You can do threat intelligence—even with a small budget.
Editor’s Note: As part of an ongoing series, Threat Intelligence for You, we’re asking thought leaders in the Cyber Resilience Think Tank their thoughts about threat intelligence, how they define it and what place it has in today’s enterprise business landscape.
This week, we’ve got Part 2 of a conversation with Gary Hayslip, Vice President and Chief Information Security Officer of Webroot, a provider of Internet security for consumers and businesses based in Broomfield, Colo. and Dublin, Ireland. Here’s Part 1 if you missed it.
For more information, download the latest Cyber Resilience Think Tank E-book, Threat Intelligence: Far-fetched idea or Must-have Security Tactic? How Every CISO Can Make it a Priority.
Why do organizations tend to withhold threat intelligence information? What are the consequences of not sharing, and the benefits of sharing?
I believe it is the fear of leaking sensitive information that can result in legal or regulatory sanctions against the organization. It is also because of the damage to the organization's reputation and having to admit they had an incident and now they must manage the fallout.
The consequence of not sharing information is that typically you are not the only business that was targeted. I have seen over the years that wide swaths of businesses in specific industries get targeted together, and if no one ever shares information, then how can the industry protect itself and get better as a community?
The benefit is that the information that can be shared anonymously will help the organization protect itself and be more resilient when incidents do occur.
Do organizations tend to rely on third-party security vendors to perform cyber threat intelligence? What are the pros and cons of relying on a security vendor to perform this function?
Most organizations that are mature enough to start using cyber threat intelligence will use multiple sources. There is no one source that has everything a company would need; what is crucial is to have several good sources and the ability to aggregate them and implement them into the organization's security stack.
One of the cons is that the threat intelligence may be narrowly focused on a specific product, service, industry, etc., and it may be in a proprietary format. The pro is that the CTI tends to be current and specific to technologies you have in your security stack.
What are the pros and cons of performing threat intelligence in-house?
Pros: Data is contextual and specific to issues you have had before, which means your staff are familiar with them.
Cons: It may not be current because it's past-tense data, and if you have changed technologies and updated specific security solutions, it may no longer apply to the organization.
What steps can lean enterprise organizations take to make the transition from having a security vendor perform threat intelligence to doing it in-house?
Belong to an information sharing organization; many of them are industry specific. One example is the Financial Services Information Sharing and Analysis Center, known as FS-ISAC. It is an industry forum for collaboration on critical security threats that is used by the financial services sector. As a member of such a collaborative forum, the CISO could get alerts on current security issues, access to current threat white papers, and peers who can speak about best practices to remediate identified concerns.
What are five steps small-to-medium sized enterprise organizations can take to prove the value of threat intelligence with little (or no) budget or resources to dedicate?
- Conduct an inventory of all hardware, software, cloud services and data types to better understand which ones are required to keep the business running. Use this prioritized list to establish a data governance program, prioritize which vulnerabilities need to be remediated first and create/train your incident response and business continuity teams with a focus on the items in your prioritized list.
- Start maintaining an incident database of internal issues, from phishing emails to malware infections. Keep this up to date, and over time the CISO can use it for analysis to see what issues are common, to improve his/her security stack, and to improve training for employees to better prepare them for security incidents.
- Some businesses may operate in industry verticals that are designated as critical, so with this designation CISOs can request access to threat intelligence feeds and security services not normally available to public companies – see DHS Enhanced Cybersecurity Services (ECS) for more information.
- Use open source CTI that is specific to your industry and technology portfolio, with the understanding that it may not be current, but at least it's a start.
- Turn on some of the basic CTI feeds/services within your security stack. Keep a log of all the malware and threats that are blocked/remediated so you are able to show over time the amount of bad traffic that is removed and the types of malware that are being used to target the organization.
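As an added illustration of the last two steps above (turn on an indicator feed, log what it blocks, and report the counts over time), here is a small Python script that is not part of the interview and not Webroot's or DHS's tooling. It matches constructed proxy/firewall log lines against a constructed open-source indicator list, tallies blocked hits per month and per malware family, and separately flags connections to a known-bad destination that were allowed through (a coverage gap worth showing alongside the block counts). The log line format, the indicator values and the malware family names are all assumptions made for this example.

```python
"""Tally blocked threats against an open-source indicator list and report
counts per month and per malware family.

All indicators and log lines below are constructed for illustration; the
log format is an assumption for this example, not any vendor's real format.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for an open-source CTI feed: indicator -> family.
# Real feeds are larger and change daily; this mapping is illustrative only.
INDICATORS: Dict[str, str] = {
    "203.0.113.10": "Emotet",
    "198.51.100.7": "TrickBot",
    "update-check.example.net": "AgentTesla",
}

# Constructed log lines: "<ISO timestamp> <BLOCK|ALLOW> <src> -> <dst>".
SAMPLE_LOG: List[str] = [
    "2023-01-04T09:12:31Z BLOCK 10.0.0.12 -> 203.0.113.10",
    "2023-01-19T14:03:07Z ALLOW 10.0.0.33 -> example.org",
    "2023-01-22T08:45:59Z BLOCK 10.0.0.12 -> update-check.example.net",
    "2023-02-02T11:20:00Z ALLOW 10.0.0.40 -> 198.51.100.7",
    "2023-02-11T16:31:44Z BLOCK 10.0.0.21 -> 203.0.113.10",
    "2023-02-11T16:32:10Z BLOCK 10.0.0.21 -> 203.0.113.10",
    "this line is garbage and should be skipped",
]

# Captures the year-month (for monthly reporting), the action, source and
# destination. Anything that does not match is counted as skipped so that
# parser failures are visible in the report rather than silently dropped.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2})-\d{2}T[\d:]+Z (BLOCK|ALLOW) (\S+) -> (\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (month, action, src, dst) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    month, action, src, dst = m.groups()
    return month, action, src, dst.lower()  # indicators are stored lowercase


def summarise(
    lines: Iterable[str], indicators: Dict[str, str]
) -> Tuple[Counter, List[Tuple[str, str, str, str]], int]:
    """Match each line's destination against the indicator list.

    Returns:
      blocked: Counter keyed by (month, family) for BLOCK actions
      missed:  (month, src, dst, family) for ALLOW actions to known-bad hosts
      skipped: number of lines the parser could not read
    """
    blocked: Counter = Counter()
    missed: List[Tuple[str, str, str, str]] = []
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        month, action, src, dst = parsed
        family = indicators.get(dst)
        if family is None:
            continue  # not in the feed; nothing to report
        if action == "BLOCK":
            blocked[(month, family)] += 1
        else:
            missed.append((month, src, dst, family))
    return blocked, missed, skipped


def monthly_totals(blocked: Counter) -> Dict[str, int]:
    """Collapse the per-family counts into a per-month total for trending."""
    totals: Counter = Counter()
    for (month, _family), n in blocked.items():
        totals[month] += n
    return dict(totals)


if __name__ == "__main__":
    blocked, missed, skipped = summarise(SAMPLE_LOG, INDICATORS)
    for month, total in sorted(monthly_totals(blocked).items()):
        families = ", ".join(
            f"{fam} {n}" for (mo, fam), n in sorted(blocked.items()) if mo == month
        )
        print(f"{month}: {total} blocked ({families})")
    for month, src, dst, family in missed:
        print(f"GAP {month}: {src} reached {dst} ({family}) without being blocked")
    print(f"{skipped} unparseable line(s) skipped")
```

The `missed` list is the part worth keeping even when the monthly totals are the headline number: an allowed connection to a destination that is already in the feed means the feed is not wired into the control that saw that traffic, which is exactly the kind of finding that justifies spending on the next integration.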