Cyber is the sexy part of security, but it should be threat intelligence
Speaking at the Context Oasis event in London, Stuart McKenzie, senior investigative consultant at Context said that the problem with threat intelligence is everyone thinks everyone else is doing it better than they are, but he said that doing threat intelligence properly can give you a good profile of an attacker and “stop the basic stuff”.
He said: “Threat intelligence will give you information on what you do not know about, allow you to build up protection, outline potential exploits and the capability and motivations of an attacker and help you figure out whether or not they are nation-state sponsored.
“You have got to get a rich picture of how the environment changes. It is about getting intelligence into the business, to educate the board, but it has got to be timely, it has got to be relevant and actionable and got to make the metric positive, otherwise it is useless.”
McKenzie bemoaned vendors who claim to offer threat intelligence, saying that all they offer is Big Data and that to understand it “you have to sift it, you don’t just pull mud from the ground and expect to find gold”.
He said that people in security will not know what the key assets are, but as security people we need to engage with the business. The COO should know where the crown jewels are and by melding this business intelligence with threat intelligence we can stay one step ahead of the attackers.
“You can combine intelligence to see where the attacker is and it stops the business wasting its efforts on defences,” he said. “Threat intelligence is used to defend, as you have to stay one step ahead and use threat intelligence to build knowledge.”
McKenzie pointed out that the Target data breach ended up costing the company $161 million in losses and adding new technologies because of a weak security posture. Boards should be asking security managers if they are doing enough to protect data.
Asked by IT Security Guru if he felt that businesses were doing enough on threat intelligence, Context’s head of threat intelligence Mark Graham said it differs from sector to sector, but that financial services and oil and gas were good at this, while Government is “where it does happen”, but other sectors are not too organised.
“There is nothing formal in place, but individual businesses are very open with active exchanges and it starts out at a good level, but they know that they cannot do it all themselves and this is recognised in the intelligence community,” he said.
McKenzie said that the work of the Cyber-Security Information Sharing Partnership (CISP) shows that the importance of sharing is a good idea, because if no one is talking about attacks, then sharing ensures everyone knows about them.
Rob Sloan, director of response at Context has produced a whitepaper to accompany the presentation