The Starbucks Effect is Pervasive in the IT Industry and Threat Intelligence is Also Affected by That Movement
“I’d like a half caff, tall, soy, vanilla cappuccino, extra hot.” We’ve all heard orders like these at Starbucks. We may even be the person placing them! But the fact is, we’ve become accustomed to getting things our way and when it comes to coffee, the barista makes sure our expectations are met.
The world of technology is very similar. But instead of satisfying personal tastes with caramel or vanilla, we choose technologies and products by experiences, familiarity and personal preferences. In the business world customization is even more complicated by the fact we need to customize for brand preference; specific team experiences and expertise; operating environments; processes and workflows. And we also have existing corporate infrastructure that is unique and must be supported. I call this need for customization the “Starbucks Effect” and it ripples throughout the IT industry affecting hardware, software and services alike.
A great example is security, which isn't one-size-fits-all. You know that from the history of how your infrastructure and layers of defense developed. Over the years you selected from an ever-expanding range of point products to address the latest threat or business need. And since each organization's needs are different, the resulting security infrastructure became different as well. When we look at threat intelligence, the same holds true. Not all threat data is created equal: something that is relevant to your organization may not be relevant to another. In addition, the way you utilize threat intelligence will vary based on your infrastructure and people. For example, larger organizations with more manpower have the resources to chase down threat data with two or even three degrees of separation (e.g., downstream IP addresses, domain registrants, etc.), whereas organizations without those vast resources must be more selective, investigating only threat data that is active, targeting their industry or associated with known adversary sets.
To build a comprehensive threat intelligence program you typically start by choosing subscriptions to various threat data feeds – some from commercial sources, some open source, some industry and some from existing security vendors – and aggregating the data in a central repository. You then need the ability for each point product within your layers of defense and/or your SIEM to communicate with that repository so you can combine your global threat data with the massive amount of log and event data these solutions generate. Having all that data is great, but it also includes a lot of noise. Some threat data feed and security vendors try to help reduce the noise by publishing risk scores. However, those scores are universal. What you really need are scores that are based on relevance to your environment. Just like ordering coffee, who better to determine what you like and what you need than you? You need to be able to customize risk scores and prioritize threat intelligence using parameters you set around indicator source, type, attributes and context, as well as adversary attributes, so you can filter out what’s noise.
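As an added illustration of the relevance-based scoring described above (example code, not from any product or the original post), the Python below re-scores aggregated feed indicators against an organization profile. The weights, bonuses, indicator records and adversary names are all constructed assumptions; the point is that a feed's universal score can drop out once your own parameters (source, type, active status, industry, tracked adversaries) are applied.

```python
# Constructed sample of aggregated feed indicators. Each carries the universal
# risk score its publisher assigned plus the attributes the text names.
INDICATORS = [
    {"value": "203.0.113.7", "type": "ip", "source": "commercial",
     "vendor_score": 90, "active": False, "industry": "retail", "adversary": None},
    {"value": "login-portal.example", "type": "domain", "source": "open",
     "vendor_score": 40, "active": True, "industry": "finance", "adversary": "GROUP-A"},
    {"value": "sha256:constructed-placeholder-0001", "type": "hash", "source": "industry",
     "vendor_score": 60, "active": True, "industry": "finance", "adversary": None},
    {"value": "198.51.100.23", "type": "ip", "source": "vendor",
     "vendor_score": 85, "active": True, "industry": "healthcare", "adversary": "GROUP-B"},
]

# Constructed organization profile: the "order" this organization places.
ORG_PROFILE = {
    "industry": "finance",
    "tracked_adversaries": {"GROUP-A"},          # adversary sets you follow
    "source_weight": {"commercial": 1.0, "open": 0.7, "industry": 0.9, "vendor": 0.8},
    "type_weight": {"ip": 0.8, "domain": 1.0, "hash": 1.0},
    "inactive_factor": 0.25,                      # stale indicators are mostly noise
    "industry_bonus": 20,                         # targets your sector
    "adversary_bonus": 25,                        # tied to an adversary you track
}


def relevance_score(ind, profile):
    """Turn a publisher's universal score into a score relative to this profile."""
    score = ind["vendor_score"] * profile["source_weight"].get(ind["source"], 0.5)
    score *= profile["type_weight"].get(ind["type"], 1.0)
    if not ind["active"]:
        score *= profile["inactive_factor"]
    if ind["industry"] == profile["industry"]:
        score += profile["industry_bonus"]
    if ind["adversary"] in profile["tracked_adversaries"]:
        score += profile["adversary_bonus"]
    return round(min(score, 100.0), 1)


def prioritize(indicators, profile, threshold=50):
    """Return (value, score) pairs at or above the threshold, highest first."""
    scored = [(i["value"], relevance_score(i, profile)) for i in indicators]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    for value, score in prioritize(INDICATORS, ORG_PROFILE):
        print(f"{score:5.1f}  {value}")
```

Note that the indicator with the highest universal score (90) falls below the threshold because it is inactive, while a low-scored open-source domain tied to a tracked adversary rises to the top.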
So now that you've customized the threat intelligence itself, you need the ability to customize how you utilize it. This requires that the solution allows for bi-directional communication, so you not only receive data from internal systems but can also send curated threat intelligence from the repository to all the tools necessary within your environment. For example, sending it to your existing case management or SIEM solution allows those technologies to perform more efficiently and effectively, delivering fewer false positives. You can also use that threat intelligence to be anticipatory and prevent attacks in the future, automatically sending intelligence to your layers of defense (firewalls, anti-virus, IPS/IDS, web and email security, endpoint detection and response, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk.
With a solution that allows for customization of the threat intelligence itself and how you integrate it into your environment, you’ve now got threat intelligence “to order.” However, not every organization is in a position to do this themselves. With the global shortage of skilled cybersecurity professionals, estimated to reach 2 million by 2019, what if you don’t have the security experts to develop and/or implement a threat intelligence program? This is where managed security services providers (MSSPs) can come in. MSSPs offer another way for you to get the services you need from a menu of options. They can use that solution to do the customization for you, turning data into actionable threat intelligence and integrating it into your infrastructure and operations. They can also use the threat intelligence that’s relevant to your organization to deliver additional, high value and customized services such as risk assessments, threat hunting and incident response to improve your overall security operations and directly target the threats that matter most to you.
The Starbucks Effect is pervasive in the IT industry and threat intelligence is affected by that movement. With the right technologies and/or services, every organization can get relevant, prioritized threat intelligence how, when and where they need it.