Threat intelligence programs need updating -- and CISOs know it
Most enterprise threat intelligence programs are in dire need of updating. Security executives need to formalize programs, automate processes and seek help from managed services.
CISOs are concerned about their organizations' threat intelligence programs and must address issues as soon as possible.
The evidence was clear in a 2023 research report published by TechTarget's Enterprise Strategy Group. In "Operationalizing Cyber-threat Intelligence," we asked 380 cybersecurity professionals about their organizations' cyberthreat intelligence programs. Of the total survey population, 106 respondents were CISOs who noted the following issues with their organizations' cyberthreat intelligence programs:
- Forty percent of CISOs strongly agreed it is hard to sort through threat intelligence noise to determine what's relevant to their organizations. This common problem often occurs when threat intelligence analysts aren't managed or guided appropriately. The result is producing academic reports with little application to cyberthreats to the organization.
- Twenty-two percent of CISOs strongly agreed it is difficult to gauge the quality of different threat intelligence feeds. Lacking adequate direction, threat analysts operate under a philosophy of "more is better" and saturate their organizations with threat intel data. Little wonder, then, why it's difficult to find the needles in the haystack.
- Forty-six percent of CISOs strongly agreed their cyberthreat intelligence programs are burdened by too many manual processes. In most cases, manual processes span the entire threat intelligence lifecycle, creating multiple bottlenecks.
- Twenty-two percent of CISOs strongly agreed it can be difficult to determine KPIs and success metrics for their threat intelligence programs -- in other words, how threat intelligence equates to real dollars. Businesspeople especially, but not limited to CFOs, are kind of keen on these types of metrics.
- Thirty-one percent of CISOs strongly agree their organizations don't have the staffing or skills to develop and manage a cyberthreat intelligence program that aligns with organizational needs. This is certainly at the heart of all these other issues.
Should fixing threat intelligence programs be a CISO priority? Yes. To quote Sun Tzu, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
In other words, knowing the tactics, techniques and procedures (TTPs) used by cyberadversaries in relation to your organization's assets and vulnerabilities is the key to effective cybersecurity defenses.
How to improve a threat intelligence program
According to the research, CISOs are on board. Two-thirds said they will increase their threat intelligence program budgets significantly over the next 12 to 18 months. Further, 97% said they use the Mitre ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
If your organization wants to operationalize Mitre ATT&CK and establish a Sun Tzu-like threat-informed defense, it must have a strong cyberthreat intelligence foundation.
CISOs tend to agree on the following three potential remedies:
- Formalize the threat intelligence program. Current programs are often based on tribal knowledge and haphazard methodologies that inevitably lead to inefficiencies. Recognizing this, CISOs want to reengineer the phases of the threat intelligence lifecycle: planning and direction, collection, analysis, production, dissemination and feedback. Based on my qualitative research, this means gathering the right input from technical and business constituents, rationalizing data sources, analyzing pertinent intelligence about known adversary groups targeting particular industries and regions, producing applicable reports and continuously enlisting feedback from all intelligence consumers.
- Automate manual processes. For effective threat intelligence, whatever can be automated should be automated. For example, automate and aggregate threat intelligence feeds, automate distribution of indicators of compromise for threat blocking, automate updated adversary TTPs to red teams and use generative AI to help produce timely threat reports. The goal is to make things easier for threat intelligence analysts by taking away as much grunt work as possible.
- Seek help from managed service providers. Few organizations have the threat intelligence chops of the National Security Agency, Goldman Sachs or Meta, and hiring experts isn't always a realistic option. In our research, 74% of CISOs said their organizations use managed services extensively to support their threat intelligence programs. Nearly one-quarter of CISOs said this is due to a lack of adequate in-house skills. Organizations should choose managed threat intelligence services based on their vertical industry expertise, customized reporting capabilities and integration into existing security and IT technologies and processes.
CISOs tend to change jobs every 24 to 36 months. When a new one is hired, they often reengineer or build a threat intelligence program that fits their management model. Given the research data, organizations must evaluate the effectiveness of their cyberthreat intelligence programs now, rather than wait for a new CISO to start this process over the next few years.
Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.