Cyber threat intelligence (CTI) offers real value to security teams. I established that in my last article, Introduction to Cyber Threat Intelligence: What Can It Do For You? But I would be remiss if I didn’t highlight the challenges companies encounter as they attempt to tap that value. CTI is far from “plug-and-play”: leveraging it requires organizational maturity and investments that go well beyond procuring a threat intelligence feed.
One of the issues organizations encounter is the siloed nature of the threat feeds themselves. “Threats are only a threat in the context of the risk to the business itself,” says Helen Patton, CISO of The Ohio State University. “Malware is contextual. Threat feed providers don’t know the business context. It’s up to the user to contextualize the threat feed for their environment; vendors aren’t helping users to do that. Large companies are good at that; mid-size companies aren’t able to do that because they don’t have the resources.”
Martin Fisher, manager of IT security at Northside Hospital, has evaluated several CTI vendors but, for a number of reasons, has “passed on each one.” One of those reasons is that “the solution required a level of IT maturity to use that my organization wasn’t at yet. That level varied from vendor to vendor, but only really mature organizations can do this effectively,” he says.
Target is one of those mature organizations—but that doesn’t negate the need for heavy investments. “Cyber threat intelligence (CTI) is a central part of our Information Security program at Target, in which we invest significantly in the tools, systems, team, training and partnerships that help keep our guests’ information secure. Target’s CTI team works tirelessly to build a holistic understanding of the threat landscape facing our organization, and the retail industry more broadly, using that information to keep our guest and team’s information secure,” says Jodie Kautt, VP Cyber Security, Target.
In a series of tweets on the role of CTI, Phil Venables, board director for Goldman Sachs Bank and senior advisor, espouses the virtues of CTI. But he acknowledges the reality for a lot of organizations: “Where threat intelligence gets maligned is, I think due to a lack of an organization’s capability to process it (perhaps fueled by over marketing of what it can do – by vendors or pundits). If you buy something or consume some capability you have to be equipped to use it.”
Many organizations simply don’t have the resources to build a CTI team and implement an organization-wide process for leveraging threat intelligence. This is a prime opportunity for the CTI vendors to bring a solution to market that helps close that gap, but for whatever reason, it’s simply not happening. The result is that the vendors look like they’re out of touch with the market’s needs.
“I think these vendors need to better understand the blue team world. My sense is they are a lot of data scientists, engineers, and developers, and have never worked on a blue team in their lives,” Fisher says.
Information Sharing and Analysis Centers (ISACs) offer some assistance, but again, they are best leveraged by organizations with mature CTI processes. “As members of the Retail Hospitality Information Sharing and Analysis Center (RH-ISAC), Financial Services Information Sharing and Analysis Center (FS-ISAC) and other trusted sharing communities, we think they are among the best sources of timely information. Multiple times per month, these communities provide unique and valuable information on threats and work to enhance and mature our cyber security capabilities,” Kautt says.
Fisher’s perspective differs: “H-ISAC is trying, but they aren’t there yet. FS-ISAC seems to have its act together,” he says.
Perhaps Venables puts it best: “Bottom line: threat intelligence is critical, but you have to use it well and that means having the organizational capability to do that. Grow capability (tooling and people) in balance with what you need to consume—think supply/demand.” CTI requires internal organizational maturity to take advantage of the enhanced data, but the industry also needs to push beyond static indicators. Instead of only identifying what was bad yesterday, we need to move to a predictive model of tomorrow’s threats, of what will counter them, and of how well an organization is prepared against them.