When I ask customers what aspects of cyber security are frustrating them right now, the topic of threat intelligence comes up a lot.
In many ways, this isn’t surprising; I think ‘threat intelligence’ is possibly the most overused and empty term to have emerged in cyber security in the past five years. It’s become something organisations ‘must’ have, without a widespread understanding within the business of what it is or how it’s supporting security.
In many cases, what a business is calling threat intelligence is simply a plethora of feeds that increases the data available to them but doesn’t add to the intelligence at their disposal. Pressure on scarce specialists increases as the volume of data grows, and frustration builds as the ‘threat intelligence’ doesn’t deliver actionable information. What’s missing is the context around this stream of data and an understanding of what sits beneath it.
Turning automation into a threat intelligence strength
Automation is vital in making the move from commodity to focused and actionable intelligence. By automating the repetitive processes, you’re immediately reducing the pressure on your experts and using your scarce expert skills in the right place. With automation taking care of the volume, characterisation and implementation of high-fidelity intelligence from third parties, your team will then be working on the higher end of threat development, supporting informed decision making and strategic investment in security controls.
Just one note of caution when setting up automation though: make sure it covers your security estate and controls end to end. Some businesses rely too heavily on the automated consolidation of feeds that have little relevance to their estate or their business. Well-designed automation of threat intelligence must improve focus and relevance and not introduce uncertainty to your security operations.
Applying a sector-specific filter
It’s also essential to look at your threat intelligence through the lens of your organisation’s position. When it comes to threat intelligence inputs, not all data is equal. What is highly relevant to one sector will have little importance to another. Cyber threats aimed at stealing intellectual property mean far more to manufacturers, for example, than they mean to financial institutions. Highly generic threat intelligence simply adds to the volume of data you must wade through to get to anything meaningful. Wherever possible, seek out data that’s contextualised for your industry.
How to establish threat intelligence that’s worth the investment
Turning threat intelligence into actionable information starts with an honest assessment that I break down into three critical steps:
- Determine your intelligence goals and risk appetite
Before you begin to look for threat intelligence sources or providers or establish the remits of your analysts, work out what you’re seeking to protect and what your appetite for risk is. Carry out a fresh assessment of the information you already have within your organisation: are you leveraging it? What gaps do you have that you need to fill? Your aim is to define a set of goals that you can then match services against.
- Have honest C-suite conversations about your cyber security maturity
There’s no point in having vast volumes of threat intelligence data that you don’t have the skills or experience to interpret correctly. Decide whether you should go down the route of assessing automated feeds in house, or whether you’d be better protected if a managed services provider did the interpretation on your behalf.
- Work out actionable next steps
Plan for what you’re going to do with your targeted threat intelligence, so it doesn’t just become a box you’ve ticked. Formulate clear playbooks that define the actions you’ll take in the light of the threat intelligence to protect your business.
Follow these steps to turn your threat intelligence data into actionable insight.
To find out more about how we can help you get the rich contextualised view you need, listen to our ‘Evolution of threat detection’ webinar or get in touch.