Threat Intelligence for the 99 Percent - Part 2: Why is it Important?

Welcome to the second installment of our blog series, Threat Intelligence for the 99%. In this series we’ll dive deep into all topics surrounding threat intelligence, what it means and how to approach it depending on the needs and resources of your organization.

In this first post, Explaining the Issue, we showed you a series of definitions to set the table for how any organization—regardless of staff, budget or technical security expertise—can approach cyber threat intelligence.

This week, we’re examining a simple question: why is cyber threat intelligence (CTI) important in today’s cybersecurity landscape? There are two main umbrellas under which we will explore this question: the area of defense and the area of confidence. Let’s start with defense.

Defense as a threat intelligence driver

Threat intelligence is all about action. What action will you take to respond to the threats you’re getting in your environment? Getting an indicator of compromise about, for example, a suspicious or threatening IP address will need to be actioned in order to be doing real threat intelligence.

Types of security controls

In general, there are three types of primary controls you can use to turn data into action for threat intelligence purposes.

Preventative control. This control could involve taking that known bad IP address and loading it into your security apparatus to stop any bad action before it happens. That means nobody in your environment would be able to access that IP address while it’s in your security apparatus.

Detective control. In this control, for example, you’re letting that bad IP address through because you aren’t sure of the quality of intelligence you possess in your systems, or because you know that IP address is only going to be bad for a short period of time.

When organizations put in this type of control, they monitor the bad IP address and manage the outcomes of this intelligence. It’s all about the ability for the organization to react—good, bad or indifferent.

Administrative control. These are more strategic and operational controls, and often aren’t directly technical. It can be as simple as hearing, for example, that an adversarial foreign government entity is dropping USB sticks all around your company’s parking lot and issuing a directive asking people not to put them in their laptops.

Threat intelligence is part of the ground work for the control implementations you need to actually protect your environment, and that’s why it’s a key component of any defensive strategy.

Confidence as a threat intelligence driver

As a Chief Information Security Officer (CISO), a lot of security-related questions you’ll get from your CEO will be due to something they saw in the news. There might be a high-profile breach, a new strain of malware out there wreaking havoc on networks worldwide, or some other cyber catastrophe. And that inevitably leads to the question:

“Is this going to be a problem for us?”

And if you don’t have a good answer, the next question might be:

“What did I hire you for?”

These executives want confidence in the security program they’re paying for and to make sure you’re taking an adequate view of the risk to the business. They want you to have a finger on the pulse of the cyber threats that could impact their bottom line. They’re trusting you to do this and if you aren’t, they may rethink whether you’re the right person for the job.

In some cases, you may need what I call executive eye candy to show what’s going on. This is data that may come out in different reports that either you or third parties generate showing different threats, but truthfully these don’t have value to be placed within preventative or detective controls. It could have a place in administrative controls but that’s a stretch.

It’s more about driving confidence in your program and the abilities of you and your staff members to keep up in the adaptive threat.

Defense and confidence together for threat intelligence

So, what’s the right blend for your organization?

If you don’t have a mechanism to feed threat intelligence into your security gear, then most of what you do will be confidence-based, because you’ll need an answer the next time your CEO sees something on the news about the latest ransomware strain.

Mature programs have a blend of defense and confidence tactics because they’ve ingrained those security practices into their organization. That’s the place you want to be, and that’s why it’s important to build a threat intelligence program. You simply can’t be caught flatfooted both by the attacks you could see and the questions you could get from higher-ups.

So now that we’ve explored why having a program is important, it’s natural now to ask: when is the right time to implement a CTI program? We’ll look at that question next week.

Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth S 935 from March 4-8.