Channel: Symantec Connect - Blog Entries

Not all Threat Intelligence is Created Equal

5 insights to help get the most from your investment

When it comes to strengthening your security operation, it can be difficult to plan without understanding the potential threats to your business. Fortunately, the Symantec Managed Adversary Threat Intelligence (MATI) team recently uncovered an uptick in cybercriminal activity in the Middle East and North Africa (MENA). Without this type of threat intelligence, companies contemplating an expansion into countries such as Turkey or Egypt might be surprised by an increase in threats in their environments.

With cybercriminal activity proliferating throughout the world, CISOs are increasingly interested in making threat intelligence an integral part of their security operations. But the goal may be easier said than done. 72% of organizations are planning to increase spending on threat intelligence in the next 12 to 18 months.[1] However, many of the security leaders we speak with have told us they struggle with differentiating between threat intelligence sources and determining those from which they can derive the most benefit.

How can you better understand threat intelligence? And more importantly, how should you use threat intelligence? The following 5 insights provide guidance on how to best integrate threat intelligence into your organization.

1. Threat intelligence is not just data. Cyber threat intelligence starts with solid data and information gathered from a broad spectrum of threat vectors across the world. It’s not just raw, unprocessed and unfiltered data. It should contain a full array of data – from vulnerabilities and spyware to malicious IPs and domains – sourced from emails, web requests and commercial products that are monitoring the threat ecosystem 24 X 7 X 365. That information needs to be analyzed and filtered by robust big data analytics and machine learning techniques, identifying patterns and correlations between indicators and events. Even further, the data should be reviewed and further digested by trained analysts who can assure the output is relevant to you and that it is delivered in a way you can use.

2. Threat intelligence should be unique to you. The job of determining what threats are relevant to your organization is complicated by the sheer volume of incoming security data points. Each business environment spawns multiple events and alerts, and a security team could spend hours researching each signature and vulnerability to determine which actually apply to your environment. That is why your threat intelligence should be relevant to your industry and geography and must be useful to multiple teams, including representatives from your vulnerability management, threat management and security operations groups. You need to be able to segment it and ask your analyst team questions specifically about how threats relate to your organization, so you can view, analyze and focus on the activity that poses a risk to your business and to your most critical assets.

3. Threat intelligence integrates with your current security strategy. Wherever your security operations fall on the maturity curve, it is likely you have made a few investments in a security infrastructure – whether it be a GRC system, a SIEM, threat intelligence, or an intelligence analyst or two. Leveraging these assets is going to be important to you, and you will want to integrate them into your business overall. That is why your threat intelligence should be available in different formats, including a well-thought-out user interface, data feeds, and APIs that provide the basic building blocks that enable developers to build threat intelligence into your existing security technology. With this integration, you are better able to align your budget to the most critical threats affecting your business and to deploy your people and technology to the areas that attackers are focusing on.

4. Threat intelligence needs a personal touch. As the volume and velocity of threats continue to grow, pinpointing emerging threats in your industry and your company is likely only one of the many items on your agenda. Future planning for your security operation is most likely a big issue, too. To do it well, you need the rich contextual information that can come from human research and analysis. You need linkages between technical indicators, IP addresses and domains, as well as knowledge of adversaries, their motivations and their intents. This type of intelligence comes from analysts whose schooling goes beyond the traditional security certifications and extends to high-level intelligence training on how to conduct human intelligence operations and how to find adversaries even when they go black – through the dark web or a VPN.

5. Threat intelligence has to be – intelligent. As a CISO, it is also likely that you view intelligence as much more than a defense against the adversary: it is an important link in the risk management chain. Your work with your executive team and the Board is most likely focused on both the quantitative and qualitative aspects of your security spend – both number and type of threats blocked and how they relate to the risks in your organization. Your threat intelligence should give you the narrative to articulate the ROI associated with your spend – whether it was a nation-state threat that you blocked or a reputation-damaging cybercrime that you avoided. Easily digestible reports and detailed answers to specific queries should be available whenever there is a need, specifically as your Board makes strategic decisions to acquire new companies, launch new products, or move into new geographies.

Looking for more insights?

Learn more about Symantec’s DeepSight Intelligence

DeepSight Intelligence delivers a comprehensive and timely stream of threat intelligence via a customizable portal and web services for automated consumption, as well as data feeds and APIs that allow for full integration with an organization’s security infrastructure. DeepSight’s MATI team provides finished intelligence reports about adversaries’ tactics, techniques, and procedures. MATI reports, which provide additional context regarding indicator attribution and motivation behind cyberattacks, are produced by former intelligence officers from the CIA, US Department of Defense and the NSA, among many other global governmental entities. To speak with a product specialist about DeepSight Intelligence, call 866 422 5181.

 

[1] ESG Research Report, Threat Intelligence and its Role within Enterprise Cyber Security Practices, June 2015.

