Posted August 6, 2015
Author: Eric Olson, VP of Product Strategy
In this four-part Executive Leadership series on making the business case for threat intelligence, we examine how you can justify incorporating threat intelligence in your company’s security operations, regardless of how small a team you have or how large your company is. In today’s post, we discuss why it’s important to first define what you need and why you need it.
Creating a security budget can be challenging for even experienced security professionals. In many cases, the practitioners who see the day-to-day value of threat intelligence – cyber threat analysts, security analysts, and others – are not the stakeholders who control the budget. In fact, a recent PricewaterhouseCoopers survey found that 49 percent of boards view cybersecurity as only an IT risk, and not an overall corporate risk.
Before building your business case, it is critical to define “threat intelligence” and determine if your organization needs it, and if so, how it will be used. Our view, which is shared by many security industry experts, is that there’s a big difference between “threat intelligence” and “data.” Our definition states that to turn data or information into threat intelligence, the final product must meet at least three criteria:
1. Relevance – The information must relate to, or at least potentially relate to, your enterprise, industry, networks, and/or objectives
2. Actionable – It must be specific enough to prompt some response, change, action or decision, or to dictate an explicit and informed decision not to act
3. Value – Even if relevant and actionable, if the data (and the action) does not contribute to any useful business outcome, there is no value
When threat activity, known actors, historical tactics, or attack information can be combined with vulnerabilities, activity data, or other particulars present in your network and environment, then the information becomes relevant, actionable intelligence.
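The three criteria and the correlation step described above can be made concrete as a small triage routine. The following is an added example, not code from the original post or from the author's company: it takes constructed external feed entries (actor activity, exploited products, indicators) and scores each against a constructed picture of the internal environment (industry, deployed software, asset criticality, indicators already seen in telemetry). Every field name, product name, hostname and scoring rule here is an assumption made for illustration; the indicator addresses are documentation ranges.

```python
# Added example (not from the original post): deciding whether an external
# report is "data" or "intelligence" by correlating it with what we know about
# our own environment. All data and field names below are constructed.
from dataclasses import dataclass

CRITICALITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatReport:
    """One item from an external feed (constructed schema)."""
    source: str
    summary: str
    target_industries: frozenset = frozenset()   # sectors the activity is reported to target
    exploited_products: frozenset = frozenset()  # products the activity is reported to exploit
    indicators: frozenset = frozenset()          # concrete network indicators seen in the activity


@dataclass
class Environment:
    """What the defending organisation knows about itself (constructed)."""
    industry: str
    deployed_products: dict   # product name -> set of hostnames running it
    asset_criticality: dict   # hostname -> "low" | "medium" | "high"
    observed_indicators: set  # indicators already present in internal telemetry


def assess(report: ThreatReport, env: Environment) -> dict:
    """Apply the relevance / actionable / value criteria to one report."""
    reasons, actions, exposed_hosts = [], [], set()

    # Relevance: does the report touch our sector, our software, or our telemetry?
    if env.industry in report.target_industries:
        reasons.append(f"activity reported against the {env.industry} sector")
    for product in sorted(report.exploited_products):
        hosts = env.deployed_products.get(product, set())
        if hosts:
            exposed_hosts |= hosts
            reasons.append(f"{product} is deployed on {len(hosts)} host(s)")
    matched = set(report.indicators) & env.observed_indicators
    if matched:
        reasons.append(f"{len(matched)} indicator(s) already seen in internal telemetry")
    relevant = bool(reasons)

    # Actionable: can we name a specific thing to patch, block, or hunt for?
    if exposed_hosts:
        actions.append("patch or isolate: " + ", ".join(sorted(exposed_hosts)))
    if report.indicators:
        actions.append("block and hunt for: " + ", ".join(sorted(report.indicators)))
    actionable = relevant and bool(actions)

    # Value: tie the action to what is exposed. Indicators already seen inside
    # the perimeter suggest active contact and rank highest; otherwise inherit
    # the criticality of exposed assets; purely proactive blocking is low value.
    if matched:
        value = "high"
    elif exposed_hosts:
        value = max((env.asset_criticality.get(h, "low") for h in exposed_hosts),
                    key=CRITICALITY_RANK.get)
    elif actionable:
        value = "low"
    else:
        value = "none"

    missing = [name for name, ok in (("relevant", relevant),
                                     ("actionable", actionable),
                                     ("value", value != "none")) if not ok]
    return {
        "source": report.source,
        "relevant": relevant, "actionable": actionable, "value": value,
        "reasons": reasons, "actions": actions, "missing": missing,
        "verdict": "intelligence" if not missing else "data",
    }


# Constructed environment: a retail organisation with a few hosts.
ENV = Environment(
    industry="retail",
    deployed_products={"ExampleCMS 2.1": {"web-01", "web-02"}, "ExampleDB 5": {"db-01"}},
    asset_criticality={"web-01": "medium", "web-02": "medium", "db-01": "high"},
    observed_indicators={"203.0.113.7"},  # constructed; 203.0.113.0/24 is a documentation range
)

# Constructed feed entries covering the three outcomes.
REPORTS = [
    ThreatReport("feed-a", "campaign exploiting ExampleCMS 2.1 against retailers",
                 target_industries=frozenset({"retail"}),
                 exploited_products=frozenset({"ExampleCMS 2.1"}),
                 indicators=frozenset({"203.0.113.7", "bad.example"})),
    ThreatReport("feed-b", "DDoS tooling update used against banks",
                 target_industries=frozenset({"banking"}),
                 exploited_products=frozenset({"OtherCMS 9"})),
    ThreatReport("feed-c", "phishing kit aimed at retail brands; no infrastructure named yet",
                 target_industries=frozenset({"retail"})),
]

if __name__ == "__main__":
    for result in (assess(r, ENV) for r in REPORTS):
        print(f"{result['source']}: {result['verdict']} "
              f"(value={result['value']}, missing={result['missing']})")
        for line in result["reasons"] + result["actions"]:
            print("   -", line)
```

Run as-is, the first entry becomes intelligence (it names software we run and an address already in our logs), the second stays data because nothing about it touches this environment, and the third is relevant but not yet actionable, which is exactly the kind of item a team should track rather than budget response time for.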
The Need for Threat Intelligence
There are two key factors driving the need for, and value of, information from outside of the corporate network. They are based on the belief that actual intelligence (as defined above) is derived from correlating information from outside of the corporate perimeter or span of control with information from inside of the perimeter.
The first driver is the explosion of risk types in both complexity and number. Besides well-known risk types such as phishing, domain name spoofing, distributed denial of service (DDoS) attacks, and SQL injections, security teams must now combat cyber risks that touch on physical security, state and federal regulations, and both protection of, and compliance around, customer data. Understanding your exposure to these types of threats, whether and how often your company and industry are targeted, and the potential impact of those activities is key to determining whether you actually have a need for threat intelligence. If so, these factors will be key to making the business case and budget justification for a threat intelligence program.
The second driver is the expanded attack surface. Threat actors continue to use older channels, such as Internet Relay Chat (IRC) and Usenet, along with the web and other channels such as social media, to plan attacks, trade data, and organize resources. The number and type of sources continue to expand, and the volume of content being produced across those sources has increased literally by orders of magnitude.
Effectively monitoring across the web, social media, and underground channels, as well as staying abreast of current threat activity, is a daunting task for any security team. The volume of data, and the time required to sift through it all, become cost-prohibitive. The problem is even greater for organizations with a global presence, which require both data collection and analysis in multiple languages.
Due to these factors, it is nearly impossible for many in-house security teams to effectively collect, sort through, and process information sourced outside the perimeter, making it a necessity to procure third-party services and tools to help keep the organization safe. Security experts will need to be able to translate the need for resources into management’s language, and explain the expected outcomes in terms of value to the business, in order to obtain the budget needed to equip the company network to mitigate threats.
Remember, data alone is not intelligence; threat intelligence can best be defined as information that is relevant to the organization, has business value, and is actionable. As the threat landscape has expanded, more and more organizations have found the need for, and can benefit from, threat intelligence. Key drivers of this expanding need include the explosive growth in risk types and the volume of content and sources to be covered.
Next week we will look at how to match your business objectives with your security needs.