Five reasons threat intelligence fails today, and how to overcome them

Steps you can take now to break down silos and enable threat intelligence to flow throughout your organization


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

As cyber security threats have become increasingly sophisticated and pervasive, it’s become impossible to identify and defend against every probable attack with traditional security budgets. That’s where threat intelligence comes in. Effective use of threat intelligence is a way for businesses to pool their resources and overcome internal technical or resource limitations. Theoretically, it allows companies to “crowd source” security and stay one step ahead of malicious entities.

But that only holds true if it can be consumed as actionable intelligence. Unfortunately for many organizations, disjointed security solutions and departmental silos have made threat intelligence hard to implement across the organization and consequently, ineffective. Without the means to make threat intelligence actionable, it’s just data. Data won’t save your company from a targeted attack when human analysts are unable to quickly make use of it throughout decision support tools across the organization.

The challenges are two-fold: technical silos, and a lack of cooperation “across the aisle,” driven by the fact that actionable intelligence can mean different things to different stakeholders. For instance, cyber analysts, operations managers, incident responders, lawyers, auditors and business risk managers all have slightly different contextual lenses. They don’t have a lingua franca for risk, nor do they measure risk in the same way. However, today it’s more important than ever that organizations find ways to work across silos, break down barriers to success and align stakeholders to better utilize threat intelligence.

There are five common reasons threat intelligence fails today:

  1. Stakeholders are often limited by a “need to know” approach to intelligence. This is reasonable in many cases, as companies need to keep sensitive information protected. But, the reality is this makes it hard to identify whether someone needs to know an important piece of intelligence until after the fact. At that point, the threat intelligence is often useless.
  2. There’s often no technical way to share intelligence across boundaries and stakeholder communities. It’s a major challenge within many organizations, and especially large organizations where internal silos are deeper and more prevalent. How can we expect to share and implement competitor threat intelligence when it quickly falls into a myriad of internal silos?
  3. Companies may not see the obvious compelling business case to share threat intelligence. Without an organizational champion, an external regulatory obligation or compelling business case, the status quo wins the day – which means the entire organization will be too slow to act.
  4. There’s still a lack of trust between stakeholders, especially in the new world of globalization, cloud and “partnering.” Coupled with the pace of change and distributed teams, it is difficult to create the kind of working cultures that bridge boundaries.
  5. Finally, those problems are all stacked on top of the fact that cyber security technologies and techniques are still maturing – adding an additional layer of complexity to the cyber security dilemma.

While these are all very real challenges, there are some steps you can take right now to begin breaking down silos and enable threat intelligence to flow more freely throughout your organization:

* Identify Integration Opportunities: Depending on an organization’s maturity level and existing technology investment, the first step may be to identify opportunities for tighter technology integration and the automation of threat intelligence feeds. Automating information sharing across stakeholders ensures an organization’s governance rules are followed and removes delays introduced by human operators and processes.

* Find Your Stakeholders: Take an internal census and identify the stakeholders who might have knowledge, data and expertise to facilitate threat intelligence sharing. In addition, identify who might need to consume that information quickly in order to secure critical assets. Without a full accounting of your internal stakeholders, assets and capabilities, it will be hard to get an effective plan in place.

* Uncover Efficiencies: Often the internal census above will reveal duplicate needs for threat intelligence feeds across the organization, allowing for mutually beneficial opportunities for streamlining intelligence sharing. This can be the basis for a larger transformational business case, such as being able to reduce human resource requirements in multiple areas at once, which will be readily accepted regardless of the metrics used to measure success.

* Tap into All Domains: Depending on your organization’s industry, mission, structure and culture, you will need multiple domains/dimensions of threat intelligence to meet stakeholder needs. This means not only sharing actionable intelligence across domains, but also having multiple sources of threat intelligence, or a rating system to score various intelligence sources. Taking action based on bad intelligence could be worse than taking no action.

* Set the Right Governance Models: Relatedly, a prohibition on certain actions based on a sole source of intelligence is warranted. Having these policies in place prior to an incident will help guide operations when an organization is under stress. Not all feeds are created equal. Open-source feeds, consolidated feeds and premium feeds should be evaluated against your organization’s mission and scored based on reliability, asset value and overall cost of ownership (subscriptions, platforms, bandwidth, etc.).
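As an added illustration (not from the article or BT), here is how the last two points can be encoded as a triage rule: each feed carries a reliability rating, an indicator's confidence is the sum of ratings over the distinct feeds that report it, and sole-source intelligence is never acted on automatically. The feed names, ratings, threshold and indicator values are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed reliability ratings per feed (0.0..1.0); illustrative values, not from the article.
SOURCE_RELIABILITY = {
    "premium_feed": 0.9,
    "consolidated_feed": 0.7,
    "open_source_feed": 0.4,
}

# Governance threshold (assumption): automated blocking needs at least this weighted confidence.
AUTO_ACTION_THRESHOLD = 1.2


@dataclass
class Sighting:
    indicator: str
    source: str


def score_indicators(sightings):
    """Aggregate sightings per indicator: distinct reporting feeds and summed reliability."""
    per_indicator = {}
    for s in sightings:
        entry = per_indicator.setdefault(s.indicator, {"sources": set(), "score": 0.0})
        if s.source not in entry["sources"]:  # repeat reports from one feed add no confidence
            entry["sources"].add(s.source)
            entry["score"] += SOURCE_RELIABILITY.get(s.source, 0.0)  # unrated feeds count for nothing
    return per_indicator


def decide(entry):
    """Governance rule: sole-source intel goes to an analyst; corroborated, high-confidence intel may auto-block."""
    if len(entry["sources"]) < 2:
        return "review"  # prohibition on automated action based on a single source
    if entry["score"] >= AUTO_ACTION_THRESHOLD:
        return "auto_block"
    return "review"  # corroborated but low-reliability sources still need a human


def triage(sightings):
    return {ind: decide(entry) for ind, entry in score_indicators(sightings).items()}


# Constructed sample sightings (documentation-range addresses, not real IoCs).
SAMPLE = [
    Sighting("203.0.113.10", "premium_feed"),
    Sighting("203.0.113.10", "open_source_feed"),
    Sighting("198.51.100.7", "premium_feed"),
    Sighting("198.51.100.7", "premium_feed"),  # same feed twice: still sole source
    Sighting("192.0.2.55", "open_source_feed"),
    Sighting("192.0.2.55", "consolidated_feed"),
    Sighting("192.0.2.99", "unrated_feed"),
]

if __name__ == "__main__":
    for indicator, action in triage(SAMPLE).items():
        print(indicator, action)
```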

In the end, threat intelligence sharing is one of the best ways to ensure your organization can react more quickly and make better decisions in response to today’s rapidly changing threat landscape. Don’t wait for a top-down mandate or compelling event to get started: break down the walls and create the internal efficiencies you need to get the most out of this valuable resource.

BT is one of the world’s leading providers of communications services and solutions, serving customers in more than 170 countries. BT Security is building on 70 years’ experience of helping organizations around the globe and across all sectors get ahead of the threat curve and reduce the uncertainty and complexity of security. It provides an end-to-end capability to help organizations enjoy higher levels of security at a time when security budgets are not keeping pace with the threat landscape.


Copyright © 2015 IDG Communications, Inc.
