How does threat intelligence impact my security posture?

Keep your friends close, but your enemies closer. That’s good advice not just for palace intrigue, but for those in enterprise security as well.

In an era of changing and ever-present cyber attacks, every business should know where its risks lie. You need to understand your potential enemies so you can anticipate how and where they’ll attack, determine your likelihood of getting hacked, and prepare your response for when you inevitably become a target.

Threat intelligence is necessary to develop a picture about attacks and attackers—before they threaten your business—so you can be prepared if and when they do attack. 78 percent of security professionals believe that threat intelligence is necessary to build a strong security posture, according to a survey conducted last year by the Ponemon Institute.

Yet, while many companies claim they offer threat intelligence, the data feeds that they provide can create more problems than they solve. 70 percent of security professionals found that too much data is created by threat intelligence feeds for them to be useful or actionable. Only a quarter of security professionals thought that they were using threat data to effectively combat attackers.

Companies need timely, pertinent threat information that is applicable to their businesses and the data they process. Here are some ways to get that:

1. Focus not on the global picture, but on specific effects

Threat intelligence should give a good overall picture of the attack trends that have the potential to affect your company. However, the information gleaned from threat data needs to be focused on the most significant risks to your particular business or organization.

Threat intelligence should be filtered through the lens of the actual technology in use at your company, which means you should have a clear idea of what your organization relies on. A business that doesn’t rely on Oracle databases, for example, can safely ignore vulnerabilities affecting, and threats targeting, that product. In addition, security teams need to assess the providers of the technology in use at their company. If the vendors or developers of the technology do not pay attention to and remediate the threats targeting their software, then the business should put pressure on them to do so.
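As an added illustration (not part of the original article), the sketch below triages a feed against an asset inventory so that only advisories touching deployed products and versions reach an analyst. The inventory, feed entries and advisory ids are constructed, and the parser assumes CPE 2.3 strings without escaped colons.

```python
"""Triage a threat feed against the technology actually deployed."""

# Constructed asset inventory: (vendor, product) -> deployed versions.
INVENTORY = {
    ("postgresql", "postgresql"): {"15.4"},
    ("nginx", "nginx"): {"1.24.0", "1.25.3"},
}

# Constructed feed entries; the ids are placeholders, not real advisories.
FEED = [
    {"id": "ADV-0001", "cpes": ["cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*"]},
    {"id": "ADV-0002", "cpes": ["cpe:2.3:a:nginx:nginx:1.24.0:*:*:*:*:*:*:*"]},
    {"id": "ADV-0003", "cpes": ["cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"]},
    {"id": "ADV-0004", "cpes": ["cpe:2.3:a:nginx:nginx:1.18.0:*:*:*:*:*:*:*"]},
    {"id": "ADV-0005", "cpes": ["not-a-cpe"]},
]


def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 string, or None."""
    parts = cpe.split(":")  # simplification: escaped colons are not handled
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        return None
    return parts[3].lower(), parts[4].lower(), parts[5]


def triage(feed, inventory):
    """Sort advisory ids into relevant, ignore, and review buckets."""
    result = {"relevant": [], "ignore": [], "review": []}
    for adv in feed:
        parsed = [parse_cpe(c) for c in adv["cpes"]]
        if not parsed or any(p is None for p in parsed):
            # Malformed product data goes to a human instead of being dropped.
            result["review"].append(adv["id"])
            continue
        hit = any(
            # "*" in the version field means the advisory covers any version.
            version == "*" or version in inventory[(vendor, product)]
            for vendor, product, version in parsed
            if (vendor, product) in inventory
        )
        result["relevant" if hit else "ignore"].append(adv["id"])
    return result


if __name__ == "__main__":
    for bucket, ids in triage(FEED, INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The quality of the result depends on the inventory: a product missing from it lands in the ignore bucket, so the inventory has to be kept current for the filter to be safe.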

2. Learn from your competition

Attackers often focus on a specific industry. Finance, health care, and power companies, for example, have all been targeted by specific groups. For that reason, it pays to be mindful of threats to your specific industry.

One possible way to develop such intelligence is to join an information sharing and analysis center (ISAC) or organization (ISAO). ISACs typically focus on critical-infrastructure groups—such as energy or finance—while ISAOs focus on specific sub-segments of the industry, such as credit card processors or hospitals.

Such groups, however, rely on you to provide data on the threats that are targeting your network. While many groups have members who are content to just gather information, the most robust groups are those where members also freely share information on the threats they are seeing. While such sharing can set off alarm bells of concern for business executives, security professionals can develop smaller, closer-knit networks within their own industry.

3. Lean on your security community

Perhaps the most useful way to consume threat intelligence is to derive insights from your peers—intelligence created by humans for humans. Comparing notes with your security peers helps you better interpret threat data and provides the context necessary to shape your security program design to address new threats.  

While many vendors turn to intelligence feeds coupled with features to analyze and react to machine-readable data, that data on its own can present an incomplete and fragmented picture unless you provide the context to make it actionable.