It wouldn't be a stretch to call 2015 the year of threat intelligence. In February, President Obama signed an executive order at a cybersecurity event held at Stanford University that encourages and promotes threat intelligence sharing between the private sector and the federal government. Meanwhile, the U.S. Congress has introduced several threat sharing bills of its own. And at the annual RSA Security Conference in April, threat intelligence was clearly one of the primary topics of discussion among cybersecurity professionals, technology vendors, and government representatives.
Yup, there's a lot of jawboning going on about threat intelligence, but it's not just idle industry chatter – large organizations are actively adopting formal threat intelligence programs and consuming threat intelligence feeds. According to a recent ESG research report on enterprise organizations (i.e. those with more than 1,000 employees), 41% use 6 to 10 different threat intelligence sources as part of their threat intelligence program, 21% use 11 to 20 different sources, and 7% use more than 20 different sources (note: I am an ESG employee).
So enterprises have threat intelligence programs in place, but what do organizations really want to accomplish with these threat intelligence programs? ESG asked 304 enterprise cybersecurity professionals this very question. The research reveals that:
- 38% of organizations want to use threat intelligence programs to improve automated incident prevention. In other words, they want to consume and analyze external threat intelligence and then modify internal security controls to counteract new types of threats. I've seen this type of threat prevention activity between integrated cybersecurity orchestration platforms (ICOPs) like Resilient Systems and endpoint security software from vendors like Bit9.
- 33% of organizations want to use threat intelligence programs to automate security operations and remediation activities. This is aligned with automated remediation but more focused on the people and process aspects. So think of some type of automated handoff from the security analyst team to IT operations or from threat management integration platforms to trouble ticketing systems from ServiceNow or Remedy.
- 28% of organizations want to use threat intelligence programs to establish a central threat intelligence service to guide the cybersecurity activities of smaller units within the organization. This is a security analogue to historical initiatives like data center consolidation. In many organizations, threat intelligence is purchased and consumed by a wide variety of individuals and groups. To gain economies of scale and establish threat intelligence centers of excellence, CISOs want to centralize threat intelligence programs, standardize processes, and concentrate their investments in people, training, and technology. Threat intelligence program consolidation represents a great opportunity for vendors like BrightPoint or the Threat* gang (i.e. ThreatConnect, ThreatQuotient, ThreatStream, etc.). Do-it-yourselfers may also want to look at MITRE's open source Collaborative Research Into Threats (CRITs) platform.
- 26% of organizations want to use threat intelligence programs to improve risk management efficiency and effectiveness. So CISOs want to use threat intelligence to improve risk management metrics and mitigation actions. BitSight and Risk I/O align closely with this aim. Infosec pros may also want to pay attention to developments with the NIST cybersecurity framework with regard to threat intelligence and risk management.
- 25% of organizations want to use threat intelligence programs to improve incident detection. When FireEye, Palo Alto Networks, Symantec, or Trend Micro malware detection systems detect a malicious file, SOC personnel want to use threat intelligence to compare internal threat telemetry (file hashes, destination IPs, domains) to "in-the-wild" information about indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), cyber-attacks, and threat actors.
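The two automation goals above (automated incident prevention and improved incident detection) come down to the same plumbing: ingest an external feed, normalize it, match it against internal telemetry, and push only the indicators you trust into controls. The script below is an added example written for this post, not code from ESG or from any of the vendors named; the feed format, the telemetry field names (`dst_ip`, `domain`, `sha256`, `md5`) and all indicator and log values are constructed for illustration. It also handles two edge cases a practitioner hits on day one: defanged values in shared intel (`198.51.100[.]23`) that will never match raw logs unless normalized, and low-confidence indicators that should be reported but not auto-blocked.

```python
"""Added example: feed ingestion, IoC matching (detection) and control updates
(prevention). All feed lines and telemetry events below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed: "type,value,confidence,source" per line. Values are
# deliberately mixed-case and defanged, and one line is malformed on purpose.
FEED = """\
ipv4,198.51.100[.]23,90,feed-a
domain,update.example-bad[.]net,80,feed-b
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,95,feed-a
ipv4,203.0.113.9,40,feed-c
md5,d41d8cd98f00b204e9800998ecf8427e,70,feed-b
ipv4,not-an-ip,50,feed-c
"""

# Constructed telemetry: proxy and endpoint events already parsed into dicts.
TELEMETRY = [
    {"source": "proxy", "host": "intranet-pc-17", "dst_ip": "198.51.100.23"},
    {"source": "proxy", "host": "intranet-pc-04", "domain": "UPDATE.example-bad.net"},
    {"source": "endpoint", "host": "build-02",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"source": "proxy", "host": "intranet-pc-17", "dst_ip": "192.0.2.5"},
    {"source": "endpoint", "host": "build-02", "md5": "0" * 32},
]

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
# Assumed mapping from telemetry field name to indicator type.
FIELD_KINDS = {"dst_ip": "ipv4", "domain": "domain",
               "sha256": "sha256", "sha1": "sha1", "md5": "md5"}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    confidence: int
    source: str


def refang(value: str) -> str:
    """Undo common defanging and case so feed values compare equal to raw logs."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def validate(kind: str, value: str) -> bool:
    """Reject indicators that cannot be what they claim to be."""
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) is not None
    if kind in HASH_LENGTHS:
        return re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[kind], value) is not None
    return False


def parse_feed(text: str) -> list:
    """Parse the feed; malformed lines are skipped rather than aborting ingestion."""
    indicators = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        kind, raw, conf, source = parts
        value = refang(raw)
        if not conf.isdigit() or not validate(kind, value):
            continue
        indicators.append(Indicator(kind, value, int(conf), source))
    return indicators


def match_telemetry(indicators: list, events: list) -> list:
    """Detection: return one hit per telemetry observable that is a known IoC."""
    lookup = {(i.kind, i.value): i for i in indicators}
    hits = []
    for event in events:
        for field, kind in FIELD_KINDS.items():
            observed = event.get(field)
            if observed is None:
                continue
            ind = lookup.get((kind, refang(observed)))
            if ind is not None:
                hits.append({"host": event["host"], "field": field, "value": ind.value,
                             "confidence": ind.confidence, "source": ind.source})
    return hits


def build_control_updates(indicators: list, min_confidence: int = 75) -> dict:
    """Prevention: turn trusted indicators into block-list entries per control.
    Anything below min_confidence is left for analysts, not auto-blocked."""
    updates = {"firewall_deny": [], "dns_sinkhole": [], "endpoint_block_hashes": []}
    for ind in indicators:
        if ind.confidence < min_confidence:
            continue
        if ind.kind == "ipv4":
            updates["firewall_deny"].append(ind.value)
        elif ind.kind == "domain":
            updates["dns_sinkhole"].append(ind.value)
        elif ind.kind in HASH_LENGTHS:
            updates["endpoint_block_hashes"].append(ind.value)
    return updates


if __name__ == "__main__":
    inds = parse_feed(FEED)
    for hit in match_telemetry(inds, TELEMETRY):
        print("HIT", hit)
    print("CONTROL UPDATES", build_control_updates(inds))
```

Run as-is it reports three hits (the defanged IP, the mixed-case domain and the uppercase hash all match after normalization) and proposes block entries only for the three indicators at or above confidence 75; the 40-confidence IP and the 70-confidence MD5 stay in the detection path but out of the firewall and endpoint block lists. In a real deployment the `build_control_updates` output is what an orchestration platform would hand to the firewall, DNS and endpoint controls described above.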
These threat intelligence program goals demonstrate that many organizations are on the right track, but as I indicated in my last blog, the majority of enterprise threat intelligence programs today are a work in progress. Over the next few years, CISOs will have to figure out how to achieve these objectives, operationalize their threat intelligence programs, and move from threat intelligence consumption to threat intelligence sharing.