news
November 16, 2023by Gabi Reish

Solving the CTI Paradox: Don’t let too much data paralyze your security team

Each day, cybersecurity teams face escalating threats and vulnerabilities. They valiantly try to fight back with cyber security detection and prevention tools in conjunction with insights provided by cyber threat intelligence tools. But many security leaders admit they’re not sure their actions are effective.

Consider these statistics: 79 percent of respondents in a survey said they make decisions without insights into their adversaries’ actions and intent¹. Of those respondents, 84 percent² are very concerned that they’re making uninformed decisions.

But why? What’s causing these teams to question their decision-making and actions? In what follows, we’ll take a closer look and propose some solutions.

If you’re among those feeling uncertain, this may help you and your team gain clarity and understand a path forward. Before doing so, let me acknowledge the usual suspect: a shortage of security personnel. This shortage has been ongoing and shows no signs of abating. According to a 2022 report³, some 3.4 million security jobs are going unfilled due to a lack of qualified applicants. But there’s far more to the story, as we’ll see.

The Cyber Threat Intelligence Paradox

These cybersecurity teams – uncertain that their actions are effective – face what I have termed The Cyber Threat Intelligence (CTI) Paradox: The more you have, the less you know. They’re flooded with information they can’t easily differentiate, process, or act upon because it has not been refined for their needs. And while they may have plenty of security tools at their disposal, they can’t use them effectively. 

To illustrate the point, Cybersixgill recently conducted a survey and found that almost half the respondents said that they are still challenged even with CTI tools at their disposal. Among the issues are the irrelevance of data, the difficulty of gaining access to useful sources, and the complexity of integrating intelligence from different solutions. Perhaps because of this sense of futility, 82 percent of security professionals view their CTI program as an academic exercise: They buy a product but have no strategy or plan for using it. 

If you’re among those feeling discouraged, here are some suggestions for getting out of the CTI Paradox and gaining confidence that your organization is operating effectively and efficiently.

The Four Pillars of Effective CTI 

A well-functioning security department essentially needs two things: Relevant insights about threats pertinent to their organization and the capacity for acting on those threats quickly. This starts with the organization having an overall strategy that reflects its unique security concerns, then arms itself defensively with CTI tools that fit its concerns and other facets of its operation. 

As I see it, resolving the CTI paradox means using tools that provide support through four pillars:

  • Data – information about cyberthreats that matter to the organization

  • Skill sets – tools that match the team’s level of expertise in responding to those threats

  • Use cases – tools that match the types of intelligence that the security team is interested in 

  • Compatibility – the fit between a CTI solution and the rest of the security stack 

Let’s look at the four pillars, where you may be experiencing problems, and how to solve them. 

Data

Problem: It’s one thing to collect massive amounts of data. It’s another thing to refine that data so that you know what is relevant and what is peripheral. As we’ve described, many security teams cannot make these discernments. While it is fine to be aware of security threats on a global level – both literally and figuratively – companies need to zero in on the information most relevant to their attack surface and prioritize accordingly. 

Solution: Focus on products that analyze and curate information rather than dumping everything on users and expecting them to filter out what is relevant and what’s noise. You don’t have the time or resources for such work. That’s the vendor’s job. 

Skill sets

Problem: Security teams sometimes find themselves working with tools that do not match their cybersecurity skill sets. For example, a tool that provides access to raw, highly detailed information may be too complex for a junior-level staff member. Similarly, tools may be too simplistic and fail to provide sufficient information for a security team operating at an advanced level for an organization likely to be attacked. 

Solution: Teams need to use CTI tools that match or complement their skill sets. You also want to select tools that match your organization's security maturity and appetite for data – neither too high nor too low for your needs. 

Use cases

Problem: Organizations may receive information irrelevant to their primary use cases. Vendors offer a dozen or more intelligence use cases addressing such needs as brand protection, third-party monitoring, phishing, geopolitical issues, etc. Getting intelligence on a use case irrelevant to an organization’s security concerns isn't helpful.  

Solution: Find a solution that matches your use-case needs and provides that information in a way that is clear, relevant, and specific to those needs. If you’re concerned about vulnerabilities, find one that offers vulnerability intelligence and the appropriate user experience for your security department.

Compatibility

Problem: To adequately handle cyber threat intelligence, your organization needs to be able to consume the incoming data, then communicate to other elements of your security stack and take action rapidly. Without this compatibility among tools, you can’t use CTI to act quickly enough on threats to protect yourself. Even when speed is not critical, porting the info from one area to another may be so aggravating that the tool becomes ignored. 

Solution: In this environment, you need to rely on automated responses to threats as much as feasibly possible, so make sure whatever CTI tool you acquire fits well into your security ecosystem. You’ll want a tool that has the APIs needed to share information readily with the rest of your security stack.

Cybersixgill and the CTI Paradox

Cybersixgill has been helping customers overcome the CTI paradox by providing tools that match all the requirements of the four pillars. 

  • Regarding data, we continuously collect and expose the earliest indications of risk posed by threat actors from millions of underground sources. Then, we process, correlate, and enrich them so they’re pertinent for each customer.

  • Regarding skill sets, our tools now include the generative AI-based Cybersixgill IQ, which makes it far easier for junior-level staff members to find the data they need and react appropriately. Similarly, we know that whatever tools our customers use must be appropriate for their maturity level as an organization.

  • Regarding use cases, we offer nearly a dozen variations so you can pick the use cases most in line with your requirements. We provide our customers – enterprises, global systems integrators, and managed security service providers -- CTI insights that fit their usage needs.

  • Finally, on the compatibility question, our tools have been designed to integrate with the entire security stacks of our customers. We’ve developed an extensive set of APIs expressly for the purpose of facilitating reliable interaction between our products and those our customers already have incorporated into their defense posture. 


[1] Mandiant, Global Perspectives on Threat Intelligence, 2023
[2] Mandiant, ibid
[3] (ISC)2, Cybersecurity Workforce Study, 2022
[4] ESG, Cyber-threat Intelligence Programs:Ubiquitous and Immature, Jon Oltsik, 2022

 

 

 

You may also like

View from the entrance of a tunnel with tracks extending towards a futuristic, dystopian cityscape.

April 19, 2024

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Read more
SOTU-Ransomware blog thumbnail

April 17, 2024

State of the Underground 2024: Two ways to guard against the ongoing threat of ransomware

Read more
Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more