2 Common Barriers to Effective Threat Intelligence
March 30, 2017 • Monica Todros
When it comes to generating useful threat reports, it can be exhausting to wade through the noise of network activity. But don’t be deterred.
With a combination of advanced threat intelligence, and a team of analysts who know how to use it, you can convert the massive amounts of available data into actionable insights.
Of course, building a mature threat intelligence capability is far from easy.
In a recent webinar with SC Media titled “Implementing Threat Intelligence,” Bryan Spano, Founder and General Manager of KSA Cyber, explained what threat intelligence really is, and broke down the most common barriers companies face when building it into their security operations.
Barrier 1: Using Threat Intelligence in Isolation
To properly understand the definition of threat intelligence, and its role in the cybersphere, it’s important to recognize what threat intelligence is not.
Threat intelligence is not technology that you “plug and play,” nor is it simply a vendor-bought product to be used by “the security guys.” Threat intelligence, when implemented correctly, should be right at the center of your security strategy, and must permeate the entire security function.
Quite simply, it’s ineffective when used in isolation.
Of course, it isn’t enough to know what threat intelligence isn’t, we need to know what it is. During the webinar, Spano defined cyber threat intelligence as follows:
Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.
The key word here is disseminated.
Threat intelligence should be the focal point of your security strategy, utilized by security team members with a wide variety of responsibilities. In this way a continuous analytics cycle can thrive, enabling threats to be accurately detected, assessed, and remediated.
Without a solid threat intelligence process, though, the chances that your analysis will yield actionable results are slim to none. A strong methodology will not only allow your team to evaluate any threat that appears on their screens, it will also enable them to make informed decisions about whether or not a specific threat applies to your organization.
In order to build a powerful intelligence process, then, start by defining the questions you (and your team) are looking to answer.
What methods will the enemy employ? Where will the enemy attack?
Adversary-based questions, for example, should be centered around what an attacker might do, as well as what capabilities they might have that could make you vulnerable to them. Gaining a deeper understanding of your adversary’s motives will help you identify your intelligence requirements, and move on to collecting data that meets those needs.
Once you understand what your organization’s needs are, you’re ready to develop your threat intelligence process.
A powerful threat intelligence process should combine both human and technological inputs. Data should be collected, processed, and contextualized automatically, before being passed to skilled analysts for further consideration. Once incoming threats have been triaged, the most urgent and important threats should be disseminated to the relevant security functions for processing.
In order for your threat intelligence program to meet your organization’s needs, each of these separate elements must be in place, and must function cooperatively. If any part of the process is missing, or attempts to operate in isolation, your program will suffer.
For additional insight, watch this two-minute video featuring our own Levi Gundert:
Barrier 2: It May Be a People Problem
Even the most relevant, cutting-edge threat intelligence is close to useless if you don’t have personnel with the skills and knowledge to do something with it. And, unfortunately, there’s a huge skills gap in the threat intelligence industry.
And the skills gap isn’t the only problem. Many leaders have limited experience of managing security operations, and don’t have the knowledge or experience to make effective hiring decisions. In many cases, this “knowledge gap” results in hiring unequipped personnel, poor organizational placement, and strategic decision-making that isn’t aligned with requirements.
It isn’t enough to simply employ people with strong technical skillsets. Intelligence professionals must understand your threat intelligence process, and they must also act as subject matter experts who can advise senior executives with strategic, investment, or hiring decisions.
Having at least one person on your team with advanced skills in threat intelligence is advisable, but you should also look for opportunities to develop those existing technical employees who have the aptitude and willingness to learn.
Ultimately, your threat intelligence capability will live and die on the quality of your personnel. Whether you can develop existing employees, or you need to hire in talent from elsewhere, investing in dedicated personnel is the only way to ensure your intelligence needs are met.
And whatever you do, don’t assume technology can make up for weaknesses in your team. It can’t, and pretending it can will inevitably result in wasted time, energy, and resources.
Bridging the Gap
If you’re not ready to invest in top notch talent, there’s another option open to you. By outsourcing analysis work to a managed security service provider (MSSP), your organization can start benefiting from actionable threat intelligence while minimizing risk exposure.
By utilizing an MSSP to focus on specific intelligence functions that are in line with your organization’s specific needs, you can improve the efficiency of your internal processes while also dramatically enhancing your security profile.
Making use of MSSPs alone, however, isn’t enough to achieve the advanced threat intelligence capability discussed above. MSSPs generally only have one single stream of threat data, which doesn’t give you the context needed for a well-rounded analysis process.
In a recent case study, Fujitsu UK, who provide managed security services, offered insight into the benefits of integrating threat intelligence powered by machine learning into its platform, over and above those provided by a single threat feed. This new approach eliminated the need to constantly compare multiple sources around the web, displaying information in a single view instead and thereby saving a significant amount of time.
According to Fujitsu UK, their threat team can now not only spot changes in exploit kits in real time, but also turn data into intelligence and apply context to it. As a result, their customers are able to make more informed security decisions based on the information derived.
While developing your own threat intelligence capability in-house is usually the strongest option in the long run, there are instances when a high quality MSSP can provide an extremely valuable service. Providers like Fujitsu UK, who understand the value of investing in both the right personnel and the best technologies, are an excellent option for organizations looking to get started with threat intelligence while minimizing the level of risk incurred.
Developing a threat intelligence capability can seem daunting, and as a result many organizations put it off for far too long. But it doesn’t have to be that way. There are steps you can take today to start putting threat intelligence at the center of your information security strategy.
A mature threat intelligence capability takes time to build, but with the right leadership, expertise, and process, it can be done successfully.
For more information on how to integrate threat intelligence into your security operations, read our white paper on building a world-class threat intelligence capability.