Nobody said Threat Intelligence Would be Easy

Posted by Ryan Trost
A new report by the Information Security Forum (ISF) entitled Threat Intelligence: React and Prepare is making headlines with its main finding that 25% of companies surveyed feel that threat intelligence is delivering on its promise. While the findings in the report are all valid, pointing to threat intelligence and crying foul is just an easy scapegoat. Nobody said threat intelligence was going to be easy…it’s hard…really hard for a number of reasons. But it also delivers tremendous value when it’s approached thoughtfully and strategically.
I thought I’d take a few minutes to address some of the findings highlighted in this article about the report.
90% said they would benefit from a single definition.
While most people have an understanding of threat intelligence (whether a deep-rooted knowledge or a high-level understanding), expecting a single definition isn’t realistic, particularly given its complexity, varying degrees of industry expertise and skills, not to mention the marketing hype. But perhaps the main reason we shouldn’t expect a single definition is that its ultimate objective differs widely: for less mature companies it’s providing situational awareness, and for more mature shops it’s providing better situational understanding to validate their own internal intelligence. How you define it depends on what you need to address.
Only 8% said that they can find all the skills required for their threat intelligence capability.
The skills shortage impacts all aspects of cyber security, and threat intelligence probably feels the impact most strongly. In fact, intelligence has been a government and/or military practice and even then a very, very selective discipline. The government saw a massive exodus as companies poached their intel teams (which was an indirect key takeaway from last week’s AFCEA Cyber Symposium). This led to mainstream companies hitting several early “cultural” hurdles while building intelligence programs because companies were trying to force a cultural uniformity in a symbiotic consensus approach…not typically what ex-military personnel are accustomed to. Having ex-military and government folks build threat intelligence programs within the culture and walls of non-government entities didn’t lend itself to optimal policies and procedures.
In addition to the pure lack of skilled professionals, building a rock-solid program around intelligence requires a 2-3 year roadmap with a quarterly re-evaluation. Threat intelligence isn’t turnkey, as most companies want it to be; it takes time. With both managers and analysts job-jumping at alarming rates, staying on course is a monumental obstacle. The job-jumping speaks directly to the supply and demand of the skilled resources available. Employers are offering significant pay bumps, sign-on bonuses, even large equity stakes to hire the right employees, only to see them poached by a larger organization or their friend 10 months later.
Only 7% have achieved considerable integration of threat intelligence into their decision making and none have done so “fully.”
From a tactical standpoint, the industry is just beginning to wrap its arms around operationalizing threat intelligence with some form of understanding and rhythm. Using intelligence to make strategic decisions that align with an organization’s mission statement is likely 12-18 months away.
And finally, only 32% are using a formal process to manage their threat intelligence capability.
No wonder most organizations are failing to find value – being able to detect, respond, anticipate and prevent threats to your organization is essential! From a tactical standpoint, the security team traditionally never really managed the sensor grid tools performing the block/detect/deny functions. This has been more the realm of the network engineers. With threat intelligence platforms (TIPs) and various orchestration capabilities, this type of automation is knocking on the door, and companies that answer can help to relieve their overburdened, lean staff while strengthening security posture.
Back to the number we started with: 25% of companies surveyed feel that threat intelligence is delivering on its promise. So what’s needed for the remaining 75% to start to get the value from threat intelligence? The first step is aggregating all the data they have into one manageable location and translating it into a uniform format to achieve a single source of truth. Then you can start augmenting it with context so that you can prioritize and use it to better protect your organization now and in the future.
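To make that last step concrete, here is an added sketch (not code from the report or from any product) that aggregates two feeds with different schemas into one uniform, deduplicated store and then ranks the entries using context. The feed layouts, field names, sample indicators and scoring weights are all assumptions constructed for the example.

```python
import csv
import io
import json

# Constructed sample data: two feeds with different schemas and defanging, plus
# a count of matches in our own logs. All names and values are hypothetical.
FEED_A_CSV = "indicator,type\nBad.Example[.]com,domain\n198.51.100.7,ip\n"
FEED_B_JSON = ('[{"ioc": "bad.example.com", "kind": "Domain"},'
               ' {"ioc": "198.51.100[.]7", "kind": "IPv4"},'
               ' {"ioc": "203.0.113.9", "kind": "IPv4"}]')
INTERNAL_SIGHTINGS = {"198.51.100.7": 3}

TYPE_MAP = {"domain": "domain", "ip": "ip", "ipv4": "ip"}


def normalize(value, kind, source):
    """Map one feed row to the uniform record: refanged, lowercased, typed."""
    clean = value.strip().replace("[.]", ".").lower()
    return {"type": TYPE_MAP[kind.strip().lower()], "value": clean, "source": source}


def load_feeds():
    """Parse each feed with its own schema and yield uniform records."""
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        yield normalize(row["indicator"], row["type"], "feed_a")
    for item in json.loads(FEED_B_JSON):
        yield normalize(item["ioc"], item["kind"], "feed_b")


def aggregate(records):
    """Single source of truth: one entry per (type, value), sources merged."""
    store = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        entry = store.setdefault(key, {"type": rec["type"], "value": rec["value"], "sources": set()})
        entry["sources"].add(rec["source"])
    return store


def prioritize(store, sightings):
    """Add context and rank. Weights are assumptions: internal sightings count most."""
    for entry in store.values():
        entry["sightings"] = sightings.get(entry["value"], 0)
        entry["score"] = len(entry["sources"]) + (5 if entry["sightings"] else 0)
    return sorted(store.values(), key=lambda e: (-e["score"], e["value"]))


if __name__ == "__main__":
    for e in prioritize(aggregate(load_feeds()), INTERNAL_SIGHTINGS):
        print(e["score"], e["type"], e["value"], sorted(e["sources"]))
```

Five raw rows collapse to three entries, and the one indicator already seen in internal logs rises to the top, which is the prioritization the paragraph above describes.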