Published: Aug 23, 2019
secure the perimeter to operationalise threat intelligence
"Effective use of threat intelligence requires a new, integrated security model that will be able to address cyber challenges in this era of digital transformation."
Digital transformation elevates the challenges for cybersecurity as attack surfaces expand with increased connectivity and growing volumes of data flowing in and out of enterprise networks. And to a certain extent, how well organisations manage these challenges and operationalise threat intelligence can be mirrored in where they stand on the IDC Digital Transformation (DX) MaturityScape[1].
In a Singtel-commissioned whitepaper on “Digital Transformation in the Intelligence Economy”, IDC describes, at the one end, “digitally distraught” organisations with DX initiatives that are tactical and disconnected from a larger enterprise strategy. At the other end of the MaturityScape, we see “digitally determined” organisations with DX initiatives are integrated, continuous, and have a transformative impact across the organisation.
In the cybersecurity space, the “digitally determined” are those who are able to make use of threat intelligence in an integrated and continuous fashion to improve risk management efficiency and effectiveness, automate remediation tasks, and establish a central threat management service for the organisation.
However, despite a big push in recent years to set up security operations centres, acquire new threat detection technologies and make better use of threat intelligence, many are still “distraught”. And the main reason is that they are attempting to operationalise threat intelligence across a multitude of point tools and manual processes.
This becomes a problem as the number of data sources continues to grow, together with the sheer volume and increased sophistication of threats that organisations encounter on a day-to-day basis. Without the ability to integrate and consolidate threat data and to automate analysis, organisations will soon reach “alert fatigue”.
So, what are the key steps to take – and factors to consider – when developing an operational model that will enable organisations to make effective use of threat intelligence?
As with DX, the first thing to do is to get executive sponsorship and establish an open dialogue between IT - in this case, cybersecurity - and business leaders within the organisation.
Leaders who define common goals and measure progress with metrics are able to determine acceptable levels of risk that translate into the most efficient deployment of a company’s limited IT resources. They will be able to drive policy-making decisions and ensure that these policies are translated into strong change management processes, disciplined access control mechanisms, and automated authorisation and verification rules.
When building an operational model for security, the business-security dialogue will help ensure that there is executive backing for the integration effort that is needed before organisations can optimise their use of threat intelligence.
The effective use of threat intelligence will require organisations to have centralised oversight of intelligence programmes and feeds, and visibility into who is using the intelligence and for what purpose. This means integrating all the threat intelligence onto one platform to help the organisation to identify redundancies and inefficiencies, and rationalise what is being used, by who, and how.
The operational model will also have to ensure that threat intelligence is delivered at the right time to the right audience. As ESG pointed out in a research report[2], “threat intelligence is only good when it’s relevant, and it’s only relevant when it comes at the right time and provides proper context.”
Good threat intelligence should also simplify decisions on how organisations should respond to threats. And this requires the use of analytics to process threat data into usable information.
A good analytics tool with smart customisation options will be able to identify patterns and zoom in on bona fide threats instead of raising an alert at every flagged keyword. It will enable data to be sorted, filtered and combined to get a more accurate picture of the threats facing the organisation.
ESG cited the example of a piece of binary data like an IP address taken from a threat feed, which might be combined with more information about a rogue domain, a recent sighting of that IP by a honeypot, and a tweet that suggests an attack might have come from it.
“A solution that is able to see the link between these disparate threads will provide far more context, allowing users to make more informed decisions,” it said.
Operationalising threat intelligence, therefore, requires organisations to have centralised oversight of the multitude of data feeds, and strong analytics capabilities to ensure that the intelligence is translated into insights that are timely, relevant and easily actionable. This will make the difference between the “determined” and the “distraught”.
[1] Digital Transformation in the Intelligence Economy: An IDC whitepaper commissioned by Singtel
[2] https://go.recordedfuture.com/esg
Contact us at: g-security@singtel.com