The past six months has proven that the threat landscape has changed forever. Threat intelligence is one of those posture-forward initiatives. Our upcoming Year-End Report will shed light on the fact that it is a growing focus for the community. In concert with that growing focus, we asked a few of our close friends, what has changed and what should executives do now?
HOW HAS THREAT INTELLIGENCE CHANGED IN THE PAST SIX MONTHS?
Santosh Kamane, Vice President Information Security, DBS Bank
“Phishing, malware, ransomware attacks are on the rise because adversaries know that users are isolated from their workplaces. Organizations who worked in a security environment where they were not prepared to work remotely have had a particularly hard time. They did not have do's and don'ts on how to handle phishing emails, malware, and ransomware, what to click, what not to click, when to report incident, etc.- those base practices in place."
Santosh notes that security awareness was low on our way into the pandemic. That means that all of the security awareness focus for the past two years simply got the community to a less than optimal outcome. Security awareness campaigns continue- but it’s possible the strategy of communication needs to be examined.
What might be most interesting about Kamane’s response is that he’s not discussing feeds- he’s talking about basic human threat intelligence. What good do the best feeds do you if Dave from accounting just opened the wrong email?
Kayne McGladrey, Senior Member, IEEE
"We were in the hype cycle with threat intelligence, and as a direct consequence, organizations are evaluating their threat intelligence providers and asking, is this actionable? Is this relevant? You can have two separate threat intelligence feeds covering the exact same industry, and you're getting entirely different signaling information out of them. So I think that there's a hesitancy to invest more in threat intelligence rather than to pick the feeds and providers that are providing the most actionable information."
Kayne is talking about feeds. But all feeds are not created equal and a great way to know if your given feeds are of any value to you is if you’ve taken action on anything anytime recently. Another way to know if you’re feeds are of any value is to quantify.
"Have a KPI about value that came out of your threat intelligence feed. Did it actually cause you to do something differently? Were your analysts able to act on this, or was it just another thing that they had to go look at? Because when you think of time as being our chief enemy, if it's sucking time and not producing value, why do you keep it? It's a data feed, ultimately. At the end of the day, you have to contextualize it in terms of your organization. Threat actors tend to vary in terms of behavior in their TTPs. And consequently, you need to really tailor your threat intelligence. And if you're not getting that tailored information, drop it."
One might argue that tailored information for your organization is more valuable than general information. Kayne is arguing that general information is not valuable. But he stops short of offering that company-specific feeds are the only feeds that matter.
"Is there an ISAC, an information security association, that's sharing similar information that you could just get by being a member? That could also be a better public/private partnership to address these issues, in addition to a commercial entity that's allegedly providing intelligence, whereas, in fact, they're just providing data."
Make some friends. Share some information. Which brings us to our second question.
THREAT INTELLIGENCE: WHAT SHOULD CISOs DO NOW?
Kayne McGladrey, Senior Member, IEEE
"Definitely, make a contact with your local veterans employment representative, your LVER. You can find those through America's job network, and just find out. Like the other thing, ultimately, your HR departments will be pleased with because LVERs are not a paid service. You can basically hire people- with no hiring or headhunter fee or associated cost structure- who are going to be motivated and talented. They might need to learn your tool chain, but the actual intelligence skills to disambiguate and make sense of a threat intelligence feed or feeds, as well as what you're seeing off your SIEM telemetry- that's invaluable. You cannot put a price on that."
Many folks are talking about investing more into threat intelligence. And many of those folks are talking about investing in automated analysis of threat intelligence feeds. An alternative to automating your (potentially unproven) feeds is hiring a veteran who all-in will likely be cheaper while having intelligence chops that are proven.
Santosh Kamane, Vice President Information Security, DBS Bank
"The key is zero trust architecture. It talks about addressing your internal and external traits at the same time. We always considered our employees, as non-mobile, internal resources that would always be in-office, now everybody's on the move. That makes the threat level for external and internal players pretty much same. And in some cases with the internal employees it’s higher, because they hold so much knowledge, they already have keys to enter into your network."
Again Santosh discusses heading off threats at the pass. It seems he in fact is on the pulse of where the industry’s issues lie. How can we justify unproven investment on “detect” threat landscape initiatives if “protect” threat landscape initiatives are vulnerable?
"The focus would be on how you build, purely a good a zero trust architecture to gain better visibility into everything that goes into your network- a centralized view- to have centralized security administration. Everything that goes in and out of the network that needs to be built, scrutinized, everything needs to be logged. Everything needs to be assessed on why that particularly activity was allowed or denied."
As a coda to his contribution, Kamane urges folks to focus on the solution as opposed to the problem. So one might suggest that even if you’ve got the VPN in place because you just invested in that architecture. Rather than invest further in threat intelligence feeds or automation, use that money on a ZTNA (Zero Trust Network Architecture). Or, close the doors before you worry about the windows.
Jeff Campbell, CISO, Horizon Power
"Adopt that model of sharing. It's all about knowledge sharing. It doesn't really matter which threat Intel feed to which you subscribe. Don't be overwhelmed by the number of available services- choose a framework, choose a model that you feel comfortable with, or that is purpose fit for your organization- and then start to structure your intelligence feeds or threat Intel around what you're trying to achieve. If you're trying to mature your cybersecurity practice, then look at threat feeds that will actually give you practical ways of remediating."
Jeff makes like Steven Covey and suggests that you begin with the end in mind. What outcome are you trying to achieve? Answer that question. Then- just as Kayne suggested- customize your feeds as well as you can to your particular organization. And- just as Kayne suggested- ensure that you are getting information which is actionable.
Dennis Leber, CISO, University of Tennessee
"Review your program and look at how you're operationalizing that program. Look at what you're doing with the data. You know how to improve. Look for opportunities to improve on what you're doing already, and then share it, share your best practices with your peers and other companies."
No matter what you do- once you have your threat intelligence working for you. A great final point by Dennis- share with your peers. The cyber security community is stronger and safer when collaboration occurs.