Threat Intelligence for You: Challenges and Advantages
What can threat intelligence mean for your organization?
Editor’s note: Threat intelligence. It’s been one of the most talked-about themes in the cybersecurity space for years now. But what does it mean to you, and what can it mean for your organization?
In this blog series, Threat Intelligence for You, we’re asking thought leaders from the Cyber Resilience Think Tank their thoughts about threat intelligence, how they define it and what place it has in today’s enterprise business landscape.
This week, we’ve got Part 1 of a conversation with Gary Hayslip, Vice President and Chief Information Security Officer of Webroot, a provider of Internet security for consumers and businesses based in Broomfield, Colo. and Dublin, Ireland.
For more information, download the latest Cyber Resilience Think Tank E-book, Threat Intelligence: Far-fetched idea or Must-have Security Tactic? How Every CISO Can Make it a Priority.
What is “Threat Intelligence” (Cyber Threat Intelligence)?
This first question may seem basic, but I have found many businesses don’t truly understand Cyber Threat Intelligence (CTI) or its value. CTI is a collection or grouping of information that is gathered from sources both human and electronic, internal and external to the organization. This information is typically processed through some type of evaluation to verify its validity and is used to provide context about conditions necessary for a threat to exploit a vulnerability and whether the threat is actively being used by threat actors.
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.”
For those new to CTI, this means that for threat intelligence to apply to your organization (i.e., to have “context”), your organization should have deficiencies that this information would apply to. Examples of such deficiencies are:
- Immature security controls
- Unpatched or misconfigured hardware/software assets
- Undocumented business processes
These deficiencies are basically vulnerabilities, targeted for a unique exploitation, and as I am sure many of you know, every organization and its networks have deficiencies. It is the CISO’s responsibility to understand these concerns, have visibility into the risk they place on the company and, through the use of strategic services such as CTI, prioritize what needs to be remediated first.
How has cyber threat intelligence evolved over the last five years?
Over the last five years, as artificial intelligence (AI) and machine learning (ML) have matured as core components for different security products, what you have seen is a shift from just blacklisting IP addresses to blacklisting the behavior of packets while they are live in transit on the wire. With the rise of cloud and being able to leverage it for cheap computing and storage, and then coupled with AI and ML, you can now do deep data analytics and trend analysis in almost real time, which has made threat intelligence real and contextual.
It is data that can be actionable and applied to technologies and issues that your organization may have. In essence, it is no longer a broad swath of data but a finely-tuned stream that can be specific for your organization.
Now, to answer the question about whether companies are equipped to make the data actionable and apply it, I would say many of the SMBs are not; they are trying to do basic hygiene, and this would be a more mature security control for them. This would be a service they may contract for through their MSP or MSSP.
Cyber threat protection is a tactic; is threat intelligence a tactic, too?
I would say it is. To me, the use of CTI is a mature process that assists CISOs and security teams to better deploy their security controls and prioritize which specific deficiencies should be mitigated first. Without using CTI, you expend more resources and time, and you will miss issues that will leave your organization exposed to business-impacting risk.
What role does Cyber Threat Intelligence play in an organization’s security function?
I look at it as a security control enhancement. Through the use of CTI I can train my staff on incident response that pertains to our infrastructure, services and applications portfolio. I can also make better use of limited resources by focusing them on immature issues of high risk, and I can use CTI to educate my executive staff and provide context into our current risk baseline and the adversaries that may look to interrupt our operations.
When performing Cyber Threat Intelligence, what are some of the biggest challenges facing small-to-medium sized enterprise organizations?
Staff, budget, and expertise/skill set. All of these will be issues in one way or another. Organizations can get CTI for free through information sharing organizations, but real-time contextual CTI tends to be services that you need to pay for, so there are budget issues. If you do get the resources to get this type of CTI, then you run into the problem of having staff that understand the strategic worth of this data and how it can be applied to provide value. For lean organizations, I would suggest just starting with paying to turn the CTI feeds on within your next-gen firewall and your endpoint detection and response (EDR) solution.
These can be automated; just go with that for some basic coverage, and then later, as the organization and its security program mature, look at other initiatives where this information can be leveraged to protect the organization and its business operations.
Despite these challenges, how can organizations use what they already have at their disposal (i.e. historical incidents, data patterns, etc.) to perform actionable threat intelligence?
Internal threat intelligence is information that is already within the organization. It is information that an organization’s security and operations teams have from previous experiences with vulnerabilities, malware incidents, and data breaches. This information, if properly documented, can provide the business with some meaningful content on how their enterprise networks were compromised and if there were any recurring methodologies that worked against the deployed security program.
This information, for most organizations, will probably be collected in some type of log management system or SIEM platform. If this information on incidents can be collected and used to properly document a history of cyberattack paths, malware, vulnerabilities, etc., it can provide invaluable insight into security gaps that can be remediated or help the company identify business processes or legacy issues that need to be addressed to prevent further compromises.