Actionable threat intelligence — often repeated but rarely realized

Shimon Modi
Published in TruSTAR Blog
Sep 13, 2016

It’s rare to hear discussions about “cyber threat intelligence” that aren’t accompanied by the words “actionable” or “proactive”. You will be hard-pressed to find anyone who doesn’t think these are worthy objectives, and equally unlikely to find someone who says they are close to achieving them. The spate of ransomware attacks on healthcare providers in the first half of 2016 is a clear example of organizations not being able to take action based on the threat intelligence available to them.

And this is not for a lack of investment in cyber threat intelligence by enterprises. A Ponemon Institute research survey of security respondents found that 45% of respondents were increasing the amount of threat intelligence they ingest, but only 8% found it timely and only 11% found it actionable. Add to this the findings of a recent SANS Threat Intelligence Survey, in which most consumers of cyber threat intelligence receive standalone, human-readable reports of observed incidents rather than machine-readable information that can be readily operationalized, and we start to understand some of the symptoms behind why it takes companies an average of 146 days to detect a breach. But the fundamental question still remains: despite the increasing number of ISAOs and standardization efforts aimed at improving the security posture of organizations, why aren’t we making more progress?

At TruSTAR we like to think of intelligence data in terms of context relevance and temporal relevance (see Figure 1).

Figure 1. Current State of Intelligence Exchange

If we look at the current state of intelligence exchange using this framework, the large majority of threat data feeds, vendors and platforms cluster in the band that runs diagonally from the upper left to the lower right. Threat feeds and vendors that focus on speed of dissemination aren’t always able to provide the context necessary for the data to be actionable, and they typically occupy the space in the bottom right. When enterprises do receive enough context to take action, it arrives as an advisory or after-action report that is difficult to operationalize, or it’s too late to take proactive measures (top left).

When we talk to security analysts, most agree that some of the most useful data available today concerns incidents that are active and being analyzed. We also know that security analysts are often ready to share, but they are hamstrung by corporate policies that do not let them, for fear of the reputational and market risks associated with disclosing a cyber incident. (For more on how the Cybersecurity Act of 2015 addresses legal risks, please see our e-book.) Until we address market and reputational risks, it is improbable that enterprises will start exchanging active intelligence at the speed at which attacks are spreading.

Until then, enterprises will continue addressing cyber incidents in isolation, multiple companies will keep getting hit by attacks using the same infrastructure, and the RoI for recycled attacks will continue to increase.

ISACs, ISAOs and other information sharing groups are a critical organizational function and help drive us toward a solution. These organizations promote best practices and means of addressing sector-specific challenges. However, we lack a discussion about the technology required to underpin the secure exchange of incident data between parties while managing risk and providing an immediate return. At TruSTAR we believe innovative uses of technology to redact, anonymize, and retain governance over incident reporting can give organizations the confidence to incorporate intelligence exchange into their incident response process.
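As an added illustration of the redact-and-anonymize step the paragraph above alludes to (this is example code written for this page, not TruSTAR’s or any product’s implementation), the Python below takes an incident write-up and replaces the reporting organization’s own user addresses, hostnames and internal IP addresses with keyed, consistent tokens, while leaving the external indicators other parties need (the attacker’s address and the payload hash) untouched. The token-to-asset mapping stays with the reporter, which is the “retain governance” part. The sample report, the `corp.example` domain, the choice of RFC 1918 ranges as “internal”, and the key are all constructed assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample incident report; every identifier and value in it is made up.
SAMPLE_REPORT = (
    "Incident INC-0042: phishing mail received by alice@corp.example on host ws-fin-07.corp.example.\n"
    "Host ws-fin-07.corp.example (10.20.4.15) then beaconed to 203.0.113.45:443.\n"
    "Dropped payload sha256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b\n"
    "Lateral attempt from 10.20.4.15 to fileserver fs01.corp.example (10.20.1.2) was blocked.\n"
)

# Assumptions for the example: these domains and RFC 1918 ranges are "ours".
# A real deployment would load them from the organization's asset inventory.
INTERNAL_DOMAINS = ("corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[\w-]+\b")


def _host_re(domains):
    # Matches any hostname that ends in one of the organization's own domains.
    alt = "|".join(re.escape(d) for d in domains)
    return re.compile(r"\b(?:[\w-]+\.)+(?:" + alt + r")\b")


def is_internal_ip(text):
    """True only for addresses inside the organization's declared internal ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonym(value, key):
    """Stable, keyed token for an internal identifier: the same value always yields the
    same token, so recipients can correlate events within (and across) reports, but the
    token cannot be reversed without the key held by the reporting organization."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:10]


def redact_report(text, key, internal_domains=INTERNAL_DOMAINS):
    """Return (shareable_text, mapping).

    The mapping (token -> real asset) never leaves the reporting organization; it lets the
    reporter answer a partner's follow-up question about a token without re-disclosing the asset.
    """
    mapping = {}

    def sub_with(kind, raw):
        token = f"[{kind}-{pseudonym(raw, key)}]"
        mapping[token] = raw
        return token

    def email_repl(m):
        domain = m.group(0).rpartition("@")[2]
        if domain.lower() in internal_domains:
            return sub_with("user", m.group(0))
        return m.group(0)  # external sender addresses are indicators; keep them

    def host_repl(m):
        return sub_with("host", m.group(0))

    def ip_repl(m):
        ip = m.group(0)
        return sub_with("ip", ip) if is_internal_ip(ip) else ip  # external IPs stay visible

    # Emails first, so the domain part of an internal address is never matched as a hostname.
    text = EMAIL_RE.sub(email_repl, text)
    text = _host_re(internal_domains).sub(host_repl, text)
    text = IPV4_RE.sub(ip_repl, text)
    return text, mapping


if __name__ == "__main__":
    shareable, local_map = redact_report(SAMPLE_REPORT, b"example-key-kept-on-premises")
    print(shareable)
    print("kept locally:", local_map)
```

Because the tokens are keyed and consistent, a partner who sees the same `[ip-…]` token in two sentences of the report can still reconstruct the sequence of events (initial host, then lateral attempt) without learning the real address, which is the minimum context an analyst needs to act on someone else’s incident. The same idea extends to usernames, ticket numbers, or any other field the organization classifies as sensitive.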

We would love to hear your thoughts on this blog and how it fits into your overall view of today’s state of cybersecurity — please feel free to comment!
