In today’s world of escalating threats, criminals are always figuring out new ways to attack the enterprise and critical infrastructure. With two billion data records compromised in 2017, and more than 4.5 billion records breached in the first half of 2018 alone, businesses understand the absolute need to learn and think from the criminal’s perspective. And in response, many, if not most, are turning to threat intelligence.
A key challenge businesses are facing in this area, however, is the fact that the threat intelligence market has become oversaturated and full of snake oil. With more offerings to choose from than ever before—many of which are marketed in misleading ways—it can be exceedingly difficult for decision-makers to cut through the noise and determine what’s truly going to make a difference for them versus what’s just hype or a passing fad.
So how, exactly, are decision-makers supposed to determine this? There is no easy or definitive answer here, but what often helps is to consider what the most effective intelligence programmes have in common and then seek out vendor offerings that reflect those characteristics. And increasingly, what these programmes have in common is a multi-pronged approach that combines human expertise with the right technology and focuses not only on combating individual cyber-threats, but also on mitigating the risks posed by all types of threats—cyber, fraud, physical, insider, and others—across the business.
This type of approach requires business risk intelligence (BRI), which many consider to be the more strategic, holistic counterpart to traditional threat intelligence. Having worked in this industry for many years, I thought I would share some of the most helpful pieces of advice I’ve received from (and given to) decision-makers seeking to develop—and identify the right vendor offerings to support—an effective BRI programme:
Define your needs and objectives before seeking out vendors
To combat threats, it is necessary to really understand them. This means you need to be able to track adversaries across multiple types of unique and often hard-to-reach online communities, from elite forums and illicit marketplaces to chat service platforms and paste sites. Visibility into these types of sources will provide a unique understanding of what is out there and what you will be facing. But there are so many sources of threat and risk to a business that it is important to clearly define your needs and objectives before seeking out vendors to help satisfy them. Get as granular as possible. If, for example, you’re in the market for a vendor that offers threat activity or online community coverage, don’t assume every vendor marketed as such will provide the depth and breadth of coverage you need. Only after you’ve determined your intelligence requirements and the depth of sources needed to fulfil those requirements should you even think about evaluating vendors.
Community is key
Regardless of whether you’re new to threat intelligence or BRI, or if you already have a highly sophisticated programme in place, collaborating with your counterparts at peer organisations and other trusted experts can be highly beneficial. No intelligence programme is perfect, much less without challenges, and it’s important to remember that most of us in this industry are facing or have faced many of the same issues. By sharing what you’re dealing with—whether that might be difficulties establishing your intelligence requirements, getting the support you need from the C-suite, or choosing the right vendor, to name a few—you’re likely to encounter others who’ve been where you are and might even have insight into what you can do to end up where you want to be. A good place to start is with the ISACs; join whichever ISAC aligns best with your industry. There are many other information-sharing groups to consider as well, including ones that are industry-agnostic.
Don’t overlook the importance of the human touch
One of the biggest reasons why the threat intelligence market has grown so rapidly in recent years is that it’s become increasingly clear that many of the more traditional cybersecurity services businesses have long relied on to secure the perimeter won’t be able to outpace criminals forever. Criminals are always advancing their skills, evolving their tactics, and demonstrating their ability to evade detection and bypass the latest defences we implement to stymie them. Getting ahead of their antics requires more than just a firewall, intrusion detection system, or indicator of compromise (IoC) feed, among others. It necessitates a mix of human analysts and automated tools, whereby the analysts know what data to collect to gain insight into criminals’ agendas, can move collections capabilities to go where criminals go, and can rapidly analyse, refine, and contextualise that data to produce meaningful intelligence that enables decision-makers to understand these criminals, assess the risks they pose to the business, and make informed decisions based on what they’ve done in the past, what they’re doing now, and what they’re planning to do in the future.
Delivering meaningful intelligence, or BRI, like this is at the heart of what we do here at Flashpoint. But while our approach has always been fuelled by our human analysts and proprietary technology, it’s been resonating increasingly well with the market over the last few years as more businesses recognise that securing their assets and mitigating risk requires insight into how, why, and where criminals operate. As a result, I’m confident that in the short term, we’ll see an even greater appreciation of BRI and its methodology. The market right now is still very focused on educating buyers, many (if not most) of whom are relatively new to BRI, how it compares to traditional threat intelligence, and what it can enable them to achieve. But over the next year or so, we’ll continue to see these educational efforts give rise to more discerning buyers and a more mature understanding of where BRI fits within a broader security strategy and how it can deliver value across the enterprise. In the longer term, I sincerely believe—and hope—that nearly every organisation will have this type of intelligence function in their armoury.
Ian Schenkel, Vice President EMEA, Flashpoint