Cyber Threat Intelligence Analysis:
What You Need To Understand To Defend Enterprise Security from Cyber Threats, Hacktivists, and BotNets.
The article, "Tech Insight: Practical Threat Intelligence," emphasizes the value of advanced threat intelligence and some of the issues IT organizations face in trying to complement their operations with a threat intelligence analysis capability. I'd like to expand on the discussion and offer a perspective on how IT security organizations should look to address this capability in the future.
What it boils down to are the three E's: "Expertise, Efficiency and Excellence of Delivery." I would argue that as IT security organizations look to add advanced threat intelligence data collection and analysis capabilities, they should consider how well their organization can achieve the three E's internally.
IT security leaders must evaluate the expertise they have on staff to collect, correlate and analyze data across a large number of outlets in order to identify the subtle anomalies that may indicate an attack and a risk to their organization. The question of expertise is a matter of the presence of the following elements in your organization: skills, people and research.
IT organizations need all three elements to have the proper expertise for a competent network threat intelligence capability. "Skills" is simply that one or more of your staff have the proper skill sets to accomplish the task. "People" refers to the actual allocation of staff time to the task. "Research" involves the ability of staff to research and stay on top of a changing threat landscape (including actors, methods, tools, analysis of malware, etc.) in addition to the focus on creating threat intelligence that matters most to the organization. Both parts of research are needed to understand the bigger picture and how that picture relates to your organization and its security operations.
If your organization is missing any one of the elements, then you likely lack the proper expertise to build and maintain a threat intelligence capability internally.
Any effective cyber threat intelligence capability requires constant vigilance on a 24x7x365 basis. IT security leaders must consider how any insourced threat intelligence capability can meet this requirement and attain additional efficiencies over time. A primary driver for IT security has always been efficiency: producing greater productivity using the same or fewer resources. This driver will certainly hold for any threat intelligence capability as data volumes continue to grow, IT security threats become more complex, and management looks for greater reporting on the latest security threats and security risks over time.
Efficiency often boils down to priorities. An internal network threat intelligence capability will require a high and sustained commitment. Just like firewall, IPS/IDS and other security capabilities, maximum uptime of any threat intelligence capability is critical to identify, prevent or prepare for an attack before it reaches your network edge. Any lack of commitment or resources that reduces vigilance and fails to meet the 24x7x365 requirement will reduce the operation's efficiency and effectiveness.
Along these lines, if any internal capability is lean to begin with in terms of people and budget, I would argue that the capability's capacity to drive efficiencies over time is less certain. If efficiency is less than certain, then the longevity of the operation is questionable at best and is not likely the right approach.
Why is efficiency so important?
Because efficiency is bottom-line oriented and a key measure for determining if you should source internally or externally. For instance, if the loss of a single employee can weaken or even shut down the organization's intelligence capabilities, then outsourcing will make much more sense. The same is true if competing IT security priorities interfere with the dedicated efforts of an IT security staffer and erode the integrity and consistency of threat intelligence delivery.
Excellence of Delivery
From a threat intelligence perspective, excellence of delivery should be measured by how timely and actionable the delivered threat intelligence is for your organization. "Actionable" means that the intelligence has been analyzed and comes with clear guidelines or recommendations for action. If threat intelligence, whether created internally or sourced externally, lacks either of these two elements, it has little value for your organization.
What we hear
From our conversations with many IT security leaders and information security professionals, we frequently hear about the desire to establish some type of forward operating capability in order to have visibility into developing IT security threats before they reach the edges of their networks. This is where threat intelligence assessment plays a significant role in arming IT and IT security with advance knowledge of imminent information security threats and the actors behind them.
We believe this is a growing trend as organizations accept the implications of a changing cyber threat intelligence landscape whereby more sophisticated actors pose a disproportionately greater risk than a multitude of commodity-attack actors using common, previously identified tools and techniques.