Threat Intelligence is Evolving
June 09, 2014
People and organizations are beginning to understand that intelligence must be developed within an organization and that the solution is more than a check-the-box-threat or vulnerability feed. They understand that threat intelligence is the result of collection, analysis and production of a finished product to provide actionable, custom threat and vulnerability information that is applicable and able to be implemented in a timely fashion. So why is this evolution happening?
I have many thoughts on the matter, which I will lay out in this article. I would like to first state that the majority of these conclusions are my own opinion, from having been in the industry for some time now within both the government and now private sector. But hey, isn’t that the heart of intelligence analysis anyway - making judgment-based assessments on data collected or observed and reporting your findings?
An influx of professionally trained intelligence analysts hit the private market.
With the war in Iraq over and operations in Afghanistan winding down, many professionally trained intelligence analysts are looking for a new job. Many are transitioning from military service and are having a hard time finding comparable work in government service, either as a federal contractor, consultant or employee.
Additionally, with federal budget constraints, the pay of the last decade just is not there anymore. They already have a sound analytical background and great experience working in very intense, high-stress environments with a lot on the line. Their work has saved the lives of countless American and ally servicemen and women involved in combat. These analysts have realized they can still practice their trade, just on a different data set, and are beginning to leave their mark on our industry.
There are direct similarities between the Global War on Terror and cybersecurity.
Perpetrators in both worlds are built on anonymous, interconnected networks of individuals and groups. It takes strong analytical resources to identify, track and defend against them. They also use technology and internet-based communications to conduct their trades. Many analysts have been exposed to the forensic side of our business and find it intriguing. Additionally, the intelligence game these days relies a lot more on technology in terms of software and hardware use, and analysts of all experience levels undergo extensive training to master them.
Our industry as a whole is evolving and hiring practices show this.
The market research site Wanted Analytics conducted a recent analysis of the Cyber Security Candidate Pool. Their findings support the thought that the industry will only continue to grow and people will want in. Key findings from their analysis are:
- 9% year-over-year increase in advertised cybersecurity jobs in the U.S.
- 17,000 advertised job openings from January-April 2014 with an estimated workforce of 21,000 (My assumption is that number reflects those whose sole responsibility is information security and not just an added function to their standard IT job role. If that’s the case, that’s almost as many openings as there currently are professionals. Where are we going to find the new talent?)
I don’t want to beat the dead horse, but organizations are honestly looking at investing more in their respective information security programs in response to Target breach and others like it over the last year. Additionally, with the media attention the recent OpenSSL Heartbleed vulnerability garnered, there has been enough fuel added to the fire for additional spend on capabilities and other resources to continue combating the ever-evolving threats that emerge.
Since I made the transition from the military/ intelligence community into the information security industry four years ago, I have rarely met a security analyst or engineer that works less than 10-12 hour days. Senior leadership recognizes the complexity of being able to collect, analyze and implement changes based on threat and vulnerability data and the time necessary to effectively do it. They also see that their analysts and engineers do not have the time to perform this added work. Enter threat intelligence.
In the beginning, this was solely seen as an automated process of purchasing a feed that was easily implemented within existing security solutions such as firewalls, IDS/IPS, SIEMS, etc.… But these feeds are rarely as effective as advertised. Now the industry is starting to see the value in developing an in-house intelligence capability that concentrates on managing these feeds, as well as identifying and collecting disparate data elsewhere to make it customized to that particular organization.
This is the key that our industry is finally beginning to uncover. Intelligence must be developed for it to be customizable and applicable. Threats vary across industry, geographic location and even size of business, so it only makes sense to have the ability to really learn and analyze what the unique threat is that you face.
Just as our industry continues to evolve and grow, threat intelligence will move with it. Locate these analysts that are hungry for a new challenge after leaving service and invest in developing them - first into information security professionals and then into threat intelligence analysts who will enhance your organization’s security posture.