By: Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS
Over the past year, the cyber security industry has changed significantly in the light of an innovative tool called “Threat Intelligence” (TI). Organizations of all sizes are beginning to gain understanding of the value of TI; however, there is some confusion concerning what organizations believe they are receiving for their money. Organizations are beginning to learn about the notions of strategic and tactical TI. One provides longer-term, pragmatic analysis, alerts, and reports; while the other provides short-term, more-actionable data and informational feeds. Both have tremendous value to organizations who want to gain more insight into the cyber-threat landscape they face daily. However, is TI more than just data?
When organizations decide to purchase commercial TI, what are they clearly buying? Most have yet to recognize the fact that they are essentially buying a “process”; which surpasses the undesirable perception of just more data. Organizations of any size have the option to hire researchers, analysts, and report writers; while at the same time deploying sensors, honeypots, and end-point visibility, that covers a part of the world they’re most interested in. The prospect of building and running a team of researchers, while at the same time deploying a data collection framework is a complete reality – albeit a rather expensive one.
Most organizations are not prepared to spend huge sums of money on this proposition. Instead, most organizations have decided to allow the experts to do what they do best, and purchase the commercial TI they’re looking for. In this case, organizations have decided to purchase a process, instead of trying to spin-up that process themselves. This allows organizations of all sizes to capitalize on TI. It also helps reduce costs for any single entity, by ideally spreading these costs across many buyers; keeping them as low as possible, while providing the highest quality and value. This decision makes the absolute best sense.
The process organizations are buying is called the “threat intelligence lifecycle”, and in most cases, it’s a well-defined process. It begins by collecting data from multiple sources. These sources include researchers (humans), in addition to sensors, honeypots, and endpoint visibility tools (technology). It next consumes the collected data and applies a process of translation, collation, evaluation, and finally curation of the data points. Next the data is deeply analyzed to determine its value and significance; while developing recommended actions and next-steps.
Then, the data in the form of strategic and tactical information is packaged and delivered via blogs, alerts, reports and data feeds. The final step involves a closed-loop feedback system to determine the success of the information, and then the process is adjusted as needed. The activity is continually repeated, and the constant flow of actionable threat intelligence is provided as part of the service.
As one can see, threat intelligence is more than just static or transitional data. It involves well-defined processes, with sets of deliverables. Therefore, organizations who take advantage of commercial TI are gaining the true value through a process the vendor delivers, and not only from the data itself. This is what organizations are “really” buying, when they purchase commercial TI.