In 2015, I conducted some in-depth research around enterprise organizations’ consumption, use, and sharing of threat intelligence (login required). Time and time again, I heard cybersecurity professionals proclaim that their organizations had to do a better job “operationalizing” threat intelligence.
Hmm, sounds like a worthwhile security management goal if I’ve ever heard one, but what exactly does this mean? Some ESG research may be helpful here. ESG surveyed 304 IT and cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked them to identify their organization’s top threat intelligence challenges. The data reveals that:
- 32% of organizations have inadvertently blocked legitimate traffic as a result of misinterpreting threat intelligence.
- 32% of organizations indicate that threat intelligence is collected and analyzed by different individuals and groups, so it is difficult to get a holistic perspective on external threats or a clear way to correlate external threats with internal security telemetry.
- 31% of organizations are challenged by the workflows associated with threat intelligence collection and analysis.
- 28% of organizations say that threat intelligence isn’t as timely or accurate as it needs to be.
Additionally, 26% of organizations claim that many threat intelligence feeds need to be normalized before they can be used effectively.
The ESG data illustrates some common threat intelligence program problems so “operationalizing” threat intelligence must start by addressing these challenges with the following steps:
- Rationalize threat intelligence programs. A wide variety of IT and cybersecurity staff purchase and use an assortment of threat intelligence feeds without any type of central oversight. This leads to high costs and low value. CISOs must start by getting their arms around who consumes which threat intelligence for what purposes. This investigation should expose redundancies and inefficiencies allowing CISOs to rationalize what they buy and how it is used. Enterprises should also think about centralizing threat intelligence collection and processing and then offer it as a service to various security, compliance, and risk constituencies.
- Establish threat intelligence quality metrics. A lot of threat intelligence is nothing more than redundant data on IoCs like malicious IP addresses, URLs, and domains. This information is readily available as open source, so there is really no need to fork over precious budget dollars for commodity data. Instead, CISOs must decide on quality metrics for threat intelligence in terms of timeliness, relevance, and alignment with their organization’s industry, location, etc. It is also useful to take an “outside-in” perspective on threat intelligence to understand what cyber-adversaries are up to in order to anticipate attacks and plan defenses. Arbor Networks ATLAS threat intelligence feeds, FireEye, and LookingGlass cyber do a good job here.
- Evaluate threat intelligence inputs and outputs. Normalizing threat intelligence data to make it useful is an elementary but still pervasive problem. This means that organizations need to assess whether they can make threat intelligence actionable in an appropriate timeframe. Standards like STIX, TAXII, and OpenIoC should help. It’s also important to realize that threat intelligence is a means to an end, namely threat hunting or incident response, so CISOs have to evaluate how well threat intelligence is integrated with analytics systems like SIEM and incident response platforms. The need for threat intelligence integration is one reason why IBM bought Resilient Systems and why Splunk is committed to open-source and standards in this area.
- Build a realistic plan for threat intelligence sharing. While the US government has stressed the need for public/private threat intelligence sharing partnerships, most enterprise organizations are way behind when it comes to real-time ad-hoc threat intelligence sharing. In this case, CISOs should lead an effort that includes IT, legal, and business management to establish a plan for what can be shared and when. The goal? Determine a realistic model for threat intelligence sharing and institute a technology project to make this happen.
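As an added example (not code from the original article or from any vendor named in it), here is a small Python normalizer that makes the quality-metric and normalization points above concrete. It ingests two constructed feeds (a plain CSV list and a simplified STIX 2-style bundle; the feed contents, feed names, timestamps and the internal allowlist ranges are all assumptions), merges them into one IoC schema, measures how redundant each feed is against the others and how stale its indicators are, and screens IP indicators against an internal allowlist so that a misread feed cannot push the organization's own addresses into a blocklist, which is the failure mode behind the survey's first finding.

```python
"""Added example: normalize two differently formatted threat-intelligence
feeds into one IoC schema, score each feed's redundancy and staleness, and
screen indicators against an allowlist before they reach a blocking control.
All feed data below is constructed for illustration, not real intelligence."""
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed feed A: a plain CSV export ("type,value,first_seen").
FEED_A_CSV = """type,value,first_seen
ipv4,203.0.113.10,2024-05-01T10:00:00Z
domain,Bad-Example.test.,2024-05-02T08:30:00Z
ipv4,10.20.30.40,2024-05-02T09:00:00Z
url,http://bad-example.test/payload.exe,2024-04-01T00:00:00Z
"""

# Constructed feed B: a simplified STIX 2-style bundle of indicator objects.
FEED_B_JSON = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "created": "2024-05-02T12:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "created": "2024-05-03T00:00:00Z",
     "pattern": "[domain-name:value = 'bad-example.test']"},
    {"type": "indicator", "created": "2024-05-03T01:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = "
                "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"type": "malware", "name": "not an indicator, ignored"},
]})

# Only the simple single-comparison STIX patterns are handled here.
STIX_PATTERN = re.compile(r"\[(?P<path>[\w\-:.']+)\s*=\s*'(?P<value>[^']+)'\]")
STIX_TYPES = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
              "url:value": "url", "file:hashes.'SHA-256'": "sha256"}

def parse_ts(text):
    """Feed timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_value(ioc_type, value):
    """Canonical form so the same indicator from two feeds compares equal."""
    value = value.strip()
    if ioc_type == "ipv4":
        return str(ipaddress.ip_address(value))  # also rejects malformed addresses
    if ioc_type in ("domain", "sha256"):
        return value.lower().rstrip(".")
    return value  # URL paths are case-sensitive: leave untouched

def parse_csv_feed(text, source):
    return [{"type": r["type"], "value": normalize_value(r["type"], r["value"]),
             "first_seen": parse_ts(r["first_seen"]), "source": source}
            for r in csv.DictReader(io.StringIO(text))]

def parse_stix_feed(text, source):
    records = []
    for obj in json.loads(text)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = STIX_PATTERN.fullmatch(obj["pattern"])
        ioc_type = STIX_TYPES.get(match.group("path")) if match else None
        if ioc_type is None:
            continue  # unsupported or unparsable pattern: skip, never guess
        records.append({"type": ioc_type,
                        "value": normalize_value(ioc_type, match.group("value")),
                        "first_seen": parse_ts(obj["created"]), "source": source})
    return records

def merge(records):
    """Key by (type, value); remember every source and the earliest sighting."""
    merged = {}
    for rec in records:
        entry = merged.setdefault((rec["type"], rec["value"]),
                                  {"sources": set(), "first_seen": rec["first_seen"]})
        entry["sources"].add(rec["source"])
        entry["first_seen"] = min(entry["first_seen"], rec["first_seen"])
    return merged

def redundancy(merged, source):
    """Fraction of a feed's indicators that at least one other feed also carries."""
    mine = [e for e in merged.values() if source in e["sources"]]
    return sum(len(e["sources"]) > 1 for e in mine) / len(mine) if mine else 0.0

def stale(merged, now, max_age_days):
    """Indicators whose earliest sighting is older than the retention window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k for k, e in merged.items() if e["first_seen"] < cutoff)

def screen(merged, allowlist_cidrs):
    """Never let an IP from our own ranges reach the blocklist, whatever a feed says."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    blockable, rejected = [], []
    for key in sorted(merged):
        ioc_type, value = key
        hit = ioc_type == "ipv4" and any(ipaddress.ip_address(value) in n for n in nets)
        (rejected if hit else blockable).append(key)
    return blockable, rejected

def build_report(now, allowlist_cidrs, max_age_days=30):
    merged = merge(parse_csv_feed(FEED_A_CSV, "feed-a") + parse_stix_feed(FEED_B_JSON, "feed-b"))
    blockable, rejected = screen(merged, allowlist_cidrs)
    return {"unique": len(merged),
            "redundancy": {s: round(redundancy(merged, s), 2) for s in ("feed-a", "feed-b")},
            "stale": stale(merged, now, max_age_days),
            "blockable": blockable, "rejected": rejected}

if __name__ == "__main__":
    # Assumed internal ranges; a real deployment would pull these from IPAM.
    print(json.dumps(build_report(parse_ts("2024-05-04T00:00:00Z"),
                                  ["10.0.0.0/8", "192.168.0.0/16"]), indent=2))
```

On the constructed data the two feeds overlap on two of their indicators, so feed A is 50% redundant with feed B and feed B 67% redundant with feed A, which is the kind of number that tells a CISO whether a paid feed is adding anything beyond a free one. The stale check flags the month-old URL, and the screen rejects the 10.20.30.40 entry rather than forwarding it to a firewall. A production version would pull the allowlist from IPAM, add IPv6 and CIDR indicators, and push the survivors to the SIEM over TAXII or the platform's API.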
There’s a lot to do here and many organizations don’t have the skills or resources for all the necessary steps. Those that fit this description may want to look at threat intelligence platforms like BrightPoint Security (acquired by ServiceNow), ThreatConnect, or ThreatQuotient as these systems were designed to help with all the steps described above.