Threat Intelligence Best Practices for Lean IT Organizations: Part 2

Editor’s note: For cybersecurity professionals, threat intelligence isn’t just about reacting to indicators of compromise after they've already impacted an organization.

In a recent discussion with Black Hat contributing editor Terry Sweeney for their Executive Interview Series, Josh Douglas, VP of Threat Intelligence at Mimecast, explained how true threat intelligence requires a holistic, integrated approach that includes organizational cultural shifts along with technological enhancements.

What follows is an edited transcript of a portion of the discussion. Here is Part 1 of the discussion. You can view the entire discussion here.

Q: You’ve mentioned culture. As every infosec professional knows, that is notoriously hard to change, but yet it is an essential part of improving an organization’s overall IT and security posture. What sorts of cultural shifts and training are important to initiate and encourage here?

A: I think there are two ways we can look at this. One is a strategy you go after based on what you’re trying to get out of it, and one is the tactical item that you approach. Let’s talk about the tactical item first. A lot of times we try to use a stick to beat people into submission around security when we should really be using the carrot. By that, I mean you need to engage people in the proper way, and that gets into the strategic conversation.

At Mimecast, we think of that engagement of culture as involving three things: it’s engagement, it’s knowledge and it’s sentiment. Fundamentally, awareness training today has fallen down because people don’t want to be engaged in it. Often times, as security professionals, if we’re using the stick we’re also not engaging the users either. So, we need to find a good way, be it through humor or some other aspect to get employees engaged.

Once they’re engaged, typically the knowledge will start to increase. And when the knowledge increases, the sentiment will to increase, which ultimately reduces human error. This is something that we’ve taken through the masses of our customers and it absolutely works. That’s when the employees get more engaged and they start to become an extension of the security team. It’s an exciting mechanism to start to change the dynamic around culture.

Q: That seems to map into another shift in strategy you’ve that advocated around asking security teams to try and discern the intent of intruders. How does that work exactly and how does that shift the conversation around security strategy?

A: As security professionals we are often very focused on security, security, security. We don’t think about the business aspect that are at hand. We don’t put ourselves in the shoes of the people we’re working with, let alone the shoes of the adversary that’s going after the people we’re working with for business.

So, we often focus more on attribution when we think about threats, for most companies that’s not going to get them anywhere. They can’t indict those individuals. They’re not going to be able to go and perform some action against them to stop it. What they can do is reduce the likelihood they get targeted by understanding what they’re after.

If I’m a manufacturer and I do some kind of widget for a utility company, more than likely I’m involved in that chain, which means it’s broader than me. It means, thinking about the aspect of, who’s the downstream recipient of this attack? It could be the power company. When you start to think about that, you can form a strategy based on: “What are the most important data elements in my company? How do I retain that? How do I have business continuity should something go awry so that way the fundamental piece that I’m providing does not impact not only me but also does not impact my customer?”

Q: It sounds like you want customers to better understand what their risk is for attack and also what makes them attractive as a target. Once they have a better handle on those issues, what do they do then?

A: They can form that roadmap—that strategic plan—to be able to close some of those gaps. Everything isn’t going to change tomorrow. Any security professional that’s gotten in the door Day 1 can tell you that operationalizing security doesn’t happen instantaneously. Granted, if you have a partner who can provide some kind of platform, such as Mimecast does today, some of that gets shortened, [items such as] the tactical items around threat intelligence, being able to stop malware—they happen much quicker.

So that way, you can start to focus on the most important things inside your company walls. “Should I train the individuals to be more aware of these security problems? Should I go after putting patches on these systems inside my environment because they’re considered a high-value target to an adversary? Should I have a particular engagement model, or even join an ISAC relative to the power or utility industry—or whatever it may be?”

Thinking more broadly, now I have a roadmap that I can go after and I can start to close the gap. What you’ll see happen—and I’ve seen in this first hand—is when you close the gap against the adversary, the attacks will go down and they’ll shift their focus to a softer target. Ultimately, that’s the goal you need to go after, how you make it harder for them to go after you.