Why You Shouldn’t Wait to Implement Threat Intelligence
June 19, 2018 • The Recorded Future Team
- Threat intelligence is often perceived as “out of reach,” but in reality has practical applications for organizations of all sizes.
- Operational security teams can save time and improve effectiveness using real-time insights from threat intelligence.
- Making risk-based decisions without external context is functionally impossible. Threat intelligence puts internal data into the context of the wider threat landscape.
- Waiting until “you’re ready” will only make your current problems worse. Threat intelligence informs better decision making at every stage of the security lifecycle.
Threat intelligence is often perceived as being “out of reach” for the typical organization.
Supposedly, unless you’re a large organization with big security budgets and highly experienced analysts, threat intelligence isn’t for you.
Even the name doesn’t help. When you hear “threat intelligence,” it’s easy to imagine military-style bunkers full of bustling uniforms, incomprehensible codewords, and huge flat panel monitors on every wall.
Fortunately, none of this is accurate.
In reality, threat intelligence has an important role to play at every stage of the security lifecycle. From informing investment decisions to expansion planning, threat intelligence can have a meaningful impact on productivity and cyber risk management almost irrespective of an organization’s size or budget.
3 Ways Threat Intelligence Informs Better Security Decisions
Rather than thinking of threat intelligence as something “for later on,” think of it as a tool for making better, faster decisions throughout the security function. For instance, here are three of the most common threat intelligence applications for organizations of all sizes:
1. Combat Alert Fatigue and Prioritize Vulnerabilities
Perhaps the most obvious use of threat intelligence is empowering security professionals to make better, faster decisions during the course of their work.
Security operations analysts are usually some of the busiest professionals in the industry, and are constantly buried under increasingly large piles of security alerts and incidents. Unfortunately, processing, prioritizing, and triaging alerts is a tremendously long-winded process, particularly when done manually, and as a result a large proportion of alerts are never reviewed. Naturally, this creates a tremendous security hole for most organizations.
At the same time, vulnerability management teams face a similar conundrum. It simply isn’t possible to “patch everything,” and even if it were, the impact on business operations would be untenable. Patches aren’t available for every single vulnerability, and most organizations have at least a handful of legacy systems in place with security holes that can’t easily be remedied.
So what’s the solution? Prioritization.
For prioritization to be effective, vulnerability management teams must understand what’s going on outside their organizations. It’s helpful to know which systems are most business critical, certainly, but unless they know which vulnerabilities are most likely to be exploited by threat actors, making sensible patching decisions is going to be impossible.
Threat intelligence provides operational teams throughout the security function with the real-time insights they need to make faster, more informed decisions every day.
2. Identify Leaked Data and Threats to Your Brand
What non-security people often don’t understand about cyberattacks is that when they happen, nobody sounds an alarm. Sadly, a lot of the time successful cyberattacks are never discovered, and even when they are, it’s typically a long time after the event.
According to The Ponemon Institute, organizations in the U.S. take over six months on average to identify a data breach. And the longer it takes to identify a breach, the more expensive it is to contain.
So if there are no alarm bells, how can you identify and contain breaches promptly? Simple: incorporate dark web threat intelligence into your security function.
When credentials, customers’ PII, and proprietary information are stolen, they are usually sold via dark web markets and other hidden meeting places. Powerful threat intelligence will enable your security teams to identify these types of data in real time if and when they turn up online, and take action to contain the situation.
3. Make Genuinely Risk-Based Decisions
Once again, this comes back to budgets. While security budgets have risen substantially in recent years, there still isn’t an organization in the world that can afford to pursue every possible avenue of security. The threat landscape is simply too large and evolving too quickly for a “total 100 percent security” policy to be remotely feasible.
This is why risk management is such an important aspect of security. If you can identify your most pressing cyber threats, you can allocate your resources in the most effective way possible.
But there’s a problem. Everybody talks about the importance of cyber risk management, but making risk-based decisions is functionally impossible without context. Internal network data is a valuable tool, certainly, but without an understanding of your wider threat landscape there’s no way to know where your greatest threats lie.
Threat intelligence plays arguably its most vital role here, because it puts internal data into the context of the wider threat landscape and helps security experts understand how, where, and even when they are most likely to be attacked. In turn, security leaders can design and build a security function that best equips their organization to deal with real-world threats.
The Problem With Waiting “Until You’re Ready”
When you have limited security resources, it’s natural to want to invest them in the best systems and personnel you can afford. As a result, there’s a tendency to put off the implementation of more indirect solutions until further down the line.
The trouble with putting off any form of threat intelligence implementation is that it means making these important investment decisions without access to vital external context. By definition, then, your ability to make truly risk-based decisions is compromised. For example:
- Would a new email filtering tool be more valuable than the latest next-generation firewall?
- Do you need more personnel in vulnerability management or incident response?
- Is social engineering the greatest threat to your organization, or is it malware?
To answer any of these questions, you need access to more than just internal data. And if you don’t have that, your decisions will inevitably be less informed than they could have been.
Which brings us to the number one issue with waiting “until you’re ready” to implement threat intelligence — your existing problems will only get worse.
Over time, your security operations analysts become increasingly overwhelmed by alerts. Your vulnerability management team has to deal with more vulnerabilities every month. Your security leaders are constantly confronted by the need to make decisions, each seemingly more important than the last.
Threat intelligence provides the real-time insights and context necessary to cope with these challenges, and helps security personnel stay ahead of their workload by making faster, better decisions. No matter how mature your security function is, implementing threat intelligence now (rather than later) will enable you to expand confidently and cope with new challenges as they arise.