In many ways, this isn’t surprising; I think ‘threat intelligence’ is possibly the most overused and empty term to have emerged in cyber security in the past five years. It’s become something organisations ‘must’ have, without a widespread understanding within the business of what it is or how it’s supporting security.
In many cases, what a business is calling threat intelligence is simply a plethora of feeds that increases the data available to them but doesn’t add to the intelligence at their disposal. Pressure on scarce specialists increases as the volume of data grows, and frustration builds as the ‘threat intelligence’ doesn’t deliver actionable information. What’s missing is the context around this stream of data and an understanding of what sits beneath it.
Automation is vital in making the move from commodity to focused and actionable intelligence. By automating the repetitive processes, you’re immediately reducing the pressure on your experts and using your scarce expert skills in the right place. With automation taking care of the volume, characterisation and implementation of high-fidelity intelligence from third parties, your team will then be working on the higher end of threat development, supporting informed decision-making and strategic investment in security controls.
Just one note of caution when setting up automation though: make sure it covers your security estate and controls end to end. Some businesses rely too heavily on the automated consolidation of feeds that have little relevance to their estate or their business. Well-designed automation of threat intelligence must improve focus and relevance and not introduce uncertainty to your security operations.
It’s also essential to look at your threat intelligence through the lens of your organisation’s position. When it comes to threat intelligence inputs, not all data is equal. What is hyper-relevant to one sector will have little importance to another. Cyber threats aimed at stealing intellectual property mean far more to manufacturers, for example, than they mean to financial institutions. Highly generic threat intelligence simply adds to the volume of data you must wade through to get to anything meaningful. Wherever possible, seek out data that’s contextualised for your industry.
Turning threat intelligence into actionable information starts with an honest assessment that I break down into three critical steps:
Follow these steps to turn your threat intelligence data into actionable insight.
To find out more about how we can help you get the rich contextualised view you need, listen to our ‘Evolution of threat detection’ webinar or get in touch.