Cyber threat intelligence or CTI is touted to be the next big thing in InfoSec. But does it narrow the security problem or compound it?

Matt Hartley, Co-Founder and Chief Product Officer, BreachRx

October 22, 2014

2 Min Read

sensors. Multitudes of open-source and commercial data feeds dump bad IP addresses and other unevaluated indicators into your environment via machine-to-machine consumption leaving security teams to sort it all out. Even feeds delivering indicators with reputation scores are barely information that will leave security personnel wondering if a "71" is really bad, or the difference in risk between a "99" and a "94."

Cyber threat intelligence needs to include much more than raw data and information. It requires rich contextual knowledge that can only be created with the application of analysis, or it’s not really intelligence. Contextual knowledge includes an understanding the past, present, and future methodologies of a wide variety of adversaries. It incorporates the contextual linkage between technical indicators, infrastructures, tactics, techniques and procedures (TTPs), campaigns, and the motivation and intent of adversaries who are employing them and information about who is being targeted.

Cyber threat intelligence starts with solid data and information gathered through collection, research, and identification of real threats from ongoing monitoring of malicious groups and actors from within the global threat ecosystem. Without contextual analysis, there is no support for the decision making process pointed to by both the FBI and Gartner as the core value of intelligence. Human analysis empowered by and infused into technology automation enables the creation of timely and accurate intelligence. Intelligence that is specific, vetted, and also rich in context and actionable can inform real severity of alerts, can help on incident response, can improve decisions on how to prioritize and respond to an existing or emerging threats, and can even inform the development of a security strategy to proactively invest in control that address real threats to your organization.

So as you approach the adoption of cyber threat intelligence, consider three things:

1. Capturing more event data and fusing it with mountains of raw data and feed information will necessitate a dedicated team of analysts to sort through it;
2. If you plan to conduct intelligence analysis in-house, you’ll want to look for partners who have the human skills -- including global cultural knowledge and presence to extend your reach;
3. If you are not planning on hiring a dedicated intelligence team, be sure to look for partners that provide real intelligence.

In the end, more data and information will only overstress technologies, exacerbate false positive alerts, create even more work for people who are probably already overloaded, and create a dilemma about what security teams should prioritize. Clearly, providing a dump of raw data into an already strained organization doesn’t help to narrow the security problem -- it actually compounds it.

About the Author(s)

Matt Hartley

Co-Founder and Chief Product Officer, BreachRx

Matt is Co-Founder and Chief Product Officer of BreachRx, a dynamic incident readiness & response platform enabling organizations of all sizes to reduce the risk of impacts from data breaches and privacy incidents. He is a 20+ year innovator in cyber security, threat intelligence, cyber warfare, and information operations. Prior to BreachRx, he was a Senior Vice President of Engineering at FireEye and Vice President of Product at iSIGHT Partners, where he held a variety of other leadership roles. Matt previously served in the US Air Force in the Air Intelligence Agency and Air Force Information Warfare Center. After leaving the military, he led research and development teams creating disruptive and next generation cyber and information security, cyber warfare, and information operations technologies at Sytex Inc. and Lockheed Martin's Advanced Technology Labs. Matt holds a CISSP and a Bachelors and Masters in Computer & Systems Engineering from Rensselaer Polytechnic Institute.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights