Teiss Guest Blogger, Chris Pace, Technology Advocate at Recorded Future, offers some practical advice on how to develop a threat intelligence strategy.
Recent research conducted by SC Media revealed that 46% of security professionals expect threat intelligence to be a core component of their strategy this year.
Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information. It is a relatively new area of information security: those with services and technology to offer are keen to ensure organisations understand the benefits they’ll see from it.
But as with any emerging technology, the hype occasionally overtakes reality. Businesses need to be pragmatic when it comes to defining how threat intelligence can be applied as part of their information security strategy. And they need to consider which phases of the implementation of a threat intelligence tool will align to their most pressing risks, as well as available resources and existing technology.
It’s a shame that so many organisations view 'threat feeds' as their best opportunity to get started with threat intelligence. The reality is that if producing valuable, contextualised threat intelligence is an organisation’s goal, there is a need for huge quantities of incoming data from varied sources somewhere in the process.
However, there is no need for human analysts to see all this information. A successful implementation of threat intelligence should not simply collate massive streams of threat data. Rather it should provide analysts with only the intelligence they need in order to make proactive and reactive security decisions.
Defining your threat intelligence strategy
To the uninitiated, threat intelligence can be overwhelming. And, without context, it can become an unmanageable stream of alerts.
When defining a strategy to implement threat intelligence, don't just investigate which technologies or vendors are available. Instead, it is better for organisations to begin by considering three key questions:
- Do you understand your greatest risk?
- Which areas of your information security strategy have you already invested in and where do you plan to invest in further?
- How will your human resources impact your implementation strategy?
The answers to these questions will make it much easier to define which operational areas threat intelligence will influence. In addition they will help answer how your organisation’s overall security profile can be enhanced.
It is also useful to consider how the implementation of threat intelligence has the potential to result in greater efficiency, and more effective use of available resources. Such resources include the media, the dark web, online forums, social media, and blogs.
There are recommended best practices to follow in order for threat intelligence to fit within the context of an organisation’s cyber security strategy and architecture. These best practices are made up of monitoring, integration and analysis.
As an organisation starts to build its threat intelligence capability, it’s fairly likely it won’t have the relevant expertise or time to support proactive analysis of threat intelligence.
However, it is still possible for them to gain significant advantages and start to collect information from different sources by monitoring them for content that is relevant to their business. Some of the types of intelligence that they may uncover include leaked corporate credentials, data, and code; visibility of new vulnerabilities; threat trends that highlight potential new risks.
Response to this should then be included as part of the organisation’s information security strategy.
Integrating threat intelligence
Integrating threat intelligence requires organisations to automatically correlate it into their existing security technology and strategies.
Organisations that are already significantly invested in security operations and supporting technologies, can use external threat intelligence in a number of ways to provide context to the indicators they are seeing from internal sources.
This can then lead to great advantages such as: much faster identification of which alerts matter (and which do not); enriched intelligence on uncovered indicators; and more context from more sources than technical threat feeds.
As an organisation’s intelligence function begins to mature, there’s no doubt they will seek ways to proactively identify emerging threats, and more closely examine the trends that pose risks to their industry, competitors, vendors, and supply chain.
Having implemented a strong threat intelligence capability, the organisation will be gathering the kinds of insight that will not only uncover new threats and risks, but also show strategic value.
Creating a business case and measuring ROI
Naturally, implementing a threat intelligence strategy will have required time and money from the organisation. Therefore they will want to ensure their threat intelligence feeds are performing well, and they will want to know how much they’re getting in return. After all, business is business, and nobody wants to pay for something that doesn’t deliver.
Security specialists within the organisation are likely to be convinced of the value of threat intelligence. However, convincing other decision-makers could be a challenge, particularly when it comes to developing a business case and measuring ROI.
Clear thinking from the outset is what enables the development of a powerful threat intelligence capability. To effectively make a business case and measure ROI the following two key steps are essential:
- Firstly, the more clearly an organisation defines and measures the specific areas in which it believes threat intelligence will advance its security profile, the more likely it is to be successful. Businesses should not be afraid of being very specific at the outset as it will help them to maximise value in just a few key areas.
- Secondly, don’t just find a provider, find a partner. For an organisation to develop its threat intelligence capability, it will need to keep adding new goals as it begins to reap the benefits of those laid out initially. A threat intelligence provider who is invested in the success of a business’ efforts, and works with them to uncover new potential use cases, is of far greater value to an organisation than a vendor who simply sees the organisation as another pay check.
Keep it simple
While it’s incredibly valuable to identify malicious traffic (for example) and instantly respond, the true value of threat intelligence can only be realised when taking a more strategic view. The way to do this is to accept that threat intelligence does not have to be hugely complicated.
If an organisation is clear about its objectives from the start, and takes the time to identify the right technologies and providers to help reach them, the daily reality of utilising threat intelligence can be remarkably simple.
In order to achieve this, whatever the implementation of threat intelligence looks like, it must deliver in four key areas:
- It must integrate with and enhance existing technologies.
- It must scour technical sources but also the open and dark web for threats, converting foreign language alerts into a useable format.
- It must provide fully contextualised alerts in real time with no false positives.
- And it must consistently improve the efficiency and efficacy of security operations.
When meeting with providers and beginning to incorporate threat intelligence into a wider security strategy, it is vital that organisations consider all of these areas.
Chris Pace is Technology Advocate at Recorded Future, a threat intelligence company powered by machine learning. His role is to engage and educate audiences on the power of real-time threat intelligence, using his extensive experience delivering security solutions to all kinds of organizations.
Before beginning a career in information security, Chris trained as a Broadcast Journalist and also has worked in IT departments in the public and private sectors.