Threat Intelligence Brings Dynamic Decisions To Risk ManagementAs enterprises bring threat intelligence feeds into risk management equations, they could gain a greater fluidity in risk-based decision-making
If risk management is governed by the age-old risk equation -- Risk = Threat x Vulnerability x Asset Value -- then it would follow that the accuracy of each of those attendant variables can make or break an enterprise's IT risk management practice. The security industry has done a lot to hone in on metrics that delineate the latter two: CVSS scoring and countless studies measuring the cost of breaches around specific IT assets have helped risk managers better get their arms around that particular part of the equation. The real sticking point has always been the problem of measuring and tracking the threats.
The threat landscape is so mercurial and threats so dependent on dozens of their own variables that finding a way to measure the probability of a threat hitting its mark can seem a bit of a crapshoot. But that's changing as risk management experts start to depend on the burgeoning market of threat intelligence services to deliver enough real-time information about threats in the wild to make more dynamic risk calculations that allow for the kind of fluid decision-making that can more accurately be described as risk-based security rather than guess-based security.
[Wish you could tell your CEO, 'I told you so'? You're not alone. See Airing Out Security's Dirty Laundry.]
"The way we look at it today, it's an important piece of security data," says J.B. O'Kane, principal consultant for risk management vendor Vigilant, of threat probability. "A lot of vendors are providing threat intelligence feeds, and when we look at the larger space of security data and analytics, it's an important piece of the larger risk management equation."
In years past, only the largest and most mature of enterprises could get a decent lock on the frequency and flavor of the threats knocking at their doors enough to base actionable risk decisions on them. Other organizations simply did not see the volume of cyberthreats or have the resources necessary to analyze those threats to develop usable intelligence around trending attacks. As security companies have built up practices over the past few years to deliver that intelligence, risk managers are just now starting to see how they can leverage these feeds.
"I think organizations great and small can benefit from intelligence feeds, if for no other reason than most organizations don't have the time, energy, or resources to plot and set their own research and intelligence initiatives," says Will Gragido, senior manager of the RSA FirstWatch Advanced Research Intelligence team at RSA NetWitness. "They need to be able to depend on a party or multiple parties to provide the insight into the threat landscape that they themselves don't have."
When organizations do it right, they can base their remediation prioritization of vulnerabilities not just on the vulnerability severity, but how that is tied to or paired with threat frequency and severity, O'Kane says.
"Coming up with a threat-vulnerability pairing can help you hone in on a risk-based approach," O'Kane says. "If the feed is coming in saying you're exposed to these threats, you start to narrow things down and turn the threats and vulnerabilities into pairs so that now they're decision nodes. Now you're getting closer and closer to understanding the true risk that you might be exposed to."
Srinivas Kumar, CTO of TaaSERA, agrees that active intelligence will help drive innovation in IT services, improving early warning and remediation of coordinated and targeted attacks. But it will take equally coordinated efforts to actually integrate threat intelligence into the fabric of today's risk management and security ops practices.
"Threat intelligence is basically the vehicle that helps IT to define all of the security controls to the extent that security controls will accept the threat intelligence," he says. "At the end of the day, there are many security controls they're invested in. They need to have something that's coordinating all of these controls together. Without coordinating, it's going to be difficult to deal with active monitoring."
There are other challenges, as well. For example, some threat feeds are better than others, O'Kane says.
"What's a little different is that it's a little closer to the problem or the problem space [than vulnerability or cost of breach information]. It's near real-time, where the information is a little fresher," he says. "Feeds can vary in their data quality. Some are good feeds, some are bad, some have a lot of error built in. Some have a lot of overlap with other feeds, and so removing that redundancy is always a challenge."
Additionally, finding a way to take the data from the feed and turn it into some sort of metric that can be plugged into the risk formula will take work from both vendors and practitioners, O'Kane says.
He says that his firm and others are trying to improve the accuracy of threat scoring, not only offering a score on the severity of the threat, but also a confidence score on the accuracy of that severity.
"So the severity could be, on a scale of 1 to 10, an 8 severity; however, based on our research, our confidence in that severity score could be 60 percent," he says. "When you have more pieces of information for validation that, yes, this is truly a bad site, in fact we've captured some code from that site, that's where you have a higher degree of confidence in that severity score."
As the industry dives further into leveraging threat intelligence to make risk-based decisions, Kumar believes there may even be calls for more standardized scoring, similar to what NIST and MITRE do with vulnerabilities.
"In the same way, NIST or some entity has to expand beyond what they do today with vulnerabilities out to attacks," he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.