An Intelligence-Driven Security Program | Optiv
January 23, 2015
Threat intelligence is a term that causes some people to roll their eyes – mainly because they’ve been relentlessly bombarded with the typical hype and hyperbole. The fact is, a modern enterprise security program that does not draw from an intelligence-driven approach lacks focus and is effectively missing something crucial.
The Case for Intelligence
If you have spent any meaningful span of time in enterprise security, odds are that every security program you have worked with has had all the same elements over the last decade or so – perimeter security (a firewall, IPS, etc.), endpoint protection (antivirus on the workstations, servers), and maybe a log analysis engine (SIEM). While I have no doubt there are many well-defended, and truly defense-in-depth networks out there, a staggering percentage are still stalled in the basics.
Modern adversaries are resourceful, adaptive, and dynamic – almost the opposite of the networks they attack and infiltrate. It is no surprise, therefore, that we can’t turn on the news without hearing about another massive data breach impacting millions. Credit card data, healthcare records, intellectual property – all pilfered. Costs and losses are piling up in the billions. Whether the attackers are advanced and persistent or not, they seem to have no difficulty busting through the same old defenses. The old way is simply not working, and I’m not convinced it ever really worked anyway.
Security intelligence is not a magic wand and does not provide a quick fix for decades-old security issues, but the case for threat intelligence as part of your overall enterprise security program is clear. Threat intelligence promises to focus security’s capabilities, identify weak points, and increase the efficacy of prevention, detection and response mechanisms. These are no small claims and should not be taken lightly.
More than once I have heard a CISO say, “If only we knew where and how the attackers were going to strike, we could have prevented the breach!” This is usually followed by a sarcastic smile or shoulder shrug as if to say there are no such crystal balls. In fact, there aren’t, but there is definitely something better than what many security programs are working with today – a hope and a prayer. The fact is there is enough quality intelligence being generated out there through open- and closed-source intelligence providers that knowing who, where and how is not entirely out of the question.
Demystifying the Hype
Threat intelligence has lost much of its momentum due to the market confusion and divergence often blamed on various vendors’ marketing pitches. While it may be convenient to blame vendors, the trouble is that even if you ask two subject-matter experts what threat intelligence is, you will likely get at least two different answers. Is threat intelligence a data feed? Yes. Is it a set of tools? Yes. Is it a capability to effectively triage and case manage? Yes. The fact is that threat intelligence means something vastly different in the intelligence community and among experts than it does in the enterprise when approached as a program component.
A threat intelligence program is an enterprise capability to leverage data, tools, and processes together with human assets to approach security in a smarter way. This means focusing on actual threats, a focus that comes from data analysis, human interaction and a well-grounded understanding of things like high-value assets and business processes. It is in the clarity of understanding of our own organizations that external threats become relevant. Context is king.
A threat intelligence program has the capability to feed our defensive tools so they can adjust to adversaries and their dynamic techniques. For example, a threat intelligence program alerts us to the fact that years of medical research and development at America’s biotech companies are being targeted by nation-state actors trying to short-cut billions of dollars and years of time in a race to enrich profits (and lives) in another corner of the globe. More important than simply alerting security organizations to these facts, threat intelligence also provides collective know-how to defend more intelligently against these adversaries, leveraging potentially existing tools and processes – only smarter and more effectively.
A modern enterprise security program that does not leverage threat intelligence to aid decision-making and to drive focus is critically lacking the necessary tools to combat today’s dynamic adversaries. Simply put, security organizations still relying on static defenses and best-guess security, without insight into their enemies’ tactics, stand virtually no chance. The importance of a meaningfully designed, business-aligned and strategically implemented threat intelligence program as a part of the broader enterprise security strategy should not be underestimated.
For a deeper foundational understanding and background on threat intelligence, we encourage you to read our Threat Intelligence Solution Primer and look for additional material coming soon that will provide further clarity on the strategic, operational and maturity aspects of effective enterprise threat intelligence programs.