As cybersecurity threats have become increasingly sophisticated, it’s become impossible to identify and defend against every probable attack with traditional security budgets. That’s where threat intelligence comes in. Effective use of threat intelligence is a way for businesses to pool their resources and overcome internal technical or resource limitations. Theoretically, it allows companies to “crowd source” security and stay one step ahead of malicious entities.
Unfortunately for many organisations, disjointed security solutions and departmental silos have made threat intelligence hard to implement across the organisation and, consequently, ineffective. Without the means to make threat intelligence actionable, it’s just data.
The challenges are two-fold: technical silos and a lack of cooperation “across the aisle”, driven by the fact that actionable intelligence can mean different things to different stakeholders. It’s more important than ever that organisations find ways to work across silos, break down barriers to success and align stakeholders to better utilise threat intelligence.
While these are all very real challenges, there are some steps you can take right now to begin breaking down silos and enable threat intelligence to flow more freely throughout your organisation:
- Identify Integration Opportunities: Depending on an organisation’s maturity level and existing technology investment, the first step may be to identify opportunities for tighter technology integration and the automation of threat intelligence feeds. Automating information sharing across stakeholders ensures an organisation’s governance rules are followed and removes delays introduced by human operators and processes.
- Find Your Stakeholders: Take an internal census and identify the stakeholders who might have knowledge, data and expertise to facilitate threat intelligence sharing. In addition, identify who might need to consume that information quickly in order to secure critical assets. Without a full accounting of your internal stakeholders, assets and capabilities, it will be hard to get an effective plan in place.
- Uncover Efficiencies: Often the internal census above will reveal duplicate needs for threat intelligence feeds across the organisation, allowing for mutually beneficial opportunities for streamlining intelligence sharing. This can be the basis for a larger transformational business case, such as being able to reduce human resource requirements in multiple areas at once, which will be readily accepted regardless of the metrics used to measure success.
- Tap into All Domains: Depending on your organisation’s industry, mission, structure and culture, you will need multiple domains/dimensions of threat intelligence to meet stakeholder needs. This means not only sharing actionable intelligence across domains, but also having multiple sources of threat intelligence, or a rating system to score various intelligence sources. Taking action based on bad intelligence could be worse than taking no action.
- Set the Right Governance Models: A prohibition on certain actions based on a sole source of intelligence is warranted. Having these policies in place prior to an incident will help guide operations when an organisation is under stress. Not all feeds are created equal. Open-source feeds, consolidated feeds and premium feeds should be evaluated against your organisation’s mission and scored based on reliability, asset value and overall cost of ownership (subscriptions, platforms, bandwidth, etc.).
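
The sole-source rule and the source rating described in the last two steps can be expressed as an automated check. The sketch below is an added example, not code from the original article; the feed names, the 0-1 reliability scale, the `origin` field, the blocking threshold and the way confidence is combined are all assumptions made for illustration.

```python
from math import prod

# Constructed feed catalogue. "origin" records where a feed's data really comes
# from, so a consolidated feed that republishes an open-source list is not
# counted as independent corroboration of that list.
FEEDS = {
    "oss-list":     {"reliability": 0.5, "origin": "oss-list"},
    "aggregator":   {"reliability": 0.6, "origin": "oss-list"},
    "premium-feed": {"reliability": 0.9, "origin": "premium-feed"},
}

# Constructed sightings (indicator, reporting feed), using documentation ranges.
SIGHTINGS = [
    ("198.51.100.7", "oss-list"),
    ("198.51.100.7", "aggregator"),
    ("203.0.113.9", "oss-list"),
    ("203.0.113.9", "premium-feed"),
    ("192.0.2.44", "premium-feed"),
]

BLOCK_CONFIDENCE = 0.9   # assumed governance threshold for automated blocking
MIN_ORIGINS = 2          # sole-source intelligence never triggers a block


def evaluate(sightings, feeds=FEEDS):
    """Return {indicator: (action, confidence, independent_origins)}."""
    by_indicator = {}
    for indicator, feed in sightings:
        if feed not in feeds:          # unrated feed: ignore until it is scored
            continue
        origin = feeds[feed]["origin"]
        rating = feeds[feed]["reliability"]
        origins = by_indicator.setdefault(indicator, {})
        # Several feeds sharing one origin count once, at the best rating.
        origins[origin] = max(origins.get(origin, 0.0), rating)

    decisions = {}
    for indicator, origins in by_indicator.items():
        # Assumed combination rule: chance that at least one origin is right.
        confidence = 1 - prod(1 - r for r in origins.values())
        corroborated = len(origins) >= MIN_ORIGINS
        action = "block" if corroborated and confidence >= BLOCK_CONFIDENCE else "alert"
        decisions[indicator] = (action, round(confidence, 2), len(origins))
    return decisions


if __name__ == "__main__":
    for indicator, decision in evaluate(SIGHTINGS).items():
        print(indicator, decision)
```

Note that `192.0.2.44` reaches the confidence threshold yet is only alerted on, because a single origin reported it, and that two feeds sharing one origin do not corroborate each other.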