Enterprise Orgs Say they Have a Lack of Threat Intelligence Information
Welcome to this week’s blog, where I’ll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience.
Coming in at number nine on our “Top 10 List of the Challenges Cybersecurity Professionals Face” is the Lack of threat intelligence information.
I gotta admit, when I first saw this on the list, I was scratching my head, as I’m sure any cybersecurity professional might be. But as I sat back and thought about it, it made more sense.
There’s no shortage of threat intelligence data out there, whether it’s from open source or third-party feeds. In fact, I assumed most organizations were suffering from information overload as they’re inundated with data. What they may lack is RELEVANT intelligence information specific to them.
What do I mean?
Well, we’re all suffering from information overload. When I go to ESPN, I don’t want to see all of the scores, I want to see the scores I care about. I want immediate access to my teams so I can be angry about them. (NY Giants and New Jersey Devils, I’m looking at you.) ESPN enables me to pick and choose my favorites so that I can make my experience relevant to me.
That is similar to what organizations need to do. When security teams log into their dashboard, they don’t want to be hit with every threat in every feed. They want to see the potential threats most relevant to them so they can take quick action. And they want threat intelligence to be operational, wired into their detection and response tooling, so that it is actionable for the analysts who rely on it.
So, what needs to be done?
First, let’s define Threat Intelligence. Threat Intelligence (TI) is what you get when raw data about threats and vulnerabilities is collected, put into context, and transformed into something a team can act on. Effective threat intelligence programs help organizations detect and respond to cyberattacks before they cause harm. Organizations that fail to invest in TI as part of their security programs risk being blindsided by new threats or remaining exposed to existing ones.
Intelligence vs Information vs Data
One of the reasons organizations might be struggling is that there might be some confusion between data, information, and intelligence, especially if they’re managing threat intelligence manually. Let’s start by trying to outline the differences.
The main differences between data, information, and intelligence come in two forms: volume and usability.
Data is a collection of individual facts, statistics, or items of information, usually available in large quantities. It describes specific, indisputable facts.
There is a subtle difference between data and information. Data are the facts or details from which information is derived. Individual pieces of data are rarely useful alone. For data to become information, data needs to be put into context.
Information is created when a series of data is combined to answer a simple, straightforward question. Let’s use hockey goalies as an example. An individual goalie’s save percentage is one piece of data. Let’s say you’ve used six goalies this year, each with varied save percentages. The average save percentage for the entire team can be derived from the given data. Note that although this output is more useful than the raw data, the GM still might not know exactly what to do with it.
Intelligence takes this process one step further by interrogating data to tell a story, or in the case of the Devils, figure out who the number one goalie is or if they even have one. Intelligence does not set out to answer a simple question, but rather it tries to paint a picture that helps people answer complex questions.
Why is Threat Intelligence Important?
Cyber threat intelligence is a critical component of any security strategy. Organizations open themselves to business risk and tend to make poor cybersecurity decisions when they lack relevant information. The cost of those decisions is rarely realized until disaster strikes: they are hit with cyberattacks, burdened with massive fines, or forced out of the market by a competitor. Fortunately, many cybersecurity threats can be prevented by having the right cyber intelligence or threat intelligence tools in place.
Where Organizations Are Struggling
Organizations are struggling to take advantage of threat intelligence because they often don’t know where to start or how to effectively incorporate TI into their security operations.
They’re constantly facing an overwhelming amount of adversary-related data, generated every second, and chasing the false positives that come with it. New threats are constantly emerging and arrive from a variety of different sources and in a variety of formats. When it comes to handling that much data, there should be a plan in place for dealing with it. Otherwise, security analysts are going to strain resources by searching through log data manually or using insufficient tools.
Taking that leap from understanding to actually doing something can be daunting. Many companies struggle with operationalizing threat intelligence because they don’t know how to use it effectively. It isn’t enough to just know about cyber threats from various threat feeds and resources. Threat intelligence needs to be deployed quickly and continuously so that security tools and security personnel can use it to investigate attacks, detect the presence of malware in their networks, respond more quickly, and continuously improve their network architecture.
Using a Threat Intelligence Management Platform
The Forrester Tech Tide™: Threat Intelligence, Q2 2021 recommended organizations look into intelligence management solutions, like Anomali ThreatStream, to provide processes for intelligence professionals to manage stakeholder requirements, automate intelligence collection, maximize data analysis, and operationalize the intelligence.
Some of the key benefits are operationalizing data gathering, processing data into intelligence, integrating information from various sources, streamlining the intelligence cycle, and better navigating the threat landscape.
I won’t go into details, but you can read our blog to learn more about making the case for a Threat Intelligence Platform.
Different Types of Cyber Threat Intelligence
There are generally three “levels” of cyber threat intelligence: strategic, operational, and tactical.
Utilizing each type of intelligence is important because each one serves a different function. Security analysts who leverage the combined knowledge of these different types of intelligence are better equipped to determine which security solutions to use, when they should be used, and how to respond both proactively and reactively.
Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.
Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.
Strategic threat intelligence provides a big picture look at how threats and attacks are changing over time. Strategic threat intelligence may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
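The machine-to-machine use of tactical intelligence described above, and the relevance filtering the post argues for, look like this in practice. The following is an added example written for this post, not Anomali ThreatStream code: it takes a small constructed IOC feed (IPs and domains), drops entries that collide with an allowlist of known-benign shared infrastructure, matches the remaining indicators against constructed proxy log lines, and ranks each hit by how relevant the indicator is to an assumed organization in the finance sector. All addresses and domains use reserved documentation ranges and the .example TLD, so none of them are real indicators.

```python
"""Tactical threat intelligence (IOCs) matched against log lines and ranked
by relevance to one organisation.

Added example for this post, not Anomali ThreatStream code. The feed, the
log lines and the organisation profile are all constructed; the addresses
(203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and .example domains are
reserved for documentation and point at nothing real."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable: an IPv4 address or a domain name
    itype: str        # "ip" or "domain"
    confidence: int   # 0-100 as scored by the feed provider
    tags: tuple       # free-form context tags from the feed
    source: str       # which feed supplied it


# Constructed feed. "sector:<name>" tags say which sector the provider saw targeted.
FEED = (
    Indicator("203.0.113.45", "ip", 90, ("c2", "sector:finance"), "vendor-a"),
    Indicator("198.51.100.7", "ip", 35, ("scanner",), "osint-list"),
    Indicator("update-check.example", "domain", 85, ("phishing", "sector:healthcare"), "vendor-b"),
    Indicator("bad-cdn.example", "domain", 70, ("malware-download", "sector:finance"), "isac"),
    Indicator("cdn.example", "domain", 60, ("malware-download",), "osint-list"),
)

# Assumed organisation profile (hypothetical): its sector, and benign shared
# infrastructure that feeds sometimes list and that would only generate noise.
ORG_SECTOR = "finance"
ALLOWLIST = {"cdn.example"}

# Constructed proxy log lines in key=value form.
LOGS = """\
ts=2022-06-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=bad-cdn.example action=allow
ts=2022-06-01T10:00:02Z src=10.0.0.8 dst=192.0.2.10 host=cdn.example action=allow
ts=2022-06-01T10:00:03Z src=10.0.0.9 dst=198.51.100.7 host=- action=deny
ts=2022-06-01T10:00:04Z src=10.0.0.5 dst=192.0.2.20 host=intranet.corp.example action=allow
ts=2022-06-01T10:00:05Z src=10.0.0.7 dst=192.0.2.30 host=update-check.example action=allow
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(_KV.findall(line))


def build_index(feed) -> dict:
    """Key indicators by (type, value); allowlisted values are dropped so a
    feed entry for shared benign infrastructure cannot page an analyst."""
    return {(ind.itype, ind.value): ind for ind in feed if ind.value not in ALLOWLIST}


def relevance(ind: Indicator) -> int:
    """Turn the provider's confidence into a score for this organisation:
    context tied to our sector is a bonus, context tied only to another
    sector is a penalty, and untagged low-confidence noise stays low."""
    score = ind.confidence
    sectors = [t.split(":", 1)[1] for t in ind.tags if t.startswith("sector:")]
    if ORG_SECTOR in sectors:
        score += 20
    elif sectors:
        score -= 20
    return max(0, min(100, score))


def match_logs(log_text: str, feed=FEED) -> list:
    """Return every IOC hit in the log text, highest relevance first."""
    index = build_index(feed)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # destination IP is checked against IP indicators, the hostname against domains
        for itype, key in (("ip", "dst"), ("domain", "host")):
            ind = index.get((itype, rec.get(key, "")))
            if ind is not None:
                hits.append({"ts": rec["ts"], "src": rec["src"], "indicator": ind.value,
                             "type": itype, "source": ind.source,
                             "action": rec["action"], "score": relevance(ind)})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in match_logs(LOGS):
        print(f"{h['score']:3d} {h['ts']} {h['src']} -> {h['indicator']} "
              f"({h['type']}, {h['source']}, {h['action']})")
```

Run stand-alone, the script lists four hits: the finance-targeted C2 address and download domain first, the healthcare-targeted phishing domain next, and the low-confidence scanner IP last, while the allowlisted shared CDN domain produces nothing at all even though a feed listed it. That ordering is the difference between raw feed data and intelligence that is relevant to you: the same indicators, re-scored against your own sector and your own infrastructure.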
As threat intelligence continues to evolve, it must be considered a key security function. Organizations using cyber threat intelligence are better able to reduce security risk and keep pace with advanced persistent threats. They can detect and respond more quickly and effectively, lowering the likelihood of data breaches and protecting sensitive information.
Most importantly, they’ve learned how to transform data into relevant, actionable intelligence.
Join me next time as we take a look at number eight on our list.
In the meantime, download our Cybersecurity Insights 2022 report or check out the last blog to learn more.
Also, check out ThreatStream to learn more about how implementing automation and threat intelligence management solutions like ThreatStream can help.