Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

7/22/2015
10:30 AM
Ryan Trost
Ryan Trost
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Finding The ROI Of Threat Intelligence: 5 Steps

Advice from a former SOC manager on how to leverage threat intel without increasing the bottom line.

During my time managing a security operations center at one of the largest defense contractors, executives would constantly scrutinize security budgets, focusing on the areas of security architecture that could be streamlined. The process typically would lead to one burning question: how can security teams leverage threat intelligence to increase ROI without adding headcount or doubling the bottom line? My answer involved five key steps:

Step 1. Develop Key Performance Indicators (KPI)
Every successful security program needs metrics and KPI’s to measure against and report back to their organization. To implement a successful KPI program for threat intel intake, you’ll need to:

  • Deconstruct the team’s mission statement and map KPIs to the key elements (admittedly this is easier said than done but builds a critical foundation).
  • Decide which threats are really affecting your organization and which you can ignore. Cutting through the noise will save your security analysts time.
  • Evaluate each provider and decide which are providing you with solid, fast, and reliable information that you can map back to each quarter.

Step 2. Continually evaluate and reassess threat intelligence providers
There are no silver bullets in the cybersecurity industry and the same is true in the world of threat intelligence. If you’re looking for a one-size-fits-all approach, you’re viewing the problem in the wrong way. Here are the questions you need to address:  

  • Is there overlap among threat intelligence vendors and communities?
  • Which sources cater to your defensive tools?  (If a provider hands you 6 million malicious IP addresses do you have the tools to operationalize them?)
  • Which threat feeds are complimentary?
  • Which providers distribute intelligence that overlaps with attacks your team has investigated?

Step 3. Prioritize alerts to efficiently utilizing security analysts’ time
Instead of seeking out the latest and greatest technologies to add to a roster of network protections, enterprises should identify new ways to effectively leverage the tools they already have. The security information and event management tool is the perfect example. It correlates trillions of events creating alerts, but analysts become submerged by the sheer number because there is little to no true prioritization. However, if teams efficiently integrate threat intelligence feeds with their SIEM, analysts could significantly improve alert prioritization and jumpstart analyst triage investigations.

Skilled analysts are in short supply and high-demand! It can take a massive amount of resources to find, hire, and retain a qualified security analyst. Worse, and one major downfall I’ve frequently observed, is the misuse of security analysts’ time and expertise. Organizations have the tools to properly defend the organization but their analysts are stuck performing manual tasks rather than focusing on bigger picture solutions and processes.

Step 4. Foster collaboration between ALL analyst teams
Too often analysts sitting shoulder-to-shoulder (let alone across the room or building) don’t effectively collaborate on indicators, malware techniques, victimology, etc. And no, the answer isn’t having another daily standup meeting. Instead, make it easier for security analysts, intelligence analysts, malware analysts, incident responders, and signature/content engineers to talk to each other across geographic locations through tools like HipChat, Sococo, or Skype, and coordinate semi-annually onsite meetings to build relationships. Similarly, encourage analysts to collaborate with peers within like-minded communities outside of the organization.  Join local security cohorts rather than wait for RSA and Black Hat every year to share threat intelligence over a few beers.

Step 5. Pilot threat intelligence providers before buying
Many organizations pull the trigger on selecting a provider after reading two or three sample intelligence or malware reports -- the provider’s “golden child” of reports. But that isn’t a good day-to-day representation of what the providers’ publish. I recommend asking for a 30-day evaluation period where you can evaluate:

  • When the threat information is released and figure out which time is most efficient for your organization;
  • How valuable are the reports in relation to industry threats and are they relevant to your organization;
  • The volume of data published and whether the data is easy to consume and push out to your security infrastructure;
  • If the threat feed helps cut down on security analysts’ time and ability to consume the information.

At the end of the day, you need to choose a provider that you and your organization trust. If there isn’t mutual trust at the beginning of an engagement, the relationship will be rocky forever.

Ryan Trost is the CIO and co-founder of ThreatQuotient. Prior to ThreatQuotient, Ryan was Senior Director, Cyber Intelligence Solutions Architect at SRA International and SOC Manager at General Dynamics, where he led the information technology and security teams. Ryan is an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulienOrmidal
100%
0%
JulienOrmidal,
User Rank: Apprentice
7/30/2015 | 4:45:56 PM
Analytics
Hi,

Thats a really interesting article. For me it would be more than 5 steps but you did a good resume of how it is hard to really prioritize and deal with analytics issues. For me thats the real challenge for companies and government to deal with Big Data and analytics for the next 10 years atleast...

Julien
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...