Shawn P. Murray knows firsthand the importance of putting threat intelligence to good use. Murray was advising a defense contractor for the US government when information from a threat intelligence report raised a red flag.
Based on the data, Murray ferreted out a problem in the company’s supply chain, identifying that a potential new vendor that purported to be Canadian was actually headquartered in Russia and linked to organized crime. The intel further indicated that any data shared with that vendor would ultimately end up in Russian servers.
“Through threat intel we were able to thwart a significant issue,” says Murray, now president and chief academic officer at Murray Security Services and president of the Information Systems Security Association’s international board of directors.
Although Murray’s experience may be unique, the value he puts on threat intel is not.
CISOs say they’re falling short in the use of threat intel
Many CISOs have been using threat intelligence — or more specifically cyber threat intel — for years, recognizing that the additional data about the threat landscape can help them better prepare for and defend against bad actors.
However, a significant percentage of CISOs say they’re falling short in their use of threat intelligence. A Searchlight Cyber March 2023 report found that 93% of CISOs polled are concerned about dark web threats, but 21% of CISOs have no threat intelligence capability at all.
And an Enterprise Strategy Group’s March 2023 report noted that 46% of CISOs do not consume cyber threat intelligence reports on a regular basis.
Those figures, security leaders say, only provide a glimpse at what’s going on. They say the real issue isn’t whether CISOs have access to or even receive intelligence, stressing that nearly all security teams have some threat intel built into the security tools and services that are now standard in all organizations.
Rather, the question is whether CISOs are effective in using the threat intel they do receive and to what degree they can operationalize the intelligence.
“That’s where we see issues — around the effectiveness of threat intelligence use,” says Kevin Urbanowicz, leader for the Cyber Detect & Respond advisory solution area in Deloitte’s Cyber & Strategic Risk practice.
“That operationalizing is an area where there is a gap in some organizations, and it’s an unfortunate missing piece of the puzzle as organizations seek to get to the next level [in their security program].”
Threat intel relies on ‘timely, accurate and relevant information’
CISOs, like all executives, take information from a multitude of sources to help them make decisions and formulate plans. Cyber threat intelligence (CTI) is simply one piece of that information stream, but it has some unique qualities and value, according to security leaders.
“Cyber threat intelligence is timely, accurate and relevant information on cyber threats that CISOs can use to evaluate their internal priorities and focus efforts around relevant risks,” says David Sandell, CEO of CI-ISAC Australia, an information sharing and analysis center serving the country’s critical infrastructure sector.
“There are a lot of misnomers around what is and isn’t threat intelligence,” Sandell adds, noting that “the majority of information sold or gathered as ‘intelligence’ is in fact data or information. To be classified as intelligence, the information needs to be augmented with context (the ‘so what?’) so that it can be effectively used to manage risk.”
As Sandell explains, not every threat is a risk. Thus, CISOs need situational awareness of the various threats so they can assess them in relation to their environment and their security controls. That then tells them what their residual risks or exposure are.
Context is key to threat intel
“This then informs how they prioritize response efforts,” Sandell says. “Threat intelligence enables teams to assess relevant threats to their organization and, to the points above, make informed decisions on what needs to be done. Context is key to usable threat intelligence — What’s the threat? How does it eventuate? How complex is it to enact? Who is responsible? Am I likely to be targeted? Am I vulnerable?”
Sandell says that without an understanding of threats, cyber teams rely on reactive, assurance-based security controls, “having access to quality threat intelligence allows them to proactively remediate any security control gaps — hopefully before the threats eventuate in their environment.”
CTI comes to CISOs from various channels; some intel is free, and much of it is fee-based. Although some CISOs have the resources to gather their own threat intel, most obtain it from government agencies, researchers, and ISACs. CISOs also buy threat intelligence from commercial cybersecurity companies; vendors provide that intel through feeds and reports and/or through automated updates to the technologies and services they sell to security teams.
Operationalizing threat intel is key to a defense strategy
Experienced CISOs, security researchers and other security leaders say the availability of and access to threat intel aren’t issues — nor are they the reasons behind the survey findings indicating no or limited threat intel within some organizations.
The real issue, experts say, lies in whether and how well security teams can operationalize threat intel. The use of threat intel happens in three ways, says Forrester principal analyst Brian Wrozek.
The first is tactical, a use that’s often automated. For example, security tools that block dangerous IP addresses are automatically updated as the tool makers get intel about new addresses deemed problematic.
The second is operational, a step up on the security maturity scale, where CISOs and their teams are using intel to inform their incident responses. For example, intel can inform a team about what next steps to expect if they see a certain type of threat within their environment.
The third is strategic, which is the most sophisticated use of threat intel. This is where CISOs integrate intel with the threat landscape, their IT environment, their organization and their industry to shape strategic decisions within the security function and for the organization overall.
Making intel a part of everyday security operations
It’s in those second two areas where many CISOs aren’t yet effectively using threat intel. “Threat intel is not part of the everyday operations of CISOs,” says Sergio Tenreiro de Magalhaes, chief learning officer at Champlain College Online and an associate professor of cybersecurity and digital forensics.
Yet it’s in these two areas that threat intel can deliver significant advantages, as threat intelligence enables organizations to more accurately prioritize their limited security resources, better prepare their defenses and make smarter decisions about where to go next.
Urbanowicz says such applications of threat intel are essential for creating a “threat-informed defense.”
“CISOs have to prioritize on what matters most to them, their sector and their industry, because there’s not a budget to do all things or cover all bases,” he says, explaining that threat intel gives CISOs the perspectives needed to do that. “We want to look at trends, which direction are threat actors moving in, what are those trends telling us about the future, and how all those things that a threat actor is doing informs us about what we need to be doing.”
Jason Rader, vice president and CISO of Insight and a former executive with RSA, the security division of EMC, says threat intel allowed his team to prevent any potential incidents following the disclosure of critical vulnerabilities within Apache Log4j.
He says having a team that has operationalized the use of threat intel “is almost the definition of going from reactive to proactive; it’s about preventing the fires, not just fighting them.”
Others agree with that assessment.
“While not using threat intelligence doesn’t guarantee a security incident, it can leave an organization less prepared and more vulnerable to cyber threats,” adds Bryon Hundley, vice president of intelligence operations with the Retail & Hospitality ISAC.
“The consequences of not using threat intelligence can include a lack of visibility into emerging threats, slower detection and response, ineffective incident response, compliance risk, and financial loss. Also, threat actors use their own form of threat intelligence so it’s in the best interest of organizations to do the same.”
Boosting threat intelligence capabilities
Like much in security, making effective use of threat intel at all three tiers — tactical, operational, and strategic — is easier said than done, with veteran security leaders saying CISOs typically face myriad challenges in their efforts on this front.
As is often the case in cybersecurity, challenges in getting the right talent for this task are a top barrier to success, Urbanowicz says. CISOs generally focus on hiring technically competent workers, and in most cases, that approach works. However optimizing the value of threat intel requires analytical skills and situational awareness — skills that enable security teams to turn data into actionable items.
“Threat intelligence is a little bit more of a qualitative state; it requires a more analytical mindset — and [workers with that mindset] are not the first ones to be hired,” Urbanowicz says.
That security talent also needs enough insights into the organization’s IT environment, business operations, strategy and sector, too. Those insights allow the intel analysts to, first, identify what threat intelligence feeds and reports matter most to the organization and, second, home in on the data within those intelligence reports that’s most meaningful for the organization and its unique security posture.
The security team then needs to know what to do with those nuggets of intelligence — whether that means fine-tuning a security event and information management (SEIM) system, investing in new tools that better target the identified threats or adjusting business strategy in response to a changing threat landscape.
Tenreiro de Magalhaes says CISOs often face an overarching barrier as they try to tackle these other challenges: that is, getting the funding required to purchase the intelligence reports and to pay for the staff required to make use of the intelligence.
“Cyber teams are generally flat out trying to keep an organization safe and respond to ongoing operational demands, [so] it’s very easy for a task like this to get deprioritized,” Sandell adds.
But that de-prioritization may not be an option much longer, says Wrozek, the Forrester analyst, explaining that the effective use of threat intel “is becoming more and more a requirement for your security program.”
CISOs seem to have gotten the message.
A majority of CISOs are boosting their threat intelligence capabilities this year, with Forrester Research reporting that nearly two-thirds of surveyed security decision-makers increased their spending on such technologies from 2022 to 2023.
Forrester also found in its 2022 Security Survey that 22% of security technology decision-makers identified improving threat intelligence capabilities as a top tactical IT security priority — making it No. 3 on the list of top IT security tactical priorities.
“There are so many threats out there. How do you make sense of it all? How do you prioritize?” Wrozek says. “You prioritize and you improve decision-making based on intel.”