Threat intelligence is a critical organizational need

Cover story: Continuous threat intelligence collection, analysis, and optimization can help organizations improve cybersecurity measures.

By Anil Gosine, MG Strategy+ April 13, 2018

Cybersecurity managers face many challenges, with corporate boards demanding awareness of cyber risks, faster processing of complex data, and efficiently managed services for an increasing number of intelligent devices. Security teams are in a better position to defend their organizations against threats if they take the proper preventive measures. Tools and staff need to be augmented with threat intelligence.

Threat intelligence is no longer just for large, well-funded organizations. It is now required to be an overall component of mitigation strategies for all businesses that operate within this evolving technological environment. Small businesses are able to access credible threat intelligence sources that can be based on an organization’s profile and supply chain. Critical data that used to be in a secured data center now moves across an increasingly complex ecosystem of networked environments including the Industrial Internet of Things (IIoT), Internet of Things (IoT), cloud servers, virtualized environments, and mobile devices.

Cybersecurity and threat intelligence

The rate of change in some enterprise environments is so rapid that many organizations struggle to keep pace with evolving cyber threats or to stay tuned in to the threats that arise. To build an effective cybersecurity strategy, an organization needs to be aware of specific cyber threats and understand how those threats impact the organization.

Threat intelligence provides context, indicators, increased awareness, and actionable responses about current or emerging threats. It is designed to aid decision-making at an operational, tactical, or strategic level. Cyber adversaries are using more sophisticated tools, techniques, and procedures that evade stand-alone security plans. Organizations need an evidence-based, holistic view of the threat landscape and a proactive security posture to defend themselves against a wide array of potential threats.

The goal of threat intelligence services is to give organizations the ability to become aware of, recognize, and act upon attack indicators, and to build response scenarios in a timely manner that better protect against zero-day threats, advanced persistent threats, and exploits. Security teams across the world are challenged to discover, analyze, and interpret the vast number of daily events in order to detect attacks. Security consortiums are leading efforts to automatically detect, contextualize, prioritize, perform forensic analysis, automate compliance, and respond to incidents, moving beyond security information management to security threat intelligence.

Facility owners should define what they hope to achieve from threat intelligence, including:

  • Types of alerts needed
  • Vendor news
  • How intelligence is collected, reported and communicated to relevant stakeholders
  • Analysis process
  • How threat intelligence would be used

Threat intelligence feed

An internal assessment should be performed to identify the organization’s needs, covering its processes, infrastructure, requirements, security posture, and ability to manage threat intelligence. Customers should then compare the data feeds and capabilities, alerts and reports, relative subscription prices, and support offered by providers.

Threat intelligence feeds are becoming the dominant intelligence-gathering method for organizations that are developing their threat intelligence capability. A major benefit of these feeds is that they combine intelligence into a single source that is easy to digest. The real-time nature of threat intelligence feeds is critical, especially when they are integrated with security information and event management (SIEM) platforms so that events can be compared automatically against feed entries.

Most organizations lack the resources and security-platform maturity to take full advantage of threat intelligence feeds. Feed data should be evaluated against internal vulnerability assessments so that security controls can be prioritized more effectively.
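The two preceding paragraphs describe the core mechanics: a SIEM automatically comparing events against feed entries, and the resulting matches being weighed against an internal vulnerability assessment so that controls and responses can be prioritized. The following Python script is an added illustration of that pipeline; it is not code from the article or from MG Strategy+. The CSV feed layout, the key=value SIEM export format, the asset table, and the scoring rule (feed confidence multiplied by asset criticality plus open critical findings, halved when the connection was already denied) are all assumptions made for this example, and every indicator, log line and asset is constructed (documentation IP ranges and reserved test domains only).

```python
"""Correlate a threat intelligence feed with SIEM events and rank the hits
using internal vulnerability-assessment context.

Added example, not the article's own code. Feed entries, SIEM lines and the
asset table are constructed; the scoring rule is an assumption."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed feed: indicator, type, confidence (0-100), description.
# Indicators use RFC 5737 documentation addresses and a reserved .test domain.
FEED_CSV = """indicator,type,confidence,description
203.0.113.45,ipv4,90,C2 beacon (constructed)
198.51.100.7,ipv4,40,scanner (constructed)
bad.example.test,domain,85,phishing landing page (constructed)
"""

# Constructed SIEM export: one event per line as key=value pairs.
SIEM_LINES = """ts=2018-04-13T10:01:02Z src=10.0.5.12 dst=203.0.113.45 dport=443 action=allow
ts=2018-04-13T10:01:05Z src=10.0.9.3 dst=198.51.100.7 dport=22 action=deny
ts=2018-04-13T10:02:11Z src=10.0.5.12 dst=192.0.2.10 dport=80 action=allow
ts=2018-04-13T10:03:40Z src=10.0.7.21 dst=bad.example.test dport=443 action=allow
"""

# Constructed internal vulnerability assessment: criticality (1-5) and the
# number of open critical findings from the last scan, per internal asset.
ASSETS = {
    "10.0.5.12": {"name": "hmi-01", "criticality": 5, "open_critical": 2},
    "10.0.9.3": {"name": "kiosk-03", "criticality": 1, "open_critical": 0},
    "10.0.7.21": {"name": "fileserver", "criticality": 3, "open_critical": 1},
}
UNKNOWN_ASSET = {"name": "unknown", "criticality": 2, "open_critical": 0}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    timestamp: str
    src: str
    indicator: str
    description: str
    asset: str
    score: int


def load_feed(csv_text):
    """Parse the feed CSV into a dict keyed on the indicator value."""
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["confidence"] = int(row["confidence"])
        feed[row["indicator"]] = row
    return feed


def parse_event(line):
    """Turn one key=value SIEM line into a dict."""
    return dict(KV_RE.findall(line))


def match_events(lines, feed):
    """Yield (event, feed entry) for events whose destination is a known indicator."""
    for line in lines.strip().splitlines():
        event = parse_event(line)
        entry = feed.get(event.get("dst"))
        if entry is not None:
            yield event, entry


def score_hit(event, entry, assets):
    """Weight feed confidence by what the internal assessment says about the source asset.

    Assumed rule: confidence * (criticality + open critical findings); a connection
    the control already denied is halved because the immediate risk is lower."""
    asset = assets.get(event["src"], UNKNOWN_ASSET)
    score = entry["confidence"] * (asset["criticality"] + asset["open_critical"])
    if event.get("action") == "deny":
        score //= 2
    return asset["name"], score


def prioritize(lines, feed, assets):
    """Return feed matches sorted so the most urgent hit comes first."""
    hits = []
    for event, entry in match_events(lines, feed):
        name, score = score_hit(event, entry, assets)
        hits.append(Hit(event["ts"], event["src"], entry["indicator"],
                        entry["description"], name, score))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for h in prioritize(SIEM_LINES, load_feed(FEED_CSV), ASSETS):
        print(f"{h.score:>4} {h.asset:<12} {h.src} -> {h.indicator} ({h.description})")
```

On the constructed input the HMI host with two open critical findings talking to the high-confidence C2 indicator ranks first, while the already-denied scanner contact from a low-value kiosk drops to the bottom; the point is that the same feed match means very different things depending on what the internal assessment knows about the asset involved.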

A threat intelligence platform should prepare a defense for the organization. Combining threat intelligence capabilities with an organization’s software, hardware, and policy defense strategy enhances the staff’s ability to hunt for advanced attacks, profile atypical malware, and detect potential adversaries. Typical internal threat intelligence teams have been deployed and structured in a way that is costly, hands-on, and misaligned with the organization’s security posture.

Customers should work with their provider to improve the subscription offerings they select: technical indicator feeds for integration, specific summary reports on events and emerging cyber threats, and trends within the various business sectors. They should also ensure the service is aligned with a long-term vision, integrated processes, and business requirements.

Too few cybersecurity professionals, tools

The industry still has to address the growing shortage of skilled cybersecurity professionals, isolated security products, lack of integration with other devices and management tools, lack of funding, and inadequate correlation of threat data. Companies must be mindful when implementing programs to avoid the typical failings: not integrating threat intelligence into the enterprise platform, consuming but not sharing data, manual processes becoming a burden, no real-time data to provide security awareness, and a lack of contextualized information.

In a global environment where cyber attacks are generated at machine speed, customers must ensure that the identification, sharing, comprehension, and application of threat intelligence is as automated as possible. An automated platform allows easy access to the intelligence and the ability to contextualize and prioritize attacks for immediate mitigation. An effective intelligence program assesses intelligence from various sources and source types to build a better threat and risk picture for the organization.

The value to end customers is not the quantity of the various intelligence feeds, but the applicability of those feeds to their entire environment. The ability to customize dashboards and filters to continuously illustrate threats allows security teams to focus on threats that impact the organization. The threat intelligence market offers different types of information feeds that are not necessarily aligned to any industry or large manufacturer installed base. Though intelligence platforms must be recognized as a critical component to cybersecurity, organizations must define their high-level requirements, functional requirements, and visibility requirements.

Through continuous threat intelligence collection, analysis, and optimization, organizations can increase their protective measures and strengthen their security tools. Significant and beneficial trends for cybersecurity include:

  • Threat awareness over the past 5 years has risen from 25% to 75%. Companies have realized that cyber attackers had the advantage of knowing more about their networks than they did, and are now becoming more proactive.
  • The percentage of organizations that have formalized in-house or outsourced teams to address threat intelligence has risen from 25% to 45% over the past two years.
  • The overall level of satisfaction with various threat intelligence elements that companies use is approximately 73%. This may be skewed as some may not understand what they are not receiving from other threat intelligence.

The industry also is making progress as data science and machine-learning models deliver entirely new ways of looking at threats; this removes the dependency on having seen a threat before in order to defend against it. Data science and machine-learning models can evaluate traffic against the collective knowledge of all previously observed internal and external threats to identify discrepancies that may become threats. According to recent research, including reports from Statista and IDC, global spending on external threat intelligence services is expected to increase to over $1.6 billion by the end of 2018.

Anil Gosine is a global program manager at MG Strategy+, a CFE Media content partner. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media, eguenther@cfemedia.com.

Consider this:

How would implementing a threat intelligence feed improve your organization’s defense against a cyber attack?