In reaction to the rising complexity and increased damage of certain cyber-attacks, more enterprises have been turning to threat intelligence as a way to stay tuned to the risks. Last year, Enterprise Strategy Group released a survey that found 72% of organizations planned to increase their threat intelligence programs this year.
That would explain why it’s so rare for me to speak with an organization that doesn’t have some level of threat intelligence program underway. And they are reaping benefits from their effort.
First, threat intelligence helps organizations better define which of their assets various threat actors may attack in an attempt to steal them, disrupt access to them, or simply dump them online. The types of bad actors who would conduct these activities can be vastly different, ranging from common criminals seeking money, to activists who want to disrupt business services, call attention to a cause or create embarrassment, to nation states. What these actors attack as a result of their motivations could also be vastly different.
By better understanding asset values, and then mapping security controls and defenses against the potential motivations and capabilities of attackers, organizations gain a much better understanding of how well they are investing in and applying their security defenses. Combining such information with external event monitoring yields an even greater understanding of the threat landscape.
The Second Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, based on a survey of 692 IT and IT security practitioners, shows most organizations believe threat intelligence improves their ability to manage and mitigate cybersecurity risk.
Here are some highlights from that research:
Threat intelligence is essential for a strong security posture. Seventy-five percent of respondents who are familiar with and involved in their company’s cyber threat intelligence activities or processes believe gathering and using threat intelligence is essential to a strong security posture.
Threat intelligence needs to be timely and easy to prioritize. Sixty-six percent of respondents who are only somewhat or not satisfied with current approaches say it is because the information is not timely and 46 percent complain the information is not categorized according to threat type or attacker.
Organizations are moving to a centralized program controlled by a dedicated team. A huge barrier to effective collaboration in the exchange of threat intelligence is the existence of silos. Centralizing control over the exchange of threat intelligence is becoming more prevalent and might address the silo problem.
Knowing that threat intelligence provides value is entirely different from an organization’s ability to build and obtain that value. In my interviews with enterprises that have done threat intelligence right, and some trying to get there, three important themes recur:
Know the assets and IT environment. Know where your critical data and systems reside, as well as the infrastructure on which they depend to run. How do users interact with these systems? How is the data protected? How well are these systems monitored for intrusion?
Know the controls and security capabilities that are deployed. How are those critical systems protected? If your organization doesn’t have a firm understanding of how security defenses are intended to reduce risks, how they do so, and how effective they are, then the security team is just spinning its wheels. Enterprises need a realistic assessment of how well protected they are against specific attacks on specific resources and data. They need this insight to know not only how well they are protected, but where they need to invest and bolster defenses, and perhaps where they are investing too heavily.
Build an organizational security immune system. What does the human body do when it spots a threat? It delivers an appropriate immune response. What do sensible people do to avoid colds when the weather changes? They respond by dressing differently, perhaps eating differently. Common sense. But organizations build the ability to see external threats changing, their equivalent of a change in the weather (such as one’s industry coming under protest), and yet they don’t build a way to respond instantly.
This is an area where many organizations fail. They don’t build the capabilities they need to respond to the information their threat intelligence gathers. So building incident response teams as well as having lines of communication open to rapidly put in place new defenses based on new threats is imperative.