More on operationalizing threat intelligence

Coming out of Black Hat a few weeks ago, it’s pretty frightening what’s going on with cyber threats. Overall malware volume is down, but the number of variants has gone up precipitously. In fact, according to the Webroot threat report, about 97 percent of all malware variants are seen only one time. In other words, they are designed to target and attack specific organizations.

Yes, enterprise organizations are bolstering defenses with anti-malware gateways and next-generation endpoint security tools, but they are also doubling down on threat intelligence. According to ESG research, 27 percent of enterprise organizations plan to spend significantly more on their threat intelligence programs over the next 12 to 18 months, while another 45 percent say they will spend somewhat more on their threat intelligence programs during this same timeframe.

Spending more on threat intelligence programs is a good start, but it isn’t enough. Security operations professionals consistently tell me they have to do a better job of operationalizing threat intelligence to make it more effective at their organizations. OK, but what does that mean? Turning raw threat data into measurable actions and results.  Based on what I’ve heard from cybersecurity professionals, this involves four steps:

1. Consolidating all threat intelligence sources. When you perform a threat intelligence assessment, you find that it is being purchased and consumed all over the place—within security technologies, by threat analysts, by risk and compliance managers, etc. As a result, many organizations don’t know what threat intelligence they are paying for or whether they are buying redundant threat intelligence from multiple sources. To overcome this situation, CISOs should start with an enterprise-wide threat intelligence audit with the goal of discovering all threat intelligence and then pointing each and every feed at some central location and group of analysts. This sets up the opportunity to create a hub-and-spoke consumption model for threat intelligence across the enterprise for all needs.
2. Focus on threat intelligence requirements and quality metrics. Too many organizations continue to buy threat intelligence without any clue of its value. In fact, 74 percent of enterprise organizations lament that it is extremely difficult or somewhat difficult to determine the quality and efficacy of each threat intelligence feed. Given this situation, it is important for CISOs to start by defining detailed requirements for threat intelligence and establishing threat intelligence metrics to determine threat intelligence ROI. This may take a while, but patient organizations will reap rewards by replacing commercial threat intelligence with equally valuable open-source, rationalizing threat intelligence sources to a manageable few and choosing the best threat intelligence for their organizational needs. 
3. Build an architecture for threat intelligence inputs and outputs. Too much threat intelligence is either proprietary or consumed on a manual basis, and this doesn’t scale. Enterprises need an architecture that encompasses threat intelligence collection, processing, analysis and sharing. Fortunately, there is some industry progress here, including threat intelligence standards (i.e. Open IoC, STIX/TAXII, Yara, etc.) and the maturation of threat intelligence platforms from vendors such as BrightPoint Security (i.e. ServiceNow), LookingGlass Cyber Solutions and ThreatQuotient. It’s also important to integrate threat intelligence with SIEM systems (i.e., Splunk) for analysis, as well as incident response platforms (i.e. Hexadite, IBM, LogRhythm Phantom Cyber, Rapid7), to orchestrate and automate remediation actions.
4. Create a threat intelligence sharing plan. Everyone shares threat intelligence, but they tend to do so on an informal basis with a few organizations or individuals they know and trust. That’s a good start but not anything like the loosely coupled, ad hoc, threat intelligence sharing vision being pushed by the industry and U.S. federal government. Scaling threat intelligence sharing means getting lawyers and executives on board, implementing tools to automate data redaction, normalizing threat intelligence into a consumable format, and adding technologies for threat intelligence exchange. There’s lots of work to do here, as threat intelligence sharing is far less mature than threat intelligence consumption.

I’ve seen efficient and effective threat intelligence operationalization at work, and it includes all four of the steps I’ve outlined here. In lieu of this, many threat intelligence programs will result in incremental progress as organizations continue to throw good money after bad.