11 keys to maximizing value from cyber threat intelligence

November 10, 2016, 4:00am EST

Taking advantage of intelligence on cyber challenges

Nothing haunts CIOs, information security officers, and data professionals more than the fear of a data breach. Technology tools and data practices aren’t enough to truly prevent hacking, but the following steps will help health IT executives mitigate the risk.

What is cyber threat intelligence?

“Cyber Threat Intelligence (CTI) is timely, accurate and actionable threat, vulnerability and incident information that highlights indicators of compromise,” says Omo Osagiede, director and independent security consultant with Borderless-I Consulting, and a member of ISACA. “The object of a CTI strategy should be to improve your overall cyber security posture through situational awareness of, and targeted response to, security threats including malware, insider threat, espionage, hacktivism, cybercrime and other emerging threats.” Chief information security officers should be answering the following questions to best guard against cyber threats, Osagiede says.

How do I select the best threat intelligence vendors for my organization?

“The answer depends on your organization’s threat landscape,” Osagiede explains. “Working out your key threat actors (e.g., internal threats vs. nation-states) and threat vectors beforehand will point you towards the type of CTI feeds you need. Before purchasing, challenge vendors on the breadth, depth and industry relevance of their intelligence feeds.”

How do I make sense of CTI without drowning in a sea of data?

“With the volume of information available from threat intelligence sources, including open source intelligence (OSINT), vendors, and public and private sharing platforms, employing the use of big data analytics and visualization techniques is expedient,” Osagiede says.

Do we have the right skills in-house to analyze all this data?

“Organizations often make the mistake of thinking that CTI is only needed at the technical level,” Osagiede stresses. “In reality, the right mix of CTI skills should include both technical (such as SOC analysts responsible for tactical security incident response) and nontechnical skills (for example, analysts who understand business priorities and are able to use CTI for strategic risk management).” He offers the following suggestions as best practices around cyber threat intelligence.

Have a documented risk-based CTI strategy

“Understand your cyber threat landscape and determine what CTI feeds you need on that basis,” Osagiede says. “Additionally, document how CTI will be obtained, how frequently it will be collected, who will consume it and what they are expected to do with it.”

Establish communication channels between CTI and business intelligence functions

“Do not lose sight of the operating environment when collecting and analyzing threat intelligence,” Osagiede says. “External business factors could provide additional insight into cyber threats and could help shape your CTI strategy.”

Expect to pay for good threat intelligence

Paraphrasing the words of Sun Tzu, when winning matters to you, “do not begrudge the outlay of a hundred ounces of silver for foreknowledge about your enemy,” Osagiede advises.

Have a management-approved process for sharing intelligence

“When it comes to CTI, the growing refrain is ‘one for all and all for one.’ No one is an island these days,” Osagiede notes.

Understand that you can’t buy institutional knowledge

“The best CTI resources are often those who already understand how your business works and who can bring that knowledge to bear on the analysis of CTI. Consider up-skilling internal resources before hiring externally,” Osagiede stresses.

Plan to act upon threat intelligence; don’t just collect it

“To get the best answers from CTI, we must first ask the right questions of the data,” Osagiede says. “Establishing CTI requirements upfront and anticipating changes to those requirements are important aspects of any strategy.”

Realize CTI may not make sense immediately

“Achieving the right balance between collection, analysis and delivery of actionable intelligence will take time,” Osagiede cautions.

Plan so that third-party IT suppliers complement your CTI strategy

“Every technology provider you use is part of your CTI strategy,” Osagiede says.

Reap the benefits of a clear cyber threat intelligence strategy

“In a recent global survey of security executives, 36 percent of respondents stated that they did not have a threat intelligence program, with a further 30 percent only having an informal approach, while only 5 percent said that their organization had achieved an advanced threat intelligence function,” Osagiede concludes. “Having a clear CTI strategy could improve these stats and help organizations improve their anticipation and response to threats.”