Here’s why looking at indicators of compromise isn’t enough.
Editor’s note: For cybersecurity professionals, threat intelligence isn’t just about reacting to indicators of compromise after they've already impacted an organization.
In a recent discussion with Black Hat contributing editor Terry Sweeney for their Executive Interview Series, Josh Douglas, VP of Threat Intelligence at Mimecast, explained how true threat intelligence requires a holistic, integrated approach that includes organizational cultural shifts along with technological enhancements.
What follows is an edited transcript of a portion of the discussion. You can view the entire discussion here.
Q: Security professionals rely so much on threat intelligence and traditional indicators of compromise to keep users and data safe. Let’s talk about some of the limitations and challenges there, especially for lean IT organizations.
A: I think inherently when we talk about threat intelligence, we talk about indicators of compromise. That’s really post-breach threat intelligence. Either you have to be compromised or in the process of being compromised. It doesn’t really put the lean-IT ahead of the curve, number one. Number two, it exhibits more noise, which I really think is the larger problem for lean IT, because they’re having to spend time going through that data, analyzing it and responding to it. What you’re finding most of the time is a majority of that data isn’t relevant to the organization or they’re finding it to be benign for them to be able to act on it.
Q: It sounds like resources are a challenge then, which is true for most organizations, whether it’s additional staff, or buying technology, or bigger capital budgets, all to defend and protect. Shouldn’t more money and bigger capital budgets solve this issue?
A: I wish, but if you look at the community today, people are talking about resource constraints, and it goes outside the aspects of hiring. Because even if I have all the money in the world, I may not be able to fix for the broader problem, which means I need to take a different lens on it. If I could put tens of thousands of people on this problem tomorrow, we may be able to solve it. But ultimately the lean IT doesn’t have that kind of funding in the first place; otherwise they’d have a big team.
Q: Nonetheless, the trend is that malware volumes and the numbers of daily attacks continue to increase unrelentingly. What are smart organizations doing to address this?
A: They are typically finding a service provider that is already consuming all of those indicators of compromise so that way, they don’t have to. The second piece is they’re forming more of a holistic strategy on tightening their belt and doing some of the tactical items they need to do first. But organizations that are a little more strategic in nature are also starting to understand what their risk is compared to their peers, and the difference between inside and outside threat intelligence.
Q: But still, focusing on intrusions and potential malware has its own limitations. If customers try to get a meta view, what sorts of things should they be looking at adding to the mix?
A: Back in my past life when I was a CISO, what I reported to the board was four things—compliance, or things that I have to do; the commitment I needed from the company; complexity, or the things I can’t control such as breaches, attacks, etc.; and really the fourth thing was culture. Smart companies are starting to think about the fact that culture plays a large part in this across the board, which means they need to look at their entire community.
Q: You’ve spoken about a strategy that encourages customers to operationalize their IT investment. What does that look like from a practical and a strategic level?
A: The practical means doing the normal things you would expect such as good hygiene. Do I have patching in place? Have I turned my tools on in the right way? Am I using those security features? Have I communicated to my customers? Those are the sort of things that they need to know around security.
Strategic, though, is really going back to the root of the problems. So, if I think about a malware attack, the root of the problem may not necessarily be that I don’t have all the greatest detection mechanisms, because I may. Even if we look at phishing attacks today, some get through the door without any sort of malware and they go solely on social aspects of human anatomy, which means I need to extend out the broader aspects of security to the entire community.
I need to make sure they have awareness training, etc. I may even need to make sure they are understanding those complexities, such as if they put their username or password from work inside of a personal account, be it Facebook, LinkedIn, etc., that could come back directly and harm the company.