Actionable Threat Intelligence Enables a Proactive Approach to Cybersecurity, with Connectivity to the Entire Security Footprint
They say that finance is both art and science. Modern financial theories wouldn’t have been possible without science laying the groundwork for the statistical models and analysis. But human emotions and “gut” also play a huge role in financial decision making. Medicine is similar – while steeped in science, a physician’s intuition and judgement play heavily in personalized care. Cybersecurity is much the same.
As I discussed in my last article, there’s no lack of threat data that can be turned into threat intelligence by overlaying context and applying sophisticated analytics. But there’s also an ‘art’ to understanding what is meaningful to your organization and the best course of action to take. You have to consider the accuracy, relevance and timeliness of the intelligence.
Accuracy: Is the intelligence reliable and detailed?
Relevance: Does the intelligence apply to your business or industry?
Timeliness: Is the intelligence being received with enough time to do something?
These three attributes help define “actionable” intelligence. The catch is that you can really only have two of the three, so you need to determine what’s most important to your business. If you need intelligence as fast as possible to deploy out to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is actually relevant to your industry or business. This could result in expending resources on something that doesn’t present a lot of risk. And creating comprehensive reports with extensive analysis to ensure reliability and relevance, could result in intelligence that’s received too late to be actionable, or may have become stale and no longer of value.
These tradeoffs and decisions are best made by humans working together. For example you may know you’re already protected against a certain type of malware, or that certain threats target systems you don’t have, or you may be willing to take your chances with a specific type of attack. Analysts’ judgement, intuition and institutional knowledge contribute to the art of making threat intelligence actionable.
Ultimately, “actionable” is defined by the user. The SOC typically looks for IP addresses, domain names, and other indicators of compromise – anything that will help to detect and contain a threat and prevent it in the future. For the network team it’s about hardening defenses with information on vulnerabilities, signatures and rules to update firewalls, and patch and vulnerability management systems. The Incident Response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate.
Risk Management needs to understand the impact on data and other digital assets to align threat with vulnerability and the effect on the business or organization. And the executive team and Board need intelligence about threats in business terms – the financial and operational impact – in order to increase revenue, and protect shareholder value and the company as a whole. Analysts must work together and across the organization to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams.
Actionable threat intelligence allows organizations to take a proactive approach to cybersecurity, with connectivity to the entire security footprint – feeding information to the sensor grid, SIEM, logs, and ticketing systems to strengthen defenses; back to the data sources and database to manage the quality of the data; and out to the breadth of business users to communicate risk. But it can only be achieved when humans and technology collaborate to bring science and art together.