This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
As cyber security threats have become increasingly sophisticated and pervasive, it’s become impossible to identify and defend against every probable attack with traditional security budgets. That’s where threat intelligence comes in. Effective use of threat intelligence is a way for businesses to pool their resources and overcome internal technical or resource limitations. Theoretically, it allows companies to “crowd source” security and stay one step ahead of malicious entities.
But that only holds true if it can be consumed as actionable intelligence. Unfortunately for many organizations, disjointed security solutions and departmental silos have made threat intelligence hard to implement across the organization and consequently, ineffective. Without the means to make threat intelligence actionable, it’s just data. Data won’t save your company from a targeted attack when human analysts are unable to quickly make use of it throughout decision support tools across the organization.
The challenges are two-fold. Technical silos and a lack of cooperation “across the aisle” driven by the fact that actionable intelligence can mean different things to different stakeholders. For instance, cyber analysts, operations managers, incident responders, lawyers, auditors and business risk managers all have slightly different contextual lenses. They don’t have a lingua franca for risk, nor do they measure risk in the same way. However, today it’s more important than ever that organizations find ways to work across silos, break down barriers to success and align stakeholders to better utilize threat intelligence.
There are five common reasons threat intelligence fails today:
While these are all very real challenges, there are some steps you can take right now to begin breaking down silos and enable threat intelligence to flow more freely throughout your organization:
* Identify Integration Opportunities: Depending on an organization’s maturity level and existing technology investment, the first step may be to identify opportunities for tighter technology integration and the automation of threat intelligence feeds. Automating information sharing across stakeholders ensures an organization’s governance rules are followed and removes delays introduced by human operators and processes.
* Find Your Stakeholders: Take an internal census and identify the stakeholders who might have knowledge, data and expertise to facilitate threat intelligence sharing. In addition, identify who might need to consume that information quickly in order to secure critical assets. Without a full accounting of your internal stakeholders, assets and capabilities, it will be hard to get an effective plan in place.
* Uncover Efficiencies: Often the internal census above will reveal duplicate needs for threat intelligence feeds across the organization, allowing for mutually beneficial opportunities for streamlining intelligence sharing. This can be the basis for a larger transformational business case, such as being able to reduce human resource requirements in multiple areas at once, which will be readily accepted regardless of the metrics used to measure success.
* Tap into All Domains: Depending on your organization’s industry, mission, structure and culture, you will need multiple domains/dimensions of threat intelligence to meet stakeholder needs. This means not only sharing actionable intelligence across domains, but also having multiple sources of threat intelligence, or a rating system to score various intelligence sources. Taking action based on bad intelligence could be worse than taking no action.
* Set the Right GovernanceModels: Relatedly, a prohibition on certain actions based on a sole source of intelligence is warranted. Having these policies in place prior to an incident will help guide operations when an organization is under stress. Not all feeds are created equal. Open-source feeds, consolidated feeds and premium feeds should be evaluated against your organization’s mission and scored based on reliability, asset value and overall cost of ownership (subscriptions, platforms, bandwidth, etc.).
In the end, threat intelligence sharing is one of the best ways to ensure your organization can react quicker and make better decisions faster, in response to today’s rapidly changing threat landscape. Don’t wait for a top-down mandate or compelling event to get started break down the walls and create the internal efficiencies you need to get the most out of this valuable resource.