Today’s guest post was written by Robert M Lee, Founder and CEO of Dragos Security. Robert is a renowned expert in Cyber Threat Intelligence and Industrial Control Systems.
One of the keys to effectively using threat intelligence is knowing what you want out of it and what your organization can reasonably do on its own. As an example, if you want to have a fully capable threat intelligence capability that can equally help keep executives informed and empower enterprise security personnel to be more efficient – you already need to have a mature organization and plan on having a fully operational staff. That staff must be highly trained, empowered, and likely exist in a team such as a security operations center (SOC) or threat operations center (TOC). And even those mature teams seek outside assistance where appropriate.
Understanding and managing expectations in the context of what your organization can or cannot do will ultimately make threat intelligence work better for you and keep you from eventually looking foolish at oversold promises in your organization. This critical evaluation of your organization is all about finding the return on investment you can realistically expect before you spend hundreds of thousands or millions on threat intelligence.
How then do you take that critical look at your organization and determine if you are ready?
First, understand your organization’s security maturity. Threat intelligence is not a magic solution that can be applied to fix bad practices such as the lack of logging. It is the 5% on top that should be applied to security practices that are already mature, thereby squeezing more value out of the tools, people, and processes that already exist. To visualize this consider the Sliding Scale of Cyber Security.
An organization that has yet to invest at the left side of the scale, in areas such as maintaining an architecture engineered for security, will always see a much lower return on investment into categories more to the right such as active defense. Active defense personnel looking to monitor for, respond to, and learn from adversaries internal to the network cannot do this effectively without the architecture and passive defenses that enable visibility into the environment while ruling out the noise of trivial malware that defenders should not be spending time on. Organizations do not have to fully invest in one category before moving to the next one, but it should be understood that investments in the left hand side of the scale directly impact the capabilities of the right hand side. Jumping to intelligence too soon will not solve anything. In any case, each organization must consider the investment value of each component of the Sliding Scale in its own environment. As an example, privately owned companies inevitably receive little to no value from performing offensive actions when compared to the potential value from investments in other areas.
Once an organization understands its own maturity, the next step is to figure out exactly what it wants out of intelligence. Threat intelligence is a term that encompasses countless different formats. Sometimes threat intelligence comes in the form of threat data such as “feeds”, or threat information complete with context and data. More refined intelligence sources are the product of human analysis involving multiple sources of information. Each requires a lot of hard work to evaluate and determine its effectiveness within your security program. Threat data can be great for making passive defenses such as endpoint security solutions work more efficiently and with fewer false positives; but critically evaluating a simple feed and making sure “bad” data is dropped before being sent to your security architecture is still a full time job. Threat information especially needs to be evaluated because the context included with the data can greatly benefit security tools as well as the defenders operating them.
Finally, using threat intelligence to support an assessment of analyzed and competing hypotheses and information is an extremely time consuming process that should help organizations make strategic decisions and not just new security signatures. This means the end usage of threat intelligence is not a technical one, so its evaluation should not simply be “outsourced” to a technical tool.
Where does that leave you?
If your organization is like most, you are still fighting the battles of people and processes to get a firm handle on your passive defenses – if not your architecture itself. Many organizations are now moving toward employing more active defense strategies such as a security operations center but very few are ready to properly integrate a full time intelligence capability. That’s fine.
Organizations can decrease the operating cost of their current operations through using managed services companies with dedicated, professional analyst who spend the time to fully evaluate threat intelligence sources and apply the best choices to the security architecture. This aspect of assistance is a mature choice when an organization can evaluate what they want and determine where they are in their own security strategy. For those organizations that are not even to the point of determining where they are or what they need, they are not yet mature enough to effectively invest in organic threat intelligence capabilities. Make the right choice for your organization to get the most out of threat intelligence.
About the Author
Robert M. Lee (@RobertMLee) is the Founder and CEO of Dragos Security, developers of the critical infrastructure cyber situational awareness software CyberLens. He is a SANS Institute Certified Instructor and course author of ICS515 – ICS Active Defense and Incident Response and co-author of FOR578 – Cyber Threat Intelligence. Robert is also a non-resident National Cybersecurity Fellow at New America and a PhD candidate at Kings College London.