Four Characteristics of Top-Notch Threat Intelligence

Dec 01, 2016 | by RSA

Threat intelligence is a hot topic these days and was arguably one of the top themes of RSA Conference 2016. However, organizations need to realize that simply having more data about the latest threats, vulnerabilities, and exploits is not the answer to all their cybersecurity problems. On the contrary, threat intelligence is only helpful if it meets the following four criteria:

1. It Comes From a Qualified, Trusted, Third-Party Source

Most organizations don't have the resources to gather, vet, organize, and analyze threat information on their own. This makes these activities an especially valuable part of third-party offerings, provided the source is qualified and trusted.

2. It Provides Insight Into an Active Campaign

Most organizations already have an abundance of raw information about threats, vulnerabilities, and exploits. However, what they need is insight into active attack campaigns: information that includes the "who, what, where, when, and how" of the latest security threats. The most valuable insight into active campaigns is the information that is specifically relevant to the organization's environment and business context.

3. It Provides Relevant Insights Into Risk

Threat intelligence may provide insight into the likelihood of risk, the business impact of risk, or both. However, the insights are only relevant if they are framed for the specific context of the organization. For example, attack campaigns are not relevant to your organization if they're exploiting vulnerabilities in technologies you don't have in order to gain access to information you don't retain. This underscores the important point that threat intelligence needs to be linked with an accurate understanding of information assets.

4. It Includes Options for Action

Understanding risks is important, but ultimately, organizations must decide what to do about those risks. Should they accept them? Transfer them? Remediate them? Options for remediation may include changing existing controls and countermeasures, adding additional controls and countermeasures, or seeking third-party expertise and assistance.

How to Sort Through Threat Intelligence

With that said, it is important to understand the process through which you can distinguish whether threat intelligence is helpful or ultimately useless. In general terms, you should do the following:

  1. Focus on understanding the information assets of the organization, such as its information systems, data, and the countless business processes and revenue streams they support
  2. Give priority to the information assets with the greatest business impact
  3. From there, focus on the threats, vulnerabilities, exploits, and technologies that are truly relevant to these assets
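
The three steps above, worked through in Python as an added example that is not part of the original post. The asset inventory, the feed entries, the field names, and the scoring weights are all constructed assumptions; the point is the order of operations: start from assets, rank by business impact, and only then match intelligence against what those assets actually run and hold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int        # 1 (low) to 5 (critical), set by the business
    technologies: frozenset     # what the asset runs
    data_types: frozenset       # what information it retains

@dataclass(frozen=True)
class IntelItem:
    title: str
    affected_technologies: frozenset
    targeted_data: frozenset
    active_campaign: bool       # insight into a live campaign vs. raw advisory

# Constructed inventory and feed; every name here is hypothetical.
ASSETS = [
    Asset("marketing-site", 1, frozenset({"wordpress"}), frozenset()),
    Asset("payments-api", 5, frozenset({"nginx", "postgresql"}), frozenset({"cardholder"})),
    Asset("hr-portal", 3, frozenset({"iis", "mssql"}), frozenset({"employee-pii"})),
]
FEED = [
    IntelItem("Campaign A", frozenset({"wordpress"}), frozenset({"credentials"}), True),
    IntelItem("Campaign B", frozenset({"nginx"}), frozenset({"cardholder"}), True),
    IntelItem("Advisory C", frozenset({"weblogic"}), frozenset({"cardholder"}), False),
    IntelItem("Advisory D", frozenset({"mssql"}), frozenset({"employee-pii"}), False),
]

def triage(assets, feed, min_impact=1):
    """Return (score, asset, intel title, matched tech), highest priority first."""
    findings = []
    # Steps 1 and 2: iterate the asset inventory, most business-critical first.
    for asset in sorted(assets, key=lambda a: -a.business_impact):
        if asset.business_impact < min_impact:
            continue
        # Step 3: keep only intelligence relevant to this asset.
        for item in feed:
            tech = asset.technologies & item.affected_technologies
            if not tech:
                continue        # exploits technology the asset does not have
            holds_target = bool(asset.data_types & item.targeted_data)
            # Assumed weighting: impact dominates, active campaigns double it,
            # and retaining the targeted data adds one point.
            score = asset.business_impact * (2 if item.active_campaign else 1)
            score += 1 if holds_target else 0
            findings.append((score, asset.name, item.title, sorted(tech)))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

if __name__ == "__main__":
    for row in triage(ASSETS, FEED):
        print(row)
```

"Advisory C" never appears in the output because no asset in the inventory runs the affected technology, which is the relevance test described under the third criterion.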

Security professionals have a tendency to approach the problem in the opposite direction, first trying to make sense of the overwhelming volume of information about threats, vulnerabilities, and exploits. Only then do they connect that information to the business value in a way that decision-makers can understand. However, in reality, the problem is all about the assets. Organizations should start with what matters to simplify the challenge of processing threat information.

That doesn't mean the problem is easy, though. In truth, keeping track of the organization's information assets (along with policies, compliance requirements, business continuity requirements, and other aspects of enterprise governance, risk management, and compliance) can be just as complex as keeping track of the threats, vulnerabilities, and exploits that create the risk. The point is to put the priorities for addressing these challenges in the proper order.