    Threat Intelligence for the 99 Percent - Part 3: When Is It Needed?

    Are you tall enough to ride the ride for threat intelligence?

    by Marc French

    Welcome to the latest edition of our ongoing blog series, Threat Intelligence for the 99%. This week, we’re looking at the indicators for when you need to implement a cyber threat intelligence (CTI) program.

    When thinking about the maturity of a cybersecurity program, I liken it to rollercoasters in your local amusement park: folks must be tall enough to ride the ride. If they’re not tall enough, they’ll be on the sidelines watching while everyone else gets to ride.

    So, to even consider having a CTI program, there are certain benchmarks you should reach as an organization. Let’s look at those benchmarks so you can see where you stack up.

    The basics for cyber threats and intelligence

    When getting started with threat intelligence, you shouldn’t even be thinking about implementing CTI unless you’re already doing the following:

    • You can adequately patch your systems
    • You have perimeter control within your environment
    • You have an anti-virus solution running on your desktops
    • You have good, solid multi-factor authentication services going

    If you aren’t doing these things, you really don’t have any business jumping into CTI beyond the base-level confidence discussion we talked about in Part 2. This is where you at least have an answer for your CEO when they come asking about the latest attack they saw on CNN.

    We’ve also talked about how intelligence equals action on your part. Those very baseline functions within your security environment will serve as a foundation for you to implement the preventative, detective and administrative controls required to action the intelligence you come across. If you don't have those mechanisms built and deployable, you can't really action the intelligence. It’s that simple.

    The minimum security profile for CTI

    So, let’s say you have all the mechanisms and technologies in place to start actioning threat intelligence into your environment. What about people? Is there a minimum security team profile you need to do CTI? It depends on many factors, including what may be important to an individual organization.

    For example, consider a regional bank with 20 local branches and a small security team focused mostly on keeping the lights on: stopping business email compromise, preventing wire fraud and generally taking a risk management approach. They probably meet the requirements to “ride the ride,” but what’s important to them? It may be more on the administrative side and less on the preventative and detective controls core to CTI.

    On the other side of the coin, a manufacturing company may look at it differently. A widget manufacturer may only be interested in doing whatever it takes to keep the widgets rolling out. In that case, they could look at a more preventative approach where threat intelligence would generally have more value.

    So, what’s that minimum profile for CTI? It’s when you've recognized the value of intelligence and how it can benefit your business, and you've also identified the type of intelligence you need to consume to meet your core mission. That core mission will vary widely from company to company.

    Is there a forcing function for CTI?

    If, as an organization, you get to the point where you’re ready to do CTI, chances are you won’t do it “just because.” It’s also not a great idea to start doing CTI just because everyone else is doing it. It’s more likely you’ll have some sort of triggering event that leads to the introduction of a real CTI program.

    Scenario #1: You have a major security event where having threat intelligence on hand would have made a difference. That’s a reactive position—and definitely not one you want to be in if you can help it.

    Scenario #2: You may have a brother or sister-type organization that has an event (think other hotel chains after the Marriott Starwood breach) and that leads you to consider how threat intelligence could have played a role.

    Scenario #3: A major business event, such as a merger or acquisition, where it’s necessary to understand the risks of the new business. This is a more proactive approach to threat intelligence and one that could be entirely necessary.

    Scenario #4: And then there’s the scenario—and the one I consider the least likely—where you simply say, “I want to get better” and try to introduce CTI. There are only so many dollars to go around, especially in IT and security budgets, and trying to make that case to your C-suite without anything beyond “I want to do better” probably isn’t going to fly.

    When you do get the go-ahead to try a CTI program, what’s the best approach to take to get it done? We explore that question in the next post.

    Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth S 935 from March 4-8.
