The 3 elements of a sound threat intelligence program
Because every organization has different security needs and requirements, there is no one-size-fits-all approach.
For most organizations, securing operations, networks, infrastructure, applications and data remains a major challenge. As the headlines regularly prove, a determined attacker can break through even the best defenses.
To give themselves an edge, many organizations set up threat intelligence programs. These programs help cyber security teams and business leaders evaluate their overall risk posture, uncover where they are most vulnerable, and figure out what steps they can take to better protect themselves from an ever-evolving and increasingly sophisticated threat landscape, said Fleming Shi, CTO of Barracuda Networks, a provider of cyber security products and services for email, networks, data and applications.
“I’ve seen a lot of threat intelligence programs that are just about … pretty reports or some metric [such as] how many attacks we have seen on our website,” said Shi. “That’s usually the beginning of it. A successful threat intelligence program is to not only see the signals but have a plan to execute to fix any problems or remediate a situation. If you’ve got a ransomware attack, how to pull out a playbook and execute it.”
Because every organization has different security needs and requirements, there is no one-size-fits-all threat intelligence program. Instead, good programs are driven by outcomes, not inputs. They focus on security not as a series of discrete events such as deploying a piece of software or subscribing to a threat intelligence feed to update allow/deny lists on a web application firewall, but on how to improve an organization’s overall risk posture and responses.
Doing this effectively means having the right tools in place, such as anti-virus software on endpoints or a security information and event management (SIEM) system to collect and correlate alerts, but also the human intelligence to make sense of what all of these systems are saying about a given threat or unknown activity on the network. Humans need to set the rules to make sure the cyber security applications and platforms they have in place are doing the right things right.
“Humans have to be the orchestrator, building the workflows, understanding the steps because, if you think about automation, you can’t give all the decisions to them,” said Shi. “The decision to make that call is something that a human has to design to a workflow. Then also make sure there’s reversible capability. If there’s a problem, how to shut down the automation quickly so you can take over.”
Shi said a successful threat intelligence program has three critical elements:
It is imperative to continuously update and take inventory of the data that are feeding threat detection and response systems. Data should come from all the systems that represent potential attack vectors such as:
Public cloud infrastructure
Network equipment in branch offices
Corporate-issued and employee-owned devices
Dark Web monitoring feeds
Other data feeds representing external threats, allow/deny lists, and other indicators-of-compromise signals.
Also include data from employee and customer files; financial, regulatory, legal and cyber security operations data; and software source code, both for internal applications and, given the severity of the recent SolarWinds hack, software supply chain code as well.
The next step is to build a unified model that uses data from all of these sources. This requires data aggregation, normalization and correlation, as well as the tools necessary to acquire all the data efficiently.
Use threat reports and intelligence feeds from outside sources such as purchased lists, ISACs, fellow CISOs, published reports and the like.
“This will help especially those zero-day [and] advanced persistent threats and any targeted attacks,” said Shi.
Delivering actionable outcomes
The goal of the threat intelligence program isn’t just visibility but improving the ability of security teams to take action by empowering cyber teams with the analytics tools they need to cut through the noise. Security teams also can use these tools for targeted and customized cybersecurity awareness training.
“It’s also important to note that if building your program is too hard, I would suggest working with an MSSP [managed security service provider] to get the same result,” said Shi. “And it’s essential to stay very involved with the MSSP for visibility of the entire program. Measure outcome regularly in both build and hire options. It may include pen-testing your digital assets and your users.”
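The aggregation, normalization and correlation step described above, and the actionable output it should produce, as an added example that is not from the article or from Barracuda: two constructed feeds in different formats (a CSV list and a JSON share, both hypothetical formats) are merged into one indicator model, scores are put on a common scale, and constructed proxy log lines are correlated against the model so that each hit carries the confidence and sources an analyst needs to act on it.

```python
import csv, io, ipaddress, json, re
# Constructed feed A: a purchased indicator list exported as CSV (hypothetical format, 0-100 confidence).
FEED_A_CSV = """type,value,confidence
ip,198.51.100.23,90
domain,Updates.Example-Bad.test.,70
ip,203.0.113.0/24,60
"""
# Constructed feed B: JSON as an ISAC-style share might export (hypothetical format, 0-1 scores).
FEED_B_JSON = json.dumps({"indicators": [
    {"kind": "domain", "indicator": "updates.example-bad.test", "score": 0.95},
    {"kind": "ipv4", "indicator": "198.51.100.23", "score": 0.5}]})
# Constructed proxy log lines to correlate against (documentation-range addresses only).
PROXY_LOG = """2024-05-01T10:00:00Z src=10.0.0.5 dst=198.51.100.23 host=updates.example-bad.test
2024-05-01T10:00:03Z src=10.0.0.7 dst=192.0.2.10 host=example.com
garbage line that the parser must skip
2024-05-01T10:00:09Z src=10.0.0.9 dst=203.0.113.77 host=cdn.example.net"""
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$")

def canonical(kind, value):
    # Normalize feed-specific types/values into one schema: ("net", CIDR) or ("domain", name)
    if kind in ("ip", "ipv4", "cidr"):
        return "net", str(ipaddress.ip_network(value.strip(), strict=False))
    return "domain", value.strip().lower().rstrip(".")

def build_model():
    # Aggregate both feeds, scale confidence to 0-100, merge duplicates and record their sources
    model = {}
    def add(kind, value, confidence, source):
        entry = model.setdefault(canonical(kind, value), {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], confidence)
        entry["sources"].add(source)
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        add(row["type"], row["value"], int(row["confidence"]), "feed_a")
    for ind in json.loads(FEED_B_JSON)["indicators"]:
        add(ind["kind"], ind["indicator"], round(ind["score"] * 100), "feed_b")
    return model

def correlate(model, log_text, min_confidence=50):
    # Return log lines that hit a modeled indicator, with the evidence an analyst needs to act
    nets = [(ipaddress.ip_network(v), e) for (k, v), e in model.items() if k == "net"]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than miscorrelate silently
        matched = [(str(n), e) for n, e in nets if ipaddress.ip_address(m["dst"]) in n]
        dom = ("domain", m["host"].lower().rstrip("."))
        if dom in model:
            matched.append((dom[1], model[dom]))
        hits += [{"ts": m["ts"], "indicator": i, **e} for i, e in matched if e["confidence"] >= min_confidence]
    return hits
```

Raising `min_confidence` is the knob that cuts noise: the same model and log produce fewer, higher-quality hits, which is what makes the output actionable rather than a raw count of matches.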
A successful threat intelligence program has many benefits beyond just keeping your data, applications and users safe. They include:
A stronger brand
Improved confidence in business deals
Improved business continuity
Mitigating damage and enabling faster recovery from attacks.
Editor’s note: This article has been updated to reflect that IOC refers to indicators-of-compromise signals.