Sandell says that without an understanding of threats, cyber teams rely on reactive, assurance-based security controls. “Having access to quality threat intelligence allows them to proactively remediate any security control gaps — hopefully before the threats eventuate in their environment.”
CTI comes to CISOs from various channels; some intel is free, and much of it is fee-based. Although some CISOs have the resources to gather their own threat intel, most obtain it from government agencies, researchers, and ISACs. CISOs also buy threat intelligence from commercial cybersecurity companies; vendors provide that intel through feeds and reports and/or through automated updates to the technologies and services they sell to security teams.
Operationalizing threat intel is key to a defense strategy
Experienced CISOs, security researchers and other security leaders say the availability of and access to threat intel aren’t issues — nor are they the reasons behind the survey findings indicating no or limited threat intel within some organizations.
The real issue, experts say, lies in whether and how well security teams can operationalize threat intel. The use of threat intel happens in three ways, says Forrester principal analyst Brian Wrozek.
The first is tactical, a use that’s often automated. For example, security tools that block dangerous IP addresses are automatically updated as the tool makers get intel about new addresses deemed problematic.
The second is operational, a step up on the security maturity scale, where CISOs and their teams are using intel to inform their incident responses. For example, intel can inform a team about what next steps to expect if they see a certain type of threat within their environment.
The third is strategic, which is the most sophisticated use of threat intel. This is where CISOs integrate intel with the threat landscape, their IT environment, their organization and their industry to shape strategic decisions within the security function and for the organization overall.
Making intel a part of everyday security operations
It’s in the latter two areas where many CISOs aren’t yet effectively using threat intel. “Threat intel is not part of the everyday operations of CISOs,” says Sergio Tenreiro de Magalhaes, chief learning officer at Champlain College Online and an associate professor of cybersecurity and digital forensics.
Yet it’s in these two areas that threat intel can deliver significant advantages, as threat intelligence enables organizations to more accurately prioritize their limited security resources, better prepare their defenses and make smarter decisions about where to go next.
Urbanowicz says such applications of threat intel are essential for creating a “threat-informed defense.”
“CISOs have to prioritize on what matters most to them, their sector and their industry, because there’s not a budget to do all things or cover all bases,” he says, explaining that threat intel gives CISOs the perspectives needed to do that. “We want to look at trends, which direction are threat actors moving in, what are those trends telling us about the future, and how all those things that a threat actor is doing informs us about what we need to be doing.”
Jason Rader, vice president and CISO of Insight and a former executive with RSA, the security division of EMC, says threat intel allowed his team to prevent any potential incidents following the disclosure of critical vulnerabilities within Apache Log4j.
He says having a team that has operationalized the use of threat intel “is almost the definition of going from reactive to proactive; it’s about preventing the fires, not just fighting them.”
Others agree with that assessment.
“While not using threat intelligence doesn’t guarantee a security incident, it can leave an organization less prepared and more vulnerable to cyber threats,” adds Bryon Hundley, vice president of intelligence operations with the Retail & Hospitality ISAC.
“The consequences of not using threat intelligence can include a lack of visibility into emerging threats, slower detection and response, ineffective incident response, compliance risk, and financial loss. Also, threat actors use their own form of threat intelligence so it’s in the best interest of organizations to do the same.”
Boosting threat intelligence capabilities
Like much in security, making effective use of threat intel at all three tiers — tactical, operational, and strategic — is easier said than done, with veteran security leaders saying CISOs typically face myriad challenges in their efforts on this front.
As is often the case in cybersecurity, challenges in getting the right talent for this task are a top barrier to success, Urbanowicz says. CISOs generally focus on hiring technically competent workers, and in most cases, that approach works. However, optimizing the value of threat intel requires analytical skills and situational awareness — skills that enable security teams to turn data into actionable items.
“Threat intelligence is a little bit more of a qualitative state; it requires a more analytical mindset — and [workers with that mindset] are not the first ones to be hired,” Urbanowicz says.
That security talent also needs enough insight into the organization’s IT environment, business operations, strategy and sector. Those insights allow the intel analysts to, first, identify which threat intelligence feeds and reports matter most to the organization and, second, home in on the data within those intelligence reports that’s most meaningful for the organization and its unique security posture.
The security team then needs to know what to do with those nuggets of intelligence — whether that means fine-tuning a security information and event management (SIEM) system, investing in new tools that better target the identified threats or adjusting business strategy in response to a changing threat landscape.
Tenreiro de Magalhaes says CISOs often face an overarching barrier as they try to tackle these other challenges: that is, getting the funding required to purchase the intelligence reports and to pay for the staff required to make use of the intelligence.
“Cyber teams are generally flat out trying to keep an organization safe and respond to ongoing operational demands, [so] it’s very easy for a task like this to get deprioritized,” Sandell adds.
But that de-prioritization may not be an option much longer, says Wrozek, the Forrester analyst, explaining that the effective use of threat intel “is becoming more and more a requirement for your security program.”
CISOs seem to have gotten the message.
A majority of CISOs are boosting their threat intelligence capabilities this year, with Forrester Research reporting that nearly two-thirds of surveyed security decision-makers increased their spending on such technologies from 2022 to 2023.
Forrester also found in its 2022 Security Survey that 22% of security technology decision-makers identified improving threat intelligence capabilities as a top tactical IT security priority — making it No. 3 on the list of top IT security tactical priorities.
“There are so many threats out there. How do you make sense of it all? How do you prioritize?” Wrozek says. “You prioritize and you improve decision-making based on intel.”