Getting Threat Intelligence RightAre you thinking of implementing or expanding a threat intelligence program? These guidelines will help you succeed.
The array of startups in the threat intelligence market and the sheer volume of talk on the subject have enterprises racing to implement a solution. Many are placing big bets that subscribing to various threat intelligence offerings will enable them to spot threats faster and thereby minimize the damage and losses associated with security incidents.
This is a tall order, and high expectations have been set by the industry. So it's no surprise that threat intelligence already has a lot of tired and disillusioned followers, as I've discussed at length with CISOs and security practitioners over the past few months. From these conversations, I've concluded that what enterprises need most is a strategic plan to operationalize and automate security based upon actionable intelligence.
Unfortunately, enterprises are often advised that they need to add a lot of new, arbitrary information feeds and sources, regardless of the enterprise's operational maturity and resource constraints. Too often, the result is performance misfires coupled with a damaging loss of confidence in an approach meant to guide continuous improvement.
If you are considering implementing or expanding a threat intelligence program, here are a few principles that can increase the likelihood of success.
Define What You're Trying to Achieve
What's the goal for your threat intelligence program? The primary purpose for threat intelligence is to accelerate incident response so that individual breaches are dealt with before they become full-blown incidents (which are far more costly). If this is your plan, then you need to know where the blind spots are. Can you gather the information you need from your security products?
For example, if your historical product selection was biased toward prevention rather than detection, you may not have the indicators of compromise (IOCs) or indicators of attacks (IOAs) required. You may be in a closed loop where "you don't know what you don't know," because by definition, if a security product failed to block an attack it's probably because it failed to see the attack. If not having visibility into what you missed is your problem, you may need to start by gaining visibility into your network before layering in third-party intelligence.
It's important to stay focused on the most urgent needs first, and effectively optimize the information being gathered. Once you've crossed that hurdle, you can start adding external threat data for correlation with your internal data sources. Small but concrete gains in collection and use are crucial signs of progress and usually prove whether you're on the right track to achieve your objectives.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
Only Ingest What Your Systems Can Digest
It's tempting to grab every new threat intelligence feed and dashboard widget. However, if your team and security operations processes are consumed by taking in large volumes of information instead of acting on what they deliver, you're only magnifying the information-overload problem.
Getting to a better place isn't always about adding more resources. Focus instead on the platforms and other tools you use to share information. What formats do they support? How extensible are they? How can you gain value now and optimize operations with these tools today? Can relevant, contextual information be easily surfaced from the tools? Make sure you don't lose important contextual information in transit. For example, some products export full data directly to a CSV file but only deliver some of the contextual information via their API. Others export into PDFs that you will need to parse in order to use the data in an automated system.
Know Your Intelligence Consumers
You need to cater to your audience. These days, senior executives want security metrics (in return for increased security budgets) almost as often as network defenders want faster analysis of IOAs and IOCs. These are vastly different demands, so as the intelligence decision-maker you need to understand your audience. Who are they and what do they need most?
"Reports or It Didn't Happen"
Know in advance how you will measure success in a threat intelligence program — whether that means a few PowerPoint slides to please top executives or key performance indicators for the team. Otherwise, you risk losing perspective. Milestones that show progress are important ways to measure progress toward your objective.
Start with metrics that show how you're improving visibility into your environment, for example, or decreasing lag time in incident-response workflows. Those numbers are arguably the most important, because successful intelligence programs inform, fundamentally, by dispelling assumptions and uncertainty that traditionally plague security decision-making.
Threat intelligence now accounts for significant budget spend in many security operations centers. It holds significant promise, but it isn't a silver bullet. Good luck on your journey!
Vikram Phatak is Chief Executive Officer of NSS Labs, Inc. Vik is one of the information security industry's foremost thought leaders on vulnerability management and threat protection. With over 20 years of experience, he brings unique insight to the cybersecurity problems ... View Full Bio