Why Threat Intelligence Teams Fail (And What You Can Do About It)
By RFSID on February 9, 2017
The cyber security team has hard-working professionals with can-do attitudes, top-quality tools, and years of practical infosec experience. What’s more, they’re equipped with plenty of data coming in from reputable threat intelligence sources.
Sounds like nirvana, since it’s a slam-dunk that the team will stay on top of emerging threats. Right? Well, perhaps not — not if threat intelligence is not understood correctly, is overwhelming, or can’t be operationalized.
According to a recent PricewaterhouseCoopers study, 51 percent of 10,000 global CIOs and CSOs surveyed actively monitor and analyze threat intelligence to help detect risks and incidents.
That’s good, as far as it goes. Yet even when threat intelligence is available, it has to arrive in a usable form and be applied correctly before it actually improves a team’s effectiveness or an organization’s security posture.
The following are five common reasons why threat intelligence can fail the security team.
1. Misunderstanding the Value to the Business
What type of threat intelligence is important to the business? For example, are business problems being solved by a particular threat feed — or did someone subscribe to the threat intelligence service because the data looks interesting and the charts look cool?
If the intelligence isn’t tied to a business problem, chances are the service is a waste of money.
For example, are you worried about:
- Identifying an insider threat?
- A social engineering scenario tied to physical access at your office?
- The lead up to a nation-state attack?
- A slow and low fraud ring focused on your online retail or marketing presence?
- Risk to your supply chain?
- Potential impact to an M&A deal or IPO event?
Examine the information from the threat intelligence service for its ability to protect your business. Find out whether it can help you watch for direct threats against your organization, or against others in your industry. See whether it can correlate data from solid external sources against your own internal data, such as logs and alerts, and whether those correlations can help you create more effective security policies and rules. Also: How well can it help you prioritize vulnerabilities so you can reduce risk? A fire-hose feed in which every threat is treated equally won’t help you focus on the biggest dangers.
2. Do I Have the Wrong Feed?
There are many threat intelligence feeds available. If you’re a huge global bank or a defense contractor, a feed consumed by community colleges may not be right for you. If you operate in particularly troublesome regions of the world, your needs are different from those of a company operating in a safer environment.
Consider the source of the data that goes into the feed. Is it raw data? Processed intelligence? Drawn from public data? Private data shared anonymously by subscribers of that feed? Data harvested from the dark web? Figure out what you need, and make sure you have the right coverage — and minimize redundancy. Seeing the same threat reported on two similar feeds doesn’t make it twice as important.
Getting too much information can be worse than having too little. If the feeds overwhelm your staff, too many false alarms and too many fire drills will cause them to lose interest… and perhaps miss something important. Be sure to focus on the information relevant to your business.
Feeds alone aren’t enough for a successful threat intelligence program — you need context into threats that enables you to make quick, confident security decisions without simply drowning in data. Embrace the fact that you won’t meet every goal or address every risk straight away. Ensure that the threat intelligence is relevant to your business and threat landscape.
3. Focusing on the Wrong Thing
Do you stay focused on the feeds themselves, or do you look at your entire collection of data as a result of ingesting the feed: your own internal data (threat, attack, and policy data), the feed data, and the analyzed information (traffic and event monitoring, user and system activity blocking, rule and policy adjustments)? It’s not trivial to bring all of these together. Do you have enough data and metadata? Are you missing the nugget that would deliver the value you’re looking for by heading off a real threat? Are you missing the connection or correlation?
Consuming intelligence continuously, in or near real time, is critical. Sorry, but looking at the data once a week, or expecting automated alarms to catch every hazard for you, won’t cut it.
The key is to move from threat intelligence to threat analysis and insight (which makes sense of it all). Yes, there’s a learning curve to understanding the most useful types of threat intelligence and feeds, but most people can handle that, assuming they have the time and resources — and making sense of threat intelligence is time consuming. The ideal solution is to use technologies that enable your team to focus on analysis and not just on data collection.
Ultimately, useful threat intelligence should help you make a risk-based prioritization of threats so you’re focused on the right thing.
4. Drowning in Too Much Data
According to a recent study by ESG, nearly 74 percent of cyber security professionals surveyed already ignore security events and alerts because there’s too much to consume. The teams can’t keep up with the volume, and end up with security data overload.
We’ve discussed some of the causes already, and they include feeds that are intended for the wrong industries, wrong types of companies, and even for inappropriately sized security teams. Another cause is redundancy. Figure out what you need: Do you want raw data on threats and risks? Or do you want actionable intelligence that can help your overworked teams set policies, fine-tune firewall rules, and comb your log files for patterns that match new attacks?
Feeds are data, not intelligence. If they’re just contributing to alert fatigue, effort should be made in getting context that helps teams tie the feeds to business needs — and make faster security decisions. If the information from the feed isn’t being used, perhaps you don’t need it.
5. Inability to Operationalize the Data
About 65 percent of IT leaders surveyed by the Ponemon Institute said that threat intelligence could have prevented or minimized an attack on their organization. That’s encouraging. However, 66 percent of respondents to that study were only somewhat satisfied or not satisfied with their current approaches because the information is not timely. And 46 percent said the information is not well categorized according to threat type or attacker, so clearly there’s room for improvement.
Threat intelligence alone does not trigger a response to a breach. Yes, threat intelligence can help drive more tactical actions — but the team needs to know what the nuances are, why they matter, and how to use the data to drive the necessary action.
Some types of threat intelligence are perfect for correlating with existing data in a SIEM, and this makes for a great starting point. But a true proactive defense will involve the right tools, processes, and people. We tested this theory — see the results here.
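The three mechanics this article keeps returning to (section 2: minimize redundancy, because the same indicator on two feeds is not twice as important; section 3: correlate feed data with your own logs; section 5: use SIEM correlation as the starting point for a prioritized response) can be shown in a short pipeline. The following is an added example written for this edit, not code from the original post or from any vendor: it merges two constructed CSV feeds into one deduplicated indicator set, keeping provenance (which feeds saw it) without inflating the score, then matches the result against a handful of constructed proxy/DNS log lines and orders the hits by confidence. The feed format, the field names, the confidence scale, and the log layout are all assumptions for illustration; real feeds and SIEM exports differ.

```python
"""Merge overlapping indicator feeds, deduplicate, and correlate against local logs.

Added example with constructed data. The CSV feed shape, the log line format and the
0-100 confidence scale are assumptions; adapt the field names to your own sources.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Tuple

# Two constructed feeds that overlap on two indicators (note the case and trailing-dot
# differences, which a naive string comparison would treat as distinct entries).
FEED_A = """indicator,type,threat,confidence,first_seen
198.51.100.23,ipv4,phishing-kit-c2,80,2017-02-01
malicious.example,domain,credential-harvest,60,2017-01-20
203.0.113.9,ipv4,scanner,20,2016-11-03
"""
FEED_B = """indicator,type,threat,confidence,first_seen
198.51.100.23,ipv4,phishing,70,2017-02-03
MALICIOUS.EXAMPLE.,domain,credential-harvest,90,2017-02-05
192.0.2.77,ipv4,bruteforce,50,2017-02-07
"""
FEEDS = {"feed_a": FEED_A, "feed_b": FEED_B}

# Constructed internal proxy and DNS log lines (the "internal data" the article refers to).
LOGS = [
    "2017-02-08T10:01:12Z proxy src=10.0.0.5 dst=198.51.100.23 host=login.example.org",
    "2017-02-08T10:02:30Z dns src=10.0.0.8 query=malicious.example",
    "2017-02-08T10:03:44Z proxy src=10.0.0.5 dst=93.184.216.34 host=example.com",
    "2017-02-08T10:05:01Z dns src=10.0.0.9 query=benign.example",
    "2017-02-08T10:06:17Z proxy src=10.0.0.12 dst=203.0.113.9 host=-",
]


@dataclass
class Indicator:
    key: str
    kind: str
    confidence: int                       # max across feeds, deliberately not a sum
    threats: set = field(default_factory=set)
    sources: set = field(default_factory=set)   # provenance for the analyst, not a multiplier
    first_seen: Optional[datetime] = None


def normalize(indicator: str, kind: str) -> str:
    """Canonical key so the same indicator from two feeds collapses onto one record."""
    if kind == "ipv4":
        return str(ipaddress.ip_address(indicator.strip()))   # raises ValueError if malformed
    return indicator.strip().lower().rstrip(".")


def merge_feeds(feeds: Dict[str, str]) -> Dict[str, Indicator]:
    """feeds maps a source name to CSV text; returns a deduplicated key -> Indicator map."""
    merged: Dict[str, Indicator] = {}
    for source, text in feeds.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = normalize(row["indicator"], row["type"])
            seen = datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            rec = merged.get(key)
            if rec is None:
                rec = merged[key] = Indicator(key=key, kind=row["type"], confidence=0, first_seen=seen)
            rec.confidence = max(rec.confidence, int(row["confidence"]))
            rec.threats.add(row["threat"])
            rec.sources.add(source)
            rec.first_seen = min(rec.first_seen, seen)   # earliest sighting across feeds
    return merged


def extract_observables(line: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, value) pairs worth matching from a constructed 'key=value' log line."""
    fields = dict(tok.split("=", 1) for tok in line.split()[2:] if "=" in tok)
    if "dst" in fields:
        yield "ipv4", fields["dst"]
    if "query" in fields:
        yield "domain", fields["query"]


def correlate(indicators: Dict[str, Indicator], logs: List[str]) -> List[Tuple[Indicator, str]]:
    """Match log observables against the merged indicator set, highest confidence first."""
    hits: List[Tuple[Indicator, str]] = []
    for line in logs:
        for kind, value in extract_observables(line):
            try:
                key = normalize(value, kind)
            except ValueError:
                continue   # a malformed address in a log line must not stop the whole run
            rec = indicators.get(key)
            if rec is not None and rec.kind == kind:
                hits.append((rec, line))
    hits.sort(key=lambda h: h[0].confidence, reverse=True)
    return hits


if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    print(f"{sum(len(t.splitlines()) - 1 for t in FEEDS.values())} feed rows -> {len(merged)} unique indicators")
    for rec, line in correlate(merged, LOGS):
        print(f"[{rec.confidence:3d}] {rec.key:<20} seen by {sorted(rec.sources)} "
              f"threats={sorted(rec.threats)} :: {line}")
```

Run as-is, the six feed rows collapse to four indicators, and three of the five log lines match. The low-confidence scanner IP lands at the bottom of the list rather than generating the same alert weight as the credential-harvest domain, which is the "risk-based prioritization" the article asks for; the source set is carried along so an analyst can see that two feeds agree without the score being doubled.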
To put it another way: Tools and feeds alone are not sufficient. Effective threat intelligence processes that are aligned with the business are also required. In the same Ponemon study noted earlier, just over one-third of organizations have a dedicated team responsible for centrally managing their threat intelligence.
Operationalizing threat intelligence doesn’t stop with the leadership team; it needs to flow through all of the relevant parts of the business: technical, operations, legal, and so on.
Threat intelligence sits at the center of a continuous monitoring and analytics cycle. It has a role to play for numerous teams with varying responsibilities as they work together to prevent, detect, respond to, and predict the latest known and unknown threats and attacks.
A sound information security strategy evaluates the organization’s continuous threat monitoring and analytics processes as part of the threat intelligence selection process, to ensure the feed(s) provide value throughout each phase of that cycle.
Threat intelligence is a good start, but it’s only a start.
Is your security team complaining that they don’t have enough raw data about emerging threats and newly discovered attacks to do their job? Perhaps not. Are they drowning in data, some from internal sources, and some from the outside world? Maybe. Is it hard to know how to correlate data with business-centric action? In many teams, absolutely.
Subscribing to a threat intelligence service can be very useful, but make sure it’s the right service for your organization, and the intelligence from that service is relevant and actionable. If not, the threat intelligence isn’t going to make your job easier; it’s probably only making it harder.