Operationalizing threat intelligence

In 2015, I conducted some in-depth research around enterprise organizations’ consumption, use and sharing of threat intelligence. Time and time again, I heard cybersecurity professionals proclaim that their organizations had to do a better job “operationalizing” threat intelligence. 

Hmm, sounds like a worthwhile security management goal if I’ve ever heard one. But what exactly does this mean? Some research may be helpful here. ESG surveyed 304 IT and cybersecurity professionals working at enterprise organizations (more than 1,000 employees) and asked them to identify their organization’s top threat intelligence challenges. The data revealed:

• 32% of organizations have inadvertently blocked legitimate traffic as a result of a misinterpreting threat intelligence analysis. 
• 32% of organizations say threat intelligence is collected and analyzed by different individuals and groups, so it is difficult to get a holistic perspective on external threats or a clear way to equate external threats with internal security telemetry.
• 31% of organizations are challenged by the workflows associated with threat intelligence collection and analysis.
• 28% of organizations say threat intelligence isn’t as timely or accurate as it needs to be.

Additionally, 26% of organizations claim many threat intelligence feeds need to be normalized before they can be used effectively. 

The ESG data illustrates some common threat intelligence program problems. So before organizations “operationalize” threat intelligence, they must address these challenges with the following steps:

1. Rationalize threat intelligence programs. A wide variety of IT and cybersecurity staff purchase and use an assortment of threat intelligence feeds without any type of central oversight. This leads to high costs and low value. CISOs must get their arms around who consumes which threat intelligence for what purposes. This investigation should expose redundancies and inefficiencies, allowing CISOs to rationalize what they buy and how it is used. Enterprises should also think about centralizing threat intelligence collection and processing, then offer it as a service to various security, compliance and risk constituencies. 

2. Establish threat intelligence quality metrics. A lot of threat intelligence is nothing more that redundant data on indicators of compromise (IoC) such as malicious IP addresses, URLs and domains. This information is available as open source, so there is no need to fork over precious budget dollars for commodity data. Alternatively, CISOs must decide on quality metrics for threat intelligence in terms of timeliness, relevance and alignment with their organization’s industry, location, etc. It is also useful to take an “outside-in” perspective on threat intelligence to understand what cyber adversaries are up to in order to anticipate attacks and plan defenses. Arbor Networks ATLAS threat intelligence feeds, FireEye and LookingGlass Cyber Solutions do a good job here.

3. Evaluate threat intelligence inputs and output. Normalizing threat intelligence data to make it useful is an elementary but still pervasive problem. This means organizations need to assess whether they can make threat intelligence actionable in an appropriate timeframe. Standards such as STIX, TAXII and OpenIoC should help.

It’s also important to realize that threat intelligence is a means to an end—“hunting” or incident response—so CISOs have to evaluate how well threat intelligence is integrated with analytics systems such as security information and event management (SIEM) and incident response platforms. The need for threat intelligence integration is one reason why IBM bought Resilient Systems and why Splunk is committed to open source and standards in this area.

4. Build a realistic plan for threat intelligence sharing. While the U.S. government has stressed the need for public/private threat intelligence sharing partnerships, most enterprise organizations are way behind when it comes to real-time ad hoc threat intelligence sharing. In this case, CISOs should lead an effort that includes IT, legal and business management to establish a plan for what can be shared and when. The goal? Determine a realistic model for threat intelligence sharing and institute a technology project to make this happen. 

There’s a lot to do here, and many organizations don’t have the skills or resources for all the necessary steps. Those that fit this description may want to look at threat intelligence platforms such as BrightPoint Security (acquired by ServiceNow), ThreatConnect or ThreatQuotient. Those systems were designed to help with all the steps described above.