There is a perception amongst many organizations that real, actionable threat intelligence is only within reach of the largest organizations. That is understandable, perfectly reasonable, but entirely wrong.
The truth is that useful threat intelligence is available to organizations of every size and with any budget. Without actionable threat insight it is impossible to stop being reactive – lurching from one security issue to the next.
Intelligence is about knowing your environment, knowing your risks and knowing what is out there ahead of time – it is this insight that allows organizations to focus their efforts and their resources on the right threats at the right time. It is about setting yourself up for efficient, targeted and proactive cyber resilience strategies.
Easily said of course, but where do you start?
To my mind any organization seeking to acquire this vital threat intelligence capability should look at five priorities. The good news is that none of those priorities necessarily require significant investment – all can draw on skills and resources that many organizations already have, but do not make the most of.
Know Your Inventory
Firstly, conduct an inventory of your hardware, software, cloud services and data types to better understand which ones are essential to keeping the business running. That insight will allow you to prioritize not only defense and recovery strategies but, more immediately, the data types that must inform your wider threat intelligence gathering.
Historically, this ‘stock-taking’ job has been surprisingly difficult. But now it is much easier because the tools are out there and can provide a pretty reasonable inventory of the gear you have on-premises and the software you're running.
If you don’t figure out where all that data is, and where your risks are, it’s going to be impossible to gather complete, yet focused threat intelligence.
Draw on Insight You Already Have
The next priority is to overlay that inventory with insight you already have around threats and incidents – from malware to phishing – as well as data and knowledge from across the organization. Start by looking at your log files, and if you don't have log files, you should turn them on because that will provide you with a lot of useful telemetry.
The marketing team may hold a tremendous amount of competitive intelligence, your analyst relations people will have data, and your engineering team sees things through the application logs that can have tremendous value as threat intelligence.
Look Outside: Get Help
Of course, the internal story is only half the picture. By adding a layer of insight from outside you will build the full picture on which threat intelligence must be built – but that doesn’t have to mean subscribing to a host of expensive proprietary intelligence feeds.
The information you need to understand the threats facing your priority systems and data is often accessible cheaply. You can use open-source threat intelligence that is specific to your industry and technology portfolio. It may not be 100% current, but it’s a start.
Your number one source of inexpensive threat data is your security vendors. For a start, find out which parts of your security stack have intelligence feeds and turn them on. Mimecast, for instance, provides the ability to ‘risk score’ employees based on their activities online or in email. Similarly, the Mimecast API offers customers real-time access to threat data – what kind of attacks they are facing. All this can be a very useful addition to your data when gathering threat intelligence.
You can go further than that, by tapping into your vendors’ own research and intelligence resources. I have direct experience of doing that when I was the CISO at a moderately sized business. We needed to understand the nature of the threats we were facing and I leaned on my vendors for that insight, essentially saying, "Hey, you have a research team that I don't have. You're actually much better at this than I am. Please provide me the intelligence I need to stop the attacks that are coming in."
I went from a team of six information security professionals to having a research team of 300 because I had all of these vendors doing a lot of this work for me.
Sharing is Learning
All too often, organizations take a protectionist approach to threat intelligence, but the problem is too big and the threat too great for anyone to see information security as anything other than a collective endeavor.
The key is to share knowledge of attack vectors and risks – first-hand or otherwise – with organizations like yours, or those in the same region. That exchange of knowledge makes everyone stronger and it’s surprisingly easy to get started.
Again, I can write from experience. A few years ago, I was a CISO in a large hosting organization, which had just launched into Asia – a region where we had no experience. We didn't really know the threat profile, and we were struggling, being hit at the perimeter all the time. That all changed when a colleague suggested we go along to a free security forum in Tokyo. As my colleague put it at the time, “It’s for CISOs to share knowledge and data, it’s free, and anything said in the room stays in the room.”
It was incredibly valuable. What I learned was ten times more beneficial than a regional threat intelligence feed would have been. It helped me improve our security posture immensely and the cost was essentially the price of a cab ride to the meeting.
Quite simply, you can’t be an island in this cyber threat landscape, and cybersecurity forums can be very valuable, low-cost sources of intelligence.
Above All, Make It Actionable
All this data gathering is for nothing if you cannot act on it.
At the outset, you must be prepared to take that next step, from learning to actually improving your security posture in a targeted way. That means going beyond just grabbing data and looking at it – you have to end up in a position where you’re changing the security posture of your organization based on relevant insight.
This is where many organizations get stuck. They fall into the ‘resourcing trap’, believing there are not enough specialists in the organization to work out what those actions are, when they should be taken, where and why. Take a look around most security teams and you’ll find smart people with the ability to interpret data. They’re in the security function. This is what they do day to day – and the job may not be as big as it seems.
Remember the inventory work you’ve done to focus and prioritize your data collection? That should have allowed you to collect more focused data, which makes the job of interpreting it a lot more manageable.
Demonstrate Value
Action isn’t only important for improving security, though that is clearly the first priority. It is also important for demonstrating the value of the work to your board. They don’t want problems. They want to know what the plan is.
Here’s a story that I never want to repeat. I was in my first job as a CISO around the time Mandiant was pushing out reports on alleged nation-state actors, and we found some indicators suggesting we were being compromised. I had this evidence and a big shiny report from Mandiant, so I packaged it up and took it to my executive committee. “Look at this,” I said. “We should do something. Here's what the problem is.”
I will never forget how the CFO leaned over to me and simply said, "So what?" In and of itself, all that data meant nothing. He wanted to know what it meant for us and what we planned to do about it. I learned a valuable lesson that day about what to share and what not to share – and problems without a ‘so what?’ don’t cut it.
So, there you have it. Threat intelligence is crucial to an organized and focused cyber resilience strategy and it is within the reach of every organization. In fact, most of the raw data you need is already available, often for free. So make use of it – because intelligence breeds action, and informed action is fundamental to the dynamic protection strategies that are vital to navigating this ever-changing threat landscape.