Go to any security conference nowadays, and you’ll find that everyone and their brother (from end users to service providers to vendors) has jumped on the threat intelligence bandwagon. While this is a useful trend, indicative of the fact that organizations are starting to realize that reliable information about threat actors can, when applied judiciously, help provide a security benefit. It’s also a true statement that many organizations struggle with making the threat information they obtain actionable as a practical matter.
There are a few reasons why this is the case. First, many organizations (particularly those of a certain size) may consume different sources of information for different purposes throughout the organization. For example, the security operations center (SOC) might obtain Indicator of Compromise (IOC) information from one source while the network operations team obtains a DNS blacklist from another. The risk management team might obtain by-country strategic-level information about threat actors while the security operations team obtains signature information to drop into SEIM or other detection tools. So while that information may provide additive value within the particular area or function currently employing it, the value may be less than would otherwise be the case if the information were employed in a more systematic way.
Secondly, security teams struggle with contextualizing security information. Meaning, the linkage between a particular development on the threat landscape and the impact that might have on the business is often poorly understood. It’s not “rocket science” as to why: contextualization presupposes a level of self-awareness (i.e., of an organization’s own business and operations) which requires a high level of maturity to get to. In other words, for the same reasons that organizations often struggle with systematic risk management, they likewise struggle with contextualizing threat intelligence. So to the extent that an organization obtains threat data without having the maturity to contextualize it, the value is likewise limited.
The point is, the degree to which threat information is actionable is the degree to which that threat information is useful—if you’re spending time or money to obtain threat intelligence (TI) and you lack the capability to use it productively, you’re wasting your resources. The onus, therefore, is on one thing alone for the savvy security organization: how to ensure that the intelligence they receive is actionable. While there is no “one size fits all” way to do this, one approach that can potentially help can be borrowed from the governance space to help an organization get there.
TI Lessons from Governance
Technology Governance (whether you call it “IT Governance,” GEIT, information governance, or something else) is a discipline that has been around for decades. Unlike threat intelligence, it’s probably not a very “sexy” topic, but it does provide a systematic way for organizations to ensure that investments are used optimally. When applied to threat intelligence, it provides a way for organizations to ensure that the value that they’re getting from their TI investment is used most optimally.
First, an understanding of the purpose is paramount. One of the core tenants of the IT Governance world is the ability to map technology decisions back to stakeholder goals. Meaning, the organization’s mission “cascades” to stakeholder goals, which ultimately are aligned to the specific goals supported by technology components. Therefore, for every technology employed, a robust technology governance implementation can describe the goals of the organization supported by a specific technology.
In the TI world, we often see organizations making purchases without a clear understanding of where or how the investment will provide value. For example, if your organization makes an investment in TI because your CISO heard at a trade show that “you need some of that,” the chances are unlikely that the investment will align with a concrete goal. If an organization has already done the work of going through a systematic analysis of IT goals and alignment of them with enterprise goals, extending that process into TI investments can be a relatively straightforward way to ensure TI is used most optimally. If an organization has not yet approached governance in a systematic way, it’s probably beyond the scope of what they need or want to do it just for TI. However, even just a quick documentation of the requirements: what you expect from the data you acquire, how you expect it to add value, what it is, etc. can be very helpful here.
Secondly, another core principle of technology governance is the ability to measure what you do to ensure continual improvement. Building a capability to evaluate and measure success means that you understand the value as described above, and you can measure the ability of a given feed/tool to provide that value. Applying a systematic method of analyzing and measuring your use of TI—and the value it provides—can lead to improvements. For example, you might realize that open sources of intelligence information provide a similar value as something you’re paying quite a bit for. You might find that you can gain additional value by extending the reach of a given feed or integrating disparate data sources.
Moreover, certain types of information are useful only for a defined period; today’s IOC can be near-useless tomorrow (for example, the IP being used for data exfiltration, or command and control today might be just another node on the Internet tomorrow). Being able to keep track of and evaluate your usage systematically can go a long way to ensuring that you’re employing time-based information quickly enough for it to be relevant. If you’re not, maybe adjustments are needed to workflow so you can employ it faster—or perhaps the investment should be reconsidered. Again, the purpose here isn’t that you get to a “perfect” comprehensive metrics program day one; instead, it’s about thinking about a threat in this way. Establishing an ability to measure your capability—the value it provides, your ability to use it, etc. —leads both to optimization and continuous improvement.
Lastly, technology governance emphasizes universal involvement in technology investment—from the board all the way on down throughout the organization—as well as “strategic alignment” in use of technology (as in, you have a plan and architecture for how technology investments tie together). Threat intelligence initiatives can be viewed along the same dimensions. First, evaluate how individual stakeholders are served by threat information and the role that they are expected to play in response. Is there information that can and should be shared with the board, executive teams, or other stakeholders outside of security? If so, how is that information being compiled, reported on, and shared? Is there an architecture that ties together how TI information is shared and consumed? Is there a plan for how it might be automated in the future to best effect? If the answer to these is no—or if you don’t know—there is potentially opportunity to improve.
Using TI Effectively
Now, it goes without saying that none of these things are “rocket science” exactly. In fact, they’re not even particularly new concepts. Nonetheless, they are areas where organizations struggle. While organizations making investments in threat intelligence can stand to gain quite a bit of value, they can potentially gain even more if they apply many of the lessons from the past and leverage the extensive collateral that already exists in the governance world to help them do so.