Demand for threat intelligence services is anticipated to grow at a rate of 15.5%, says Gartner, and is defined by Forrester as a way of reducing ‘physical and cyber risks’ while supporting decision-making and existing security intelligence methodologies and systems. As a fledgling security strategy and methodology, threat intelligence is a relatively new arrival on the security landscape, but it is one that has the potential to offer immense value to an enterprise.
In a nutshell, threat intelligence is built on data. The National Institute of Standards and Technology defines it as information that has been ‘aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes.’
It is built on the data collected by organisations about the threat landscape, cyber-attack trends, evolving attack approaches, the types of attack and the ever-changing risks presented by these threats. The insights provided by this data allows for security teams to make informed decisions around their security while also giving them the edge when it comes to being more proactive in their security approaches and methodologies.
Leveraging organisation-specific data that provides context and detail around cyber-threats and risks, threat intelligence offers security actionable insights around potential vulnerabilities and the ability to rapidly detect and remediate threats.
Threat intelligence is only as valuable as the data used to inform it. This means that organisations need to have visibility and control over the data within their internal systems – assets, operations, processes, systems – and the ability to correlate this data with external information that allows for a holistic view of the threat landscape.
There are three types of threat intelligence. The most important is strategic threat intelligence that provides the C-Suite with the data it needs to make informed decisions around the types of risks their organisations are facing. It is an insights-rich advisory that informs security spend, risk assessments, and technology assets to ensure that risks are mitigated as effectively as possible. This level of threat intelligence is designed to provide decision-makers with the information they need to align security spend with security requirements.
The second form of threat intel is tactical threat intelligence. This is high-level security intelligence that makes sense to security leadership – the CISO, the information security manager, or the SOC manager. It advises on the tooling they have to employ within their SOC and offers them a measure of forecasting that can help them manage their security approaches more effectively. It answers questions like – is ransomware more prevalent or insider fraud? Is it email compromises? Where do we need to focus our budgets and SOC efforts?
The last form of threat intelligence is the operational threat intelligence, which is highly reactionary and used by security teams who handle the day-to-day operations. It is fed into security tools such as SIEM, SOAR, and firewalls. Security engineers, analysts, red teamers (offensive white hat attackers), and other on-the-ground security people who require immediate visibility into ongoing attacks and threats utilise this for effective setup of defences.
Threat intelligence helps refine security spend as it advises the business on what type of security it actually needs.
The value of threat intelligence lies in how it provides the business with an invaluable layer of insights that can be used to balance security protocols and approaches. Using this data, teams can create a better security balance throughout the organisation. Which of course asks – how should organisations approach the implementation and management of threat intelligence tools and services? Should they create their own or consume a commercial threat intelligence tool?
Every organisation has its own strategy, assets, and technology stack and each one is influenced by the industry in which it operates. Finance, for example, faces a very different threat landscape to retail. Insurance has a markedly different threat profile to agriculture. Yet each industry faces significant threats so by going through a process of self-discovery, organisations can establish their unique threat footprint, and this will inform which approaches are best suited to their needs.
Best practice suggests that the business undertake a risk assessment, examine the threat landscape from both an internal and external perspective, and then establish exactly what level of threat intelligence it needs to effectively minimise its threat profile.
In addition to providing the business with a high-level of visibility into threats that supports agile security and risk mitigation, it also helps cut costs. Every business has a limit in terms of how much it can spend on technology and must make the most out of its available resources. Threat intelligence helps refine security spend as it advises the business on what type of security it actually needs – is it a firewall? Endpoint Detection and Response? An antivirus solution?
The remarkable visibility provided by threat intelligence shines a spotlight on the gaps and the holes in an organisation’s security awareness, so it stops shooting in the dark. And that is an invaluable asset to any company as it faces the complexity of cybersecurity.
Robert Ngetich is the Team Lead, Threat Intelligence Centre, Dimension Data East, and West Africa.