How helpful and realistic are threat intelligence implementations?

A report by The Enterprise Strategy Group (ESG) revealed that several enterprises have implemented a security intelligence program, and 43 percent of surveyed respondents rated their program as ‘very mature’. However, there are a number of shortcomings in these programs, which make the expectation that deploying threat intelligence alone is the answer to security threats unrealistic. Some of the shortcomings are as follows:
- IT is not integrating threat intelligence programs into enterprise collaboration, communication and other IT workflows. Therefore, they aren’t giving themselves the capability to benefit from knowledge in supply chains and vertical communities, or to access what’s going on at the backend to identify data relevant to their environment and context.
- More focus is being placed on consumption and less on sharing. With the bad guys focusing on the latter, organizations need to facilitate sharing of threat intelligence to effectively protect enterprise users and infrastructure. Sharing threat intelligence on all types of risks can help reduce vulnerabilities and keep larger threats at bay.
- In most enterprises, threat intelligence programs are hamstrung by manual processes. Security professionals in these firms spend a lot of time collecting, processing and pasting data, as well as transforming it into different formats – there’s not much reliance on tools that automate the rest of the IT landscape.
- Organizations are also lacking actionable intent in their programs. IT teams neglect providing additional context of threat indicators that have been brought to attention, whether from another user or an intelligence feed. This scenario means there’s no extension of the information; therefore, companies may miss out on making quicker and alternative decisions. To make threat intelligence actionable, organizations should receive it in real-time and combine it with security awareness.
- Lastly, security teams are looking at data feeds with raw, unfiltered information. For intelligence, they need this information to be sorted and evaluated by expert intelligence analysts, so that actionable advice can be generated about an existing or emerging threat. Rich contextual information can be created by human analysis of the past, present and future indicators.
What could be a good threat intelligence implementation?

To break the silos and make threat intelligence run smoothly throughout the organization, IT needs to adopt a robust approach towards collecting, analyzing, and acting on intelligence, as well as translating it into a common language for sharing. While models can vary, the following components are commonly applicable in deployments to develop intelligence capabilities.
1. Setting up the intelligence procedures

This will be the foundation of whatever your goal is with threat intelligence. The complex nature of threats requires organizations to have procedures in place prior to incidents in order to guide operations during periods of stress. Consolidated, open-source and premium feeds should be measured against your company’s goal to evaluate their ROI. Mature organizations will also filter data to extract relevant indicators and then cross-reference them across multiple systems.
2. Building threat profiles via analytical frameworks

What is the modus operandi of the adversary? Depending on your organization’s industry and security structure, you will develop frameworks which can be used to spot malicious patterns and consider the viewpoints of adversaries. A threat profile could then be generated in the following manner:
- Actor: What do you know about the individuals that can conduct attacks on your organization? The answer to this question will drive subsequent analysis.
- Victim: What is it about your enterprise that makes it a potential target for data breaches and hacking attacks? Are you more likely to be attacked than your enterprise counterparts?
- Data importance: What is the perceived risk of data assets you want to protect? How are they being protected currently?
- Location and time: Where are data assets stored? How are you protecting them? Are they stored only in virtual form or also in physical form? Are these assets more vulnerable at certain times (such as on the weekends)?
3. Choosing the right technology

Now that the threat profile that best suits your organization’s needs has been identified, you can move on to selecting the right technology to leverage threat intelligence across your data and network environments. There is a variety of solutions available, some with their own services, feeds and databases built in. The final choice should integrate with your security infrastructure and SIEM system, whether the focus is on protecting cloud, big data, or mobility systems.
4. Integrating the use of intelligence into your core processes

A good implementation requires intelligence to inform core business decisions without any interference. However, enterprises don’t follow this approach, which means they may not have a bird’s-eye view of threats that could impact critical business decisions. What they need to do instead is align the intelligence technology with formal decision making to facilitate dynamic resource decisions. Senior and law-enforcement oversight is also important for larger transformational business cases.
5. Automating threat intelligence sharing

Threat sharing won’t be effective without technology that automates the process. With several threat intelligence exchanges facilitating automation, enterprises at their own end should focus on developing processes that link with these exchanges to get a more comprehensive view of threats. However, you should have some rules that standardize the conveyance and expression of threat intelligence sharing. Having these rules will allow automation of sharing processes (without any issues), even when relying on disparate tools.
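The filtering and cross-referencing described under step 1, and the common expression format that step 5 calls for, in one added example that is not part of the original article. It assumes two constructed feeds in different formats (CSV and JSON, hypothetical documentation-range values rather than real indicators), merges them into one normalized record per indicator while keeping source and confidence as context, and cross-references the result against constructed proxy log lines.

```python
import ipaddress
import re
# Constructed sample feeds in two formats (hypothetical values, not real IoCs).
CSV_FEED = """indicator,type,confidence
203.0.113.45,ip,80
bad-example.invalid,domain,60
203.0.113.45,ip,90
999.1.1.1,ip,95
"""
JSON_FEED = [
    {"value": "BAD-EXAMPLE.invalid", "kind": "domain", "score": 0.7},
    {"value": "198.51.100.7", "kind": "ip", "score": 0.5},
]
LOG_LINES = [  # constructed proxy log lines to cross-reference against
    "2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 host=updates.example.org",
    "2024-01-01T10:01:00Z src=10.0.0.9 dst=192.0.2.10 host=bad-example.invalid",
    "2024-01-01T10:02:00Z src=10.0.0.7 dst=198.51.100.7 host=cdn.example.org",
]

def normalize(csv_text: str, json_records: list) -> dict:
    """Merge both feeds into {indicator: record}, keeping the highest
    confidence seen and every source, so each match carries its context."""
    merged: dict = {}
    def add(value: str, itype: str, conf: int, source: str) -> None:
        value = value.strip().lower()  # one canonical form for both feeds
        if itype == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                return  # drop malformed entries rather than poison the set
        rec = merged.setdefault(value, {"type": itype, "confidence": 0, "sources": []})
        rec["confidence"] = max(rec["confidence"], conf)
        if source not in rec["sources"]:
            rec["sources"].append(source)
    for line in csv_text.strip().splitlines()[1:]:  # skip the CSV header
        value, itype, conf = line.split(",")
        add(value, itype, int(conf), "feed_csv")
    for item in json_records:  # JSON feed scores 0..1; rescale to 0..100
        add(item["value"], item["kind"], round(item["score"] * 100), "feed_json")
    return merged

def cross_reference(indicators: dict, log_lines: list, min_confidence: int = 60) -> list:
    """Return one hit per (indicator, log line) whose confidence clears the threshold."""
    hits = []
    for line in log_lines:
        for token in dict.fromkeys(re.findall(r"[a-z0-9.-]+", line.lower())):
            rec = indicators.get(token)
            if rec and rec["confidence"] >= min_confidence:
                hits.append({"indicator": token, "log": line, **rec})
    return hits
```

Lowering `min_confidence` surfaces the low-scored indicator as well, which is the trade-off an analyst tunes rather than a raw feed deciding it.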
Conclusion

Implementing threat intelligence effectively demands a large-scale evaluation of your security standing. Since it requires seamless access to data flows across networks and devices, organizations need to break down their reactive walls to create external and internal efficiencies and get the most out of this resource.