To drive an effective security program, businesses need to have visibility into the organization’s threat landscape. But to do this, they need to consume Threat Intelligence. Many security and risk professionals are disappointed in the results of their cyberthreat intelligence efforts.
In an exclusive interview with CISO MAG, Brian Kime, senior analyst at Forrester, explains why users have not reached maturity in the adoption of threat intelligence solutions. He explains the challenges and shortcomings faced by threat intelligence teams. And he offers some recommendations to take the correct approach and tackle these challenges.
At Forrester, Kime serves security and risk professionals. He covers cyber threat intelligence, vulnerability risk management, and industrial control system security. In this role, he helps organizations identify, assess, and prioritize cyber and physical threats; prepare for emerging attack vectors; and reduce cyber risk in enterprise IT and operational technology (OT) environments.
This interview is based on the Forrester report titled “How to Integrate Threat Intelligence into Your Security Program”.
Edited excerpts from the email interview follow:
Cyberthreat intelligence (CTI) is not a new concept. Where is it today in the maturity curve? How far have organizations progressed in their CTI programs today? What are the challenges and deficiencies?
Vendors are around the peak of the maturity curve while end-users are significantly less mature. The vendors are doing well at deriving insights about cyberthreats from the multitude of raw telemetry they can obtain. However, threat intelligence teams in our end-user organizations are struggling to integrate external data with internal security telemetry.
One of the biggest challenges is the ill-founded notion that end-user threat intelligence teams are to be focused externally only. The value of internal security telemetry to a threat intelligence team cannot be overstated. If an end-user threat intelligence team is being denied internal security telemetry, they are effectively being denied visibility into the threats most relevant to the organization. That internal security telemetry is a primary source of intelligence – direct observations. All that external intelligence (secondary source intelligence) should be acquired to fill in gaps in the intelligence collection plan and to enrich and contextualize internal data.
Tooling available to end-user threat intelligence teams is highly deficient. On the market today there are many threat intelligence “platforms” that most often aggregate external data and disseminate that data to other security controls. I don’t consider these tools to be platforms since they do very little. They don’t help manage intelligence requirements and the collection plan. They don’t provide robust tools to analyze raw intelligence data. They don’t help with writing finished intelligence reports or with collecting and analyzing feedback from stakeholders. This is an area where the vendors have shown increasing maturity. Most vendors have built their own proprietary tools.
In these uncertain times, businesses need to predict or foresee risks and react quickly to shifts, to minimize negative impact. That requires insights from the organization’s threat landscape. What strategies do you recommend for gaining those insights? What does an organization need to have or do?
Forecasting threat activity is a large objective of a threat intelligence capability. That isn’t so easy, of course. I recommend organizations begin at the tactical level (supporting the SOC and DFIR), then at the operational level (clustering of events, trending data, threat actor modeling), and then produce quarterly and annual forecasts of threat activity.
What’s the importance of strategic threat intelligence in today’s context?
Boards of directors and C-suites – a business’s strategic leaders – are most concerned about reputational and regulatory risk. Cyberthreat intelligence can help identify, track, and assess threats to the brand’s reputation or uncover leaks of regulated data before Brian Krebs reports the data breach.
How does threat intelligence drive cyber risk management processes? Can you give us some business use cases?
We all (or all should) know that risk = threat x vulnerability x consequence. If risk managers lack awareness of the relevant threats, we misallocate resources and controls. Using the SolarWinds compromise as an example, the news around a current threat may drive improper allocation of security resources to detect that once-in-several-years state-nexus campaign. A competent threat intelligence team can point to their strategic forecast to show all the other more relevant threats and scenarios to devote security resources to.
What are the priorities for a robust threat intelligence program? Why do you emphasize internal security telemetry?
Identify your stakeholders. Start with the CISO, SOC, and DFIR managers. Then grow your network of stakeholders to include the profit and loss centers. If you are in manufacturing, get familiar with that business unit and learn what business processes a cyber threat could affect. Then develop a collection plan to answer the requirements of those stakeholders beginning with data you already have.
Internal security telemetry is direct observations of threat activity against your assets and information. In other words, your data is primary source intelligence. Everything external is secondary and should be collected to enrich and contextualize primary sources, and to fill in gaps that cannot be answered by internal telemetry. But the best feature of internal security telemetry is that it’s free! You already paid for it!
What are the metrics an organization needs to measure/track its threat intelligence program?
The goals of a threat intelligence program should be to reduce the number and impact of breaches. Metrics like “adversary dwell time”, “mean time to recovery”, “breaches discovered by threat intelligence”, “detections generated by threat intelligence”, and “average cost of breach” are useful.
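As an added illustration that is not from the interview or the Forrester report, the following shows how a team could compute three of the metrics Kime names (adversary dwell time, mean time to recovery, and breaches discovered by threat intelligence) from its own incident records. The record fields, the discovery-source labels, and the definitions of dwell time and MTTR are assumptions; the incidents are constructed sample data.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real data). Timestamps are ISO-8601
# without zone; "source" records which function first discovered the breach.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2021-01-02T08:00", "detected": "2021-01-12T09:30",
     "recovered": "2021-01-14T17:00", "source": "cti"},
    {"id": "INC-2", "compromised": "2021-02-10T22:15", "detected": "2021-02-11T06:15",
     "recovered": "2021-02-11T18:15", "source": "soc_alert"},
    {"id": "INC-3", "compromised": "2021-03-01T00:00", "detected": "2021-04-01T00:00",
     "recovered": "2021-04-03T12:00", "source": "third_party"},
    {"id": "INC-4", "compromised": "2021-05-05T10:00", "detected": "2021-05-06T10:00",
     "recovered": "2021-05-07T10:00", "source": "cti"},
]

_FMT = "%Y-%m-%dT%H:%M"

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two timestamps in the assumed record format."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 3600

def dwell_time_hours(incidents):
    """Assumed definition: hours from initial compromise to detection, per incident."""
    return [_hours(i["compromised"], i["detected"]) for i in incidents]

def mean_time_to_recovery_hours(incidents):
    """Assumed definition of MTTR: mean hours from detection to recovery."""
    return mean(_hours(i["detected"], i["recovered"]) for i in incidents)

def breaches_discovered_by_cti(incidents):
    """Count and share of breaches whose first discovery came from the CTI team."""
    hits = sum(1 for i in incidents if i["source"] == "cti")
    return hits, hits / len(incidents)

def program_metrics(incidents):
    """Roll the per-incident figures up into a small scorecard for stakeholders."""
    dwell = dwell_time_hours(incidents)
    cti_count, cti_share = breaches_discovered_by_cti(incidents)
    return {
        "median_dwell_hours": median(dwell),   # median resists one long-lived intrusion
        "max_dwell_hours": max(dwell),         # the outlier still matters to the board
        "mttr_hours": mean_time_to_recovery_hours(incidents),
        "breaches_discovered_by_cti": cti_count,
        "cti_discovery_share": cti_share,
    }

if __name__ == "__main__":
    for name, value in program_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Trending these figures quarter over quarter, rather than reading them once, is what shows whether the program is actually reducing the number and impact of breaches.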
In summary, what is your best advice for integrating threat intelligence into a security program?
Keep your stakeholders at the forefront of your program. Empathize with their role in the organization. Elicit their requirements and feedback. Then exploit all your internal security telemetry, SOC alerts, and post-incident reports to make sense of your threat landscape.
About the Author
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).