The Real Security Benefits You Can Get From Threat Intelligence
March 13, 2018 • Chris Pace
What’s the first thing that comes to mind when you think of threat intelligence? Most people imagine that it’s the opportunity to “get ahead of attackers” — the idea that powerful threat intelligence will allow you to know precisely when, where, and by whom you’ll be attacked.
And sure, sometimes that really is possible. Hacktivist groups occasionally publish their targets in advance, and might use a predictable set of tactics, techniques, and procedures (TTPs).
But most of the time, this isn’t how intelligence works. Operational intelligence, for example, may not be readily available to an organization that isn’t already significantly invested in threat intelligence and equipped to gather and process intelligence on their own.
That said, this idea of “getting ahead” is a good one. Properly applied, threat intelligence gives you the opportunity to proactively mitigate your most pressing threats, instead of simply reacting to attacks or a stream of incoming alerts. This happens in two primary ways: understanding your cyber risk and increasing efficiency and confidence in your security operations. Let’s look at both in a little more detail.
1. Understanding Your Cyber Risk
Since it’s no longer feasible to make an organization 100 percent secure, the only logical approach to security is one based on risk.
For the average SME, defending against state-sponsored advanced persistent threat (APT) groups is out of the question. Unless the organization sits in the supply chain of a more attractive target, the likelihood of such an attack is small, and it doesn't make sense to invest heavily in its prevention.
In the same way, organizations of all sizes across all industries are certain to receive malicious email (phishing) attacks. Knowing this, it only makes sense to invest in a basic content filtering solution.
Of course, prioritizing most threats isn't this easy. There is a real risk that those responsible for security investment decisions simply react to marketing, industry buzzwords, and newspaper headlines: they start hearing a lot about DDoS attacks, ransomware, or point-of-sale (POS) compromise, and their focus is diverted from more pressing threats.
The worst outcome is that these organizations then allocate resources based on fear, rather than knowledge. This is where threat intelligence comes in. A powerful threat intelligence capability can help you identify the specific threats facing your organization, your industry, or your architecture, and prioritize the allocation of your security resources accordingly.
2. Increasing Efficiency and Confidence in Your Security Operations
Threat intelligence shouldn’t only be about adding new processes to your security strategy. In fact, a powerful threat intelligence capability should sit at the heart of your security operations.
The combination of external intelligence aggregated with internal data is potentially a huge force multiplier for existing security processes. Vulnerability management and incident response are particularly good candidates, as they both demand a high degree of context and prioritization to be effective.
Consider incident response. Every day, most organizations generate dozens (if not hundreds) of security alerts, most of which turn out to be harmless anomalies. How can you know which should be investigated and which can be closed? Threat intelligence provides the context to answer that question as alerts arrive (for example, whether the destination address in a firewall alert is a known command-and-control server), so you can respond at the early stages of an attack rather than waiting to see which incidents escalate.
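The two use cases above, vulnerability management and incident response, share one mechanism: internal data (alerts, scan findings, asset context) is joined against external intelligence and the result is ranked. The following is an added example, not code from the original article or from any vendor product. The indicator feed, the "exploited in the wild" list, the asset weights, and the alert and finding records are all constructed for illustration; the CVE IDs are real, but their presence or absence in the constructed feed says nothing about their real-world status.

```python
"""Enrich internal alerts and vulnerability findings with external threat
intelligence, then rank them for triage.

All feed entries and telemetry below are constructed for the example; the
dictionaries stand in for whatever a real intelligence feed would supply.
"""
from ipaddress import ip_address, ip_network

# Constructed indicator feed keyed by indicator type. Confidence is 0-100.
INDICATORS = {
    "ip": {"203.0.113.45": {"confidence": 90, "tags": ["c2"]}},
    "domain": {"update-check.example": {"confidence": 70, "tags": ["phishing"]}},
    "sha256": {"a" * 64: {"confidence": 95, "tags": ["ransomware-loader"]}},
}
# Constructed CIDR-scoped indicators (a hosting range flagged by the feed).
NETWORKS = [(ip_network("198.51.100.0/24"), {"confidence": 60, "tags": ["suspicious-hosting"]})]
# Constructed "exploited in the wild" list. The CVE IDs are real (MS17-010 and
# Log4Shell); the entries and confidences are ours, not a real feed's.
EXPLOITED_CVES = {
    "CVE-2017-0144": {"confidence": 95, "tags": ["exploited-in-the-wild", "wormable"]},
    "CVE-2021-44228": {"confidence": 95, "tags": ["exploited-in-the-wild"]},
}
# Internal context (assumption): how much a hit on this asset class matters.
ASSET_WEIGHT = {"domain-controller": 1.0, "server": 0.8, "workstation": 0.5}


def lookup_ip(ip: str):
    """Exact-match indicators first, then CIDR-scoped ones; None if no hit."""
    hit = INDICATORS["ip"].get(ip)
    if hit:
        return hit
    addr = ip_address(ip)
    for net, info in NETWORKS:
        if addr in net:
            return info
    return None


def enrich_alert(alert: dict) -> dict:
    """Attach every intel match to the alert and compute a triage score.

    score = highest matching confidence * asset weight, so a weak hit on a
    workstation ranks below a strong hit on a domain controller.
    """
    matches = []
    for ip in (alert.get("src"), alert.get("dst")):
        if ip and (hit := lookup_ip(ip)):
            matches.append(("ip", ip, hit))
    for kind in ("domain", "sha256"):
        value = alert.get(kind)
        if value and (hit := INDICATORS[kind].get(value)):
            matches.append((kind, value, hit))
    best = max((m[2]["confidence"] for m in matches), default=0)
    weight = ASSET_WEIGHT.get(alert.get("asset_tier"), 0.5)
    return {**alert, "matches": matches, "score": round(best * weight)}


def rank_alerts(alerts: list) -> list:
    """Enriched alerts, highest score first; alerts with no intel score 0 and sink."""
    return sorted((enrich_alert(a) for a in alerts), key=lambda a: a["score"], reverse=True)


def prioritize_vulns(findings: list) -> list:
    """Order findings by exploitation evidence first, weighted CVSS second.

    A CVSS 8.1 bug with in-the-wild exploitation outranks a CVSS 9.8 bug
    without it; that reordering is what intel adds to vulnerability management.
    """
    def key(f):
        exploited = 1 if f["cve"] in EXPLOITED_CVES else 0
        return (exploited, f["cvss"] * ASSET_WEIGHT.get(f.get("asset_tier"), 0.5))
    enriched = ({**f, "intel": EXPLOITED_CVES.get(f["cve"])} for f in findings)
    return sorted(enriched, key=key, reverse=True)


# Constructed internal telemetry (private and TEST-NET addresses only).
ALERTS = [
    {"id": 1, "src": "10.0.0.12", "dst": "192.0.2.10", "asset_tier": "workstation"},
    {"id": 2, "src": "10.0.0.55", "dst": "203.0.113.45", "asset_tier": "domain-controller"},
    {"id": 3, "src": "10.0.0.7", "dst": "198.51.100.77", "asset_tier": "server"},
    {"id": 4, "src": "10.0.0.9", "dst": "192.0.2.20", "domain": "update-check.example",
     "asset_tier": "workstation"},
]
FINDINGS = [
    {"cve": "CVE-2019-0708", "cvss": 9.8, "asset_tier": "server"},  # no entry in our feed
    {"cve": "CVE-2017-0144", "cvss": 8.1, "asset_tier": "server"},
    {"cve": "CVE-2021-44228", "cvss": 10.0, "asset_tier": "workstation"},
]

if __name__ == "__main__":
    for a in rank_alerts(ALERTS):
        print(a["id"], a["score"], [m[:2] for m in a["matches"]])
    for f in prioritize_vulns(FINDINGS):
        print(f["cve"], f["cvss"], "exploited" if f["intel"] else "no evidence")
```

The scoring is deliberately simple (one confidence value times one asset weight); the point is that neither input is useful alone. The feed without asset context would rank the hosting-range hit on a server and the phishing-domain hit on a workstation as roughly comparable, and the internal alerts without the feed are indistinguishable from each other. Replace the constructed dictionaries with your own feed parser and CMDB lookup and the ranking functions stay the same.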
Stumbling Blocks to Avoid
Unlike many security processes, threat intelligence isn’t just a tool that serves a single purpose. You can’t simply procure a platform, subscribe to a few feeds, and expect to see real results.
To maximize the value of threat intelligence to your organization, it’s vital that you have a specific use case in mind (one or more problems you need threat intelligence to solve) or you won’t reliably see a return on your investment.
The reason for this is simple. If you don’t know what you’re trying to achieve, the only option is to spread your net as wide as possible. Given the vast quantity of data available to even the most basic threat intelligence products, this approach will only lead to one thing: overwhelm.
In addition, if you lack clarity on what you’re trying to achieve, your security teams will be spread too thin, and won’t have the opportunity to develop the specialized skills necessary to excel in any specific area.
To avoid these issues, it’s essential that you agree on the specific problems your threat intelligence initiative is intended to solve ahead of time. For example, you might want to:
- Identify leaked credentials.
- Prioritize vulnerability remediation.
- Monitor for mentions of your brand online.
- Uncover emerging threats.
- Track hacktivist activity in your industry.
- Study threat actor tactics, techniques, and procedures (TTPs).
Depending on your needs, any of these use cases could be a worthy goal. Given time and a clear understanding of your goals, your security teams can develop the skills and processes needed to consume and utilize relevant threat intelligence.
Going after all of these use cases from the start, however, is a surefire way to overwhelm your security teams. Instead of working proactively to mitigate the most pressing threats, they’ll be forced to react to an unmanageable stream of incoming alerts, with little insight into which are most important.
When seeking out a service or provider, look for those with the expertise to enable your own teams. This will ensure you’re getting the most from your investment and empower your teams as you develop your threat intelligence capability.
To learn about more ways that threat intelligence can benefit your organization, read our “Buyer’s Guide to Cyber Threat Intelligence.” It also comes with an RFP template you can use to be sure you’re asking vendors all the right questions.