It seems that right now, everyone is talking about threat intelligence. Nearly every security vendor wants to get in on the action and the majority of security operations groups are either being told by their management to get on board with it, or they’ve attended various security conferences and realised they need to add threat intelligence into their security program.
That said, the questions most security operations groups always come back with, though, are: What should I get? How do I use it effectively and ultimately, how is it going to help me?
I’ve been in threat intelligence and security operations for most of my career; first with various military, government and intelligence organisations, then as a co-founder of iSIGHT Partners, and now with ThreatQuotient as VP of Strategy. I’ve worked with threat intelligence since before it was cool, helping numerous early adopters around the globe to understand what threat intelligence is and how to use it within their organisations.
In my experience, a threat intelligence platform that’s worth its salt has the potential to help organisations in three key areas, which are to communicate more effectively, focus resources more efficiently and manage risk more successfully. These are by no means the only areas of your security strategy that will feel the benefits, but here’s my quick take on why they are my top three:
Improve communication
At some stage, every CISO or SOC manager will be asked by management, concerned about the latest hack: What do you know about it? How does it affect us? What are we doing about it? A solid threat intelligence strategy provides you with a means of being proactive and ensuring that you’re on top of your cyber security, so that you’re in a position to answer these questions before they are even asked. Leaders also want a way to answer these questions in business terms and let management know what you are doing as a security operations group. Effective threat intelligence gives you the information you need to change the conversation from “we blocked a million events this month,” to “we stopped ransomware attacks which would have cost the company $2M.”
Focus resources
On a network, there are only three things security operators need to deal with; noise, nuisance and threats. You need to filter out the noise (blocking it at the perimeter or detecting it and automatically remediating), focus on threats (the real gotchas that can negatively impact shareholder value) and determine if a nuisance is actually noise or a threat and deal with it accordingly. An effective threat intelligence platform helps organise the threats and provide the information you need to isolate what really matters. It provides a means of automatically filtering the noise while also enabling threat intelligence enrichment through an analyst workbench to understand and address the nuisances. In short, a good threat intelligence platform lets you operationalise your approach to cyber security.
Manage risk
Once you are using threat intelligence to improve communications and focus your resources, you can start diving into risk management. A threat intelligence platform lets you take a more strategic view of the business critical assets you need to protect, the threats that are targeting these assets and the ways in which they are going about it, and the countermeasures you have in place. From there, you can figure out your risk gap and turn that into a strategic discussion with the board about accepting, transferring or mitigating risk, and the investments required.
As VP of Strategy at ThreatQuotient, it’s my responsibility to ensure that our platform, ThreatQ, meets these requirements and helps organisations to strategically implement threat intelligence. Moving forward, I’m convinced that threat intelligence will be a deciding factor in the success of many cyber security strategies and it is vital that organisations are staying ahead of the curve by actively looking at how they improve communication, operationalise threat intelligence and manage risk. I therefore think we will be hearing a lot more about threat intel and seeing adoption accelerate over the coming few years.
For any security operations groups who are interested in finding out more about threat intel, I am speaking at NIAS’16, NATO’s annual cybersecurity conference on September 7th and 8th in Belgium. I will be leading the plenary session, ‘Cyber Threat Intelligence: From Feeds to Action,’ as well as a workshop on intelligence-driven security operations programs and how these can become proactive, anticipatory and adaptive. To learn more about our work at ThreatQuotient, email [email protected].