SecurityWeek

Management & Strategy

Five Questions to Ask when Considering Cyber Threat Intelligence

Traditional defenses have proven insufficient in protecting organizations from adversaries who are increasingly exploiting the digital shadows of organizations to launch targeted attacks. Now, more than ever, organizations are seeking to understand which actors pose a viable threat to their assets and business operations. As a result, many are taking the next step in their journey to strengthen their defenses by turning to Cyber Threat Intelligence (CTI). But what exactly is CTI?


There are many different definitions of CTI and, as a result, varying expectations of what CTI can do. One of the most straightforward definitions comes from the “CBEST Threat Intelligence Framework” paper, which describes CTI as “Information about threats and threat actors that provide relevant and sufficient understanding for mitigating the impact of a […] harmful event.”

The number of definitions nearly exceeds the number of new information security firms offering CTI. In fact, a new report by Forrester Research, “Vendor Landscape: S&R Pros Turn to Cyberthreat Intelligence Providers for Help,” includes 20 CTI vendors. This underscores the rising prominence of CTI as a security tool, but also the potential for confusion when selecting a vendor.

As a security and risk professional, how do you navigate your way through these murky waters and choose a CTI solution that will best meet your needs? As with many areas in security, there is no ‘silver bullet’ for CTI. The following five questions can help you be judicious when assessing the market and your options.

1. How wide and varied are the sources that you cover? Volume and variety of sources are among the most important characteristics of a threat intelligence provider. A provider that covers many sources, millions rather than thousands of unique domains, will reduce the chance of threats going unnoticed. Multilingual support across Web and Internet services, public and private forums and a range of media types (such as IRC chats, email and video) is also important. To get the best coverage you will likely need to work with multiple providers.

2. Can you ensure my intelligence is free from false alarms? Broad coverage must be balanced against the accuracy of alerts. Look for a provider that uses a combination of high volume CTI and curated and tailored CTI to increase the accuracy of the intelligence.

3. How quickly can I receive an alert following an event, and how far back does the context go? Accuracy is important, but if the information is received too late it may be irrelevant or not actionable. Look for vendors who can provide immediate alerts and who can access data from previous years, which can provide valuable clues and early insights into potential events.

4. Does the service integrate with my existing services? No matter how advanced an offering may be, no single vendor can satisfy all your needs. Any provider must be able to demonstrate the ability to use APIs to integrate with other solutions and with wider sharing communities, including FS-ISAC and CISP. Support for standards such as OpenIOC and STIX is also important, as is integration with threat intelligence platforms like ThreatConnect and ThreatQuotient.

5. How tailored is the service to my organization and supply chain? The most valuable intelligence is that which is specific to your organization and assets, not simply to your geography and sector. So that you are not overwhelmed, there should be a mechanism in place to prioritize alerts. A provider that also offers formal feedback processes can use that information to further tailor the service to your needs.
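Questions 2, 4 and 5 come together once feeds actually land in your tooling: standard formats let you merge several providers, corroboration between providers lowers the false-alarm rate, and an organization profile is what turns a generic feed into a tailored, prioritized one. The following Python script is an added example, not code from the article or from any vendor it names. It ingests two constructed STIX 2.1 indicator bundles from two hypothetical providers ("feed-a" and "feed-b", with placeholder values rather than real IoCs), collapses duplicate indicators, and ranks them against a constructed organization profile of brand terms and supplier domains. The profile, the feed contents and the scoring weights are all assumptions chosen for illustration.

```python
"""Merge STIX 2.1 indicator feeds from several providers and rank them
against an organization's own profile (added example; all data constructed)."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundles from two hypothetical providers. Values are
# documentation/placeholder names and addresses, not real indicators.
FEED_A = {
    "type": "bundle", "id": "bundle--feed-a",
    "objects": [
        {"type": "indicator", "id": "indicator--a1", "confidence": 80,
         "pattern": "[domain-name:value = 'login-acme-example.test']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--a2", "confidence": 30,
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
    ],
}
FEED_B = {
    "type": "bundle", "id": "bundle--feed-b",
    "objects": [
        {"type": "indicator", "id": "indicator--b1", "confidence": 60,
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z"},
        {"type": "indicator", "id": "indicator--b2", "confidence": 90,
         "pattern": "[url:value = 'http://unrelated.example/x']",
         "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z"},
        {"type": "indicator", "id": "indicator--b3", "confidence": 45,
         "pattern": "[domain-name:value = 'parts-supplier.example']",
         "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z"},
    ],
}

# Constructed organization profile: what "tailored" means for this company.
ORG_PROFILE = {
    "brand_terms": ["acme-example"],              # strings that imitate the brand
    "supplier_domains": {"parts-supplier.example"},  # supply-chain partners
}

# Only simple single-comparison STIX patterns are handled here; compound
# patterns (AND/OR, other properties) are skipped rather than mis-parsed.
PATTERN_RE = re.compile(r"^\[(?P<otype>[a-z0-9-]+):value\s*=\s*'(?P<value>[^']*)'\]$")


def parse_indicators(bundle, source):
    """Return a list of {otype, value, confidence, source} for a bundle."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        found.append({"otype": m["otype"], "value": m["value"],
                      "confidence": int(obj.get("confidence", 0)), "source": source})
    return found


def relevance(otype, value, profile):
    """Classify why an indicator matters to this organization, or None."""
    v = value.lower()
    if any(term in v for term in profile["brand_terms"]):
        return "brand"
    if otype == "domain-name" and v in profile["supplier_domains"]:
        return "supply-chain"
    return None


def prioritize(feeds, profile):
    """Merge feeds, collapse duplicates, score and sort (highest first).

    Score = best provider confidence, +50 if tailored to the organization,
    +10 for every additional provider that independently reports the value
    (corroboration lowers the chance of acting on a false alarm).
    """
    merged = defaultdict(lambda: {"sources": set(), "confidences": []})
    for source, bundle in feeds.items():
        for ind in parse_indicators(bundle, source):
            key = (ind["otype"], ind["value"])
            merged[key]["sources"].add(source)
            merged[key]["confidences"].append(ind["confidence"])
    ranked = []
    for (otype, value), agg in merged.items():
        rel = relevance(otype, value, profile)
        score = max(agg["confidences"]) + (50 if rel else 0) + 10 * (len(agg["sources"]) - 1)
        ranked.append({"type": otype, "value": value, "score": score,
                       "relevance": rel, "sources": sorted(agg["sources"])})
    ranked.sort(key=lambda r: (-r["score"], r["value"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize({"feed-a": FEED_A, "feed-b": FEED_B}, ORG_PROFILE):
        print(json.dumps(row))
```

The brand-impersonation domain rises to the top even though the unrelated URL carries a higher raw confidence, and the address reported by both providers is flagged as corroborated. In practice the profile would be fed back to the provider (question 5) and the bundles would arrive over the provider's API rather than as inline constants.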

CTI is critical for organizations that want to gain a comprehensive, tailored and relevant view of the potential threats and types of attackers that could be targeting them. But attackers never rest and neither can organizations in their quest for better threat protection and risk mitigation. With CTI as a solid foundation to understand threats, you can continue to strengthen defenses with cyber situational awareness that, in the short-term, allows you to prevent and mitigate harmful events and, longer-term, allows you to prioritize threat protection investments and policies as threats continue to evolve.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
