Threat Intelligence for the 99% - Part 4: What Approach Do You Take?

Welcome to the latest edition of our ongoing blog series, Threat Intelligence for the 99%. We’ve already looked at several aspects of cyber threat intelligence (CTI) programs, including indicators on when an organization is ready to implement one.

This week, we’re looking at the right approach to take to formulate a plan for a CTI program.

Referring to what we talked about last week, any organization that’s ready to do real threat intelligence has already determined that they’re “tall enough to ride the ride.” So, now what do you do?

There are generally three approaches you can take in launching a CTI program:

1. You outsource it.
2. You build it.
3. You do a hybrid of those two approaches.

Outsourcing threat intelligence functions

The first place to start for most organizations is to consider outsourcing. Your primary outsourcing mechanism when it comes to CTI is your existing security vendors. Do a little research into what they have. If one of them has a firewall with an intelligence feed you can subscribe to, you should consider buying that first. It’s a good place to start and you’ll better bang for your buck.

There is debate in this industry about the efficacy of these feeds. But the reality is, if you just need to do something because you have a need or you have an event of some kind, your best place to start is with an outsourced feed from a vendor you’re already using. It's better than doing nothing.

The next step up would be establishing a relationship with a Managed Security Service Provider (MSSP) to perform the threat intelligence function. The MSSP should perform due diligence around what your risks and needs are, and then curate all the data up and send it to you for you to action.

Because you’re doing this and paying for it on top of your existing vendor relationship, you’ll want to do a little bit of due diligence yourself on the team that’ll be performing these critical functions for you. It's important for you to understand the capabilities of the researchers developing the intelligence on the other side.

Any good MSSP that's doing this will be more than willing to provide you redacted CVs of the researchers that are on the staff. They want you to feel comfortable, and they what to shine and highlight that. If they're unwilling to do that, run away.

If you do feel comfortable with the capabilities of an outsourcing staff, you’ll also need to ensure you know how they’re deriving their intelligence and what it is you’re getting. If they’re just taking open source information and packaging it in what they sell you, that’s something you could do yourself. You want a service that provides additional enrichment for the data that’s unique to you and your risk profile.

And lastly—you want to know how often, and how fast, you can get information from that third-party source. If there’s a threat and your CEO wants a report on their desk Monday morning, you need to know how fast that MSSP can get that information to you. Your CEO isn’t going to care where it comes from, they want the report.

Building your own threat intel functions

This is not for the faint of heart. The “build it yourself” approach takes a serious amount of effort and investment if you’re starting from scratch. There are two main components to this approach: the intelligence factory, and the production side.

The factory is the machine to build the data, with consumed feeds, cross reference feeds and enriched feeds. Then, on top of that, you have to produce the intelligence so you’re making sense of what you're gathering from the factory.

The heavy lift here is certainly the factory part given all the coding and resource work that must go into it. I’d say it’s about 80% of the work. But you cannot underestimate the production side that makes up the other 20%. That’s where it’s key to have the right people in place.

You need people with the background in intelligence. You cannot give the average network engineer the task to produce an intelligence factory and then drive that to action. It’s not the same. An intelligence mindset is not a technology mindset; don’t underestimate the difference.

Intelligence professionals are hard to find and even harder to keep:

• Many have military or law enforcement backgrounds.
• They’re in high demand, especially in areas such as the financial sector where they can be part of intelligence teams with as many as 300 people.
• They’re expensive to hire.
• They want to solve interesting problems and do interesting things.
• And if they don’t find what you’re doing interesting enough, they’ll get bored and move on.

So, my caution would be to think long and hard before deciding to go out and build your own threat intelligence program from scratch.

The hybrid threat intelligence approach

Finally, let’s look at how to do the hybrid approach. The way to combine the “outsource it” and “build it” approaches to CTI is to use outsourced feeds but to leave the operational action piece in your environment.

In this approach, the vendor you’re using for outsourcing will collate all the data and information they pull in from their feeds and they’ll provide you a report. It would be up to the people in your organization to then turn that into actionable intelligence.

If you don’t have the resources, the hybrid approach is a difficult one to succeed at. If for example, there is a security event, you would lack plausible deniability if you had the data that could have stopped it in hand but you didn’t do anything about it. In this case, you would have been better off fully outsourcing those services.

Next time, we’ll begin our in-depth look of how to build your own threat intelligence program.

Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth S 935 from March 4-8.