Threat Intelligence for Security Leaders
The job of the CISO has seen dramatic shifts in recent years. It once centered on making decisions about purchasing and implementing security technologies. Now, CISOs are far more likely to interact with the CEO and the board and to perform delicate balancing acts of pre-empting risk while ensuring business continuity.
Today, security leaders must:
- Assess business and technical risks, including emerging threats and “known unknowns” that might impact the business
- Identify the right strategies and technologies to mitigate risks
- Communicate the nature of risks to top management and justify investments in defensive measures
Threat intelligence can be a critical resource for all these activities.
Perhaps the greatest responsibility of the modern CISO is risk management — taking the resources and budget available and allocating them in a way that most efficiently mitigates the threat of cyber incidents and attacks.
Internal Data Is Not Enough
Taking a risk-based approach to security depends on having good information about relevant risk factors and potential weaknesses in existing security programs. The problem is that too often, this kind of intelligence is only gathered from internal audits, known issues, and previous security incidents. That produces a list of problems you already know about, not a list of the problems you need to worry about today or in the future.
External context is needed to verify risk related to known problems and provide warning about emerging and unforeseen threats.
Internal network traffic data, event logs, and alerting obviously bring value to risk management, but they don’t provide enough context to build a comprehensive risk profile, and certainly not enough to define an entire strategy. Security professionals must be proactive about uncovering unknown risks. Context is what helps security leaders determine which potential threats are most likely to become actual threats to their enterprise.
Sharpening the Focus
Threat intelligence includes information on general trends such as:
- Which types of attacks are becoming more (or less) frequent
- Which types of attacks are most costly to victims
- What new kinds of threat actors are coming forward, and which assets and enterprises they are targeting
- The security practices and technologies that have proven the most (or least) successful in stopping or mitigating these attacks
Data on these trends can help security organizations anticipate which threats will be the hot news items of tomorrow.
But contextualized external threat intelligence can go much further, enabling security groups to assess whether an emerging threat is likely to affect their specific enterprise based on factors like:
- Industry: Is the threat affecting other businesses in our vertical?
- Technology: Does the threat involve compromising software, hardware, or other technologies used in our enterprise?
- Geography: Does the threat target facilities in regions where we have operations?
- Attack Method: Have techniques used in the attack — including social engineering and technical methods — been used successfully against our company or similar ones?
Without these types of intelligence, gathered from an extremely broad set of external data sources, it is impossible for security decision makers to obtain a holistic view of the cyber risk landscape and the greatest risks to their enterprise.
Mitigation: People, Processes, and Tools
Vulnerability scans and techniques such as penetration testing and red teaming can help security organizations understand where gaps exist in their defenses.
But today’s enterprises have far more technical vulnerabilities, more weaknesses in security processes and policies, and more employees susceptible to social engineering techniques than they can possibly patch, harden, and train in the immediate future.
Threat intelligence helps security leaders pinpoint the vulnerabilities and weaknesses that need to be addressed first by indicating:
- Which threat actors are most likely to target the enterprise
- The TTPs those threat actors use, and therefore the weaknesses they tend to exploit
Sometimes threat intelligence can be even more specific. For example, analysts have found hackers on the dark web announcing their intention to attack specific industries, and even specific companies (sometimes to recruit like-minded hackers to assist them).
Analysts monitoring dark web marketplaces can also track the development and sale of hacker tools and exploit kits targeting specific vulnerabilities. It is important to patch vulnerabilities and mitigate weaknesses that are at the point of being exploited before tackling others where exploitation is theoretical.
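As an added illustration (not code from the handbook), the following Python ranks threats by the four contextual factors listed above (industry, technology, geography, attack method) and places threats with observed exploitation or tooling for sale ahead of those where exploitation is theoretical. The field names, exploitation labels, and the sample enterprise and threats are constructed for this example.

```python
# Added example (not from the handbook): rank threats by the chapter's four
# contextual factors, with observed exploitation outranking theoretical exploitation.
from dataclasses import dataclass, field

# Exploitation status ordering, most urgent first (labels are assumed, not the handbook's).
EXPLOITATION_RANK = {"active": 2, "tooling_for_sale": 1, "theoretical": 0}

@dataclass
class Enterprise:
    industry: str
    technologies: set
    regions: set

@dataclass
class Threat:
    name: str
    industries: set = field(default_factory=set)
    technologies: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    technique_seen_against_peers: bool = False  # "Attack Method" factor
    exploitation: str = "theoretical"

def context_matches(threat: Threat, org: Enterprise) -> int:
    """Count how many of the four contextual factors tie the threat to this enterprise."""
    return sum([
        org.industry in threat.industries,             # Industry
        bool(org.technologies & threat.technologies),  # Technology
        bool(org.regions & threat.regions),            # Geography
        threat.technique_seen_against_peers,           # Attack Method
    ])

def prioritize(threats, org):
    """Return (name, exploitation, matches) tuples, most urgent first.
    Threats with no contextual match are dropped: they are noise for this enterprise."""
    relevant = [(t, context_matches(t, org)) for t in threats]
    relevant = [(t, m) for t, m in relevant if m > 0]
    ranked = sorted(relevant, key=lambda tm: (
        -EXPLOITATION_RANK[tm[0].exploitation], -tm[1], tm[0].name))
    return [(t.name, t.exploitation, m) for t, m in ranked]

# Constructed sample data for illustration only.
ORG = Enterprise("retail", {"pos_terminals", "vpn_appliance"}, {"eu", "us"})
THREATS = [
    Threat("pos_scraper_kit", {"retail"}, {"pos_terminals"}, {"us"}, True, "tooling_for_sale"),
    Threat("vpn_appliance_cve", {"retail", "finance"}, {"vpn_appliance"}, {"eu"}, False, "active"),
    Threat("hmi_controller_flaw", {"manufacturing"}, {"plc"}, {"apac"}, False, "active"),
    Threat("phishing_wave", {"retail"}, set(), {"eu", "us"}, True, "theoretical"),
]
print(prioritize(THREATS, ORG))
```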
Deciding how to invest in cybersecurity has become a daunting challenge in recent times. Financial investment advisers Momentum Partners identified more than 1,700 companies in 2017 that specialize in cybersecurity technologies and services. With so many choices, how can CISOs identify the most effective solutions to implement as part of a proactive security strategy?
The only logical way is to make investment decisions based on risk. Each organization has its own unique risk profile, shaped by its industry, locations, and internal infrastructure. Threat intelligence helps security leaders understand their organization’s most pressing threats, making the task of identifying (and justifying) areas for investment much simpler. The end goal is to be able to judge that risk and make investments based upon sound knowledge of the true threat landscape.
CISOs are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, return on investment, impact on customers, and competitive advantages.
Bombarding them with news about every single threat is not a good option.
Threat intelligence can provide powerful ammunition for these discussions, such as:
- The impact of similar attacks on companies of the same size in other industries
- Trends and intelligence from the dark web indicating that the enterprise is likely to be targeted
Supporting Security Leaders
Threat intelligence needs to be comprehensive, relevant, and contextualized to be useful to members of the security organization. When it comes to CISOs and other security leaders, it also needs to be concise and timely.
For example, threat intelligence can provide security leaders with a real-time picture of the latest threats, trends, and events. A threat intelligence dashboard or some other type of “at-a-glance” format can help security leaders respond to a threat or communicate the potential impact of a new threat type to business leaders and board members.
The Security Skills Gap
One of the responsibilities of a CISO is to make sure the IT organization has the human resources to carry out its mission. Yet, the cybersecurity field has a widely publicized skills shortage, and existing security staff frequently find themselves under pressure to cope with unmanageable workloads.
Threat intelligence can provide a partial answer to that crisis by automating some of the most labor-intensive tasks in cybersecurity and freeing people’s time for other tasks. For example, it can reduce the massive volume of alerts generated by SIEMs and other security tools, rapidly collect and correlate context from multiple intelligence sources, and provide data to prioritize risks.
A threat intelligence solution made available across the security function can save a huge amount of time, as SOC and incident response analysts, vulnerability management specialists, and other security personnel are given the information and context they need to make accurate decisions.
Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level, so the CISO doesn’t have to recruit as many senior staff.
Intelligence to Manage Better
It’s clear that the greatest challenge for CISOs and other security leaders is how to balance limited resources with the need to secure their organizations against ever-evolving cyber threats. Threat intelligence addresses this challenge by helping them to build a picture of the threat landscape, accurately calculate cyber risk, and arm security personnel with the intelligence and context they need to make better, faster decisions.
Threat intelligence enables CISOs and security leaders to stay abreast of current and emerging threats in a way that simply isn’t possible through manual research. But for that to happen, a threat intelligence capability must be comprehensive, relevant, contextualized, concise, and timely. Threat intelligence capabilities without these characteristics will most likely hinder more than help, as partial or inaccurate information can easily lead to poor decision making.
Get the Threat Intelligence Handbook
The full chapter of our book has a lot more content, including a case study looking at how a major global retailer uses threat intelligence to share information across security teams. It’s a story that highlights how essential it is to break down the walls between different organizational “silos” at a large company, and how threat intelligence can add the crucial context to information that every team needs to see but might not always be interested in at first.
You’ll also find more helpful diagrams and figures, including a risk-assessment outline showing an approach security leaders can take when allocating budget and resources.
Read the full chapter by downloading your complimentary copy of “The Threat Intelligence Handbook.”