November 16, 2023, by Gabi Reish

Solving the CTI Paradox: Don’t let too much data paralyze your security team

Each day, cybersecurity teams face escalating threats and vulnerabilities. They valiantly try to fight back with cyber security detection and prevention tools in conjunction with insights provided by cyber threat intelligence tools. But many security leaders admit they’re not sure their actions are effective.

Consider these statistics: 79 percent of respondents in a survey said they make decisions without insights into their adversaries’ actions and intent [1]. Of those respondents, 84 percent [2] are very concerned that they’re making uninformed decisions.

But why? What’s causing these teams to question their decision-making and actions? In what follows, we’ll take a closer look and propose some solutions.

If you’re among those feeling uncertain, this may help you and your team gain clarity and understand a path forward. Before doing so, let me acknowledge the usual suspect: a shortage of security personnel. This shortage has been ongoing and shows no signs of abating. According to a 2022 report [3], some 3.4 million security jobs are going unfilled due to a lack of qualified applicants. But there’s far more to the story, as we’ll see.

The Cyber Threat Intelligence Paradox

These cybersecurity teams – uncertain that their actions are effective – face what I have termed The Cyber Threat Intelligence (CTI) Paradox: The more you have, the less you know. They’re flooded with information they can’t easily differentiate, process, or act upon because it has not been refined for their needs. And while they may have plenty of security tools at their disposal, they can’t use them effectively. 

To illustrate the point, Cybersixgill recently conducted a survey and found that almost half the respondents said that they are still challenged even with CTI tools at their disposal. Among the issues are the irrelevance of data, the difficulty of gaining access to useful sources, and the complexity of integrating intelligence from different solutions. Perhaps because of this sense of futility, 82 percent of security professionals view their CTI program as an academic exercise: They buy a product but have no strategy or plan for using it. 

If you’re among those feeling discouraged, here are some suggestions for getting out of the CTI Paradox and gaining confidence that your organization is operating effectively and efficiently.

The Four Pillars of Effective CTI 

A well-functioning security department essentially needs two things: Relevant insights about threats pertinent to their organization and the capacity for acting on those threats quickly. This starts with the organization having an overall strategy that reflects its unique security concerns, then arms itself defensively with CTI tools that fit its concerns and other facets of its operation. 

As I see it, resolving the CTI paradox means using tools that provide support through four pillars:

  • Data – information about cyberthreats that matter to the organization

  • Skill sets – tools that match the team’s level of expertise in responding to those threats

  • Use cases – tools that match the types of intelligence that the security team is interested in 

  • Compatibility – the fit between a CTI solution and the rest of the security stack 

Let’s look at the four pillars, where you may be experiencing problems, and how to solve them. 

Data

Problem: It’s one thing to collect massive amounts of data. It’s another thing to refine that data so that you know what is relevant and what is peripheral. As we’ve described, many security teams cannot make these discernments. While it is fine to be aware of security threats on a global level – both literally and figuratively – companies need to zero in on the information most relevant to their attack surface and prioritize accordingly. 

Solution: Focus on products that analyze and curate information rather than dumping everything on users and expecting them to filter out what is relevant and what’s noise. You don’t have the time or resources for such work. That’s the vendor’s job. 

Skill sets

Problem: Security teams sometimes find themselves working with tools that do not match their cybersecurity skill sets. For example, a tool that provides access to raw, highly detailed information may be too complex for a junior-level staff member. Similarly, tools may be too simplistic and fail to provide sufficient information for a security team operating at an advanced level for an organization likely to be attacked. 

Solution: Teams need to use CTI tools that match or complement their skill sets. You also want to select tools that match your organization's security maturity and appetite for data – neither too high nor too low for your needs. 

Use cases

Problem: Organizations may receive information irrelevant to their primary use cases. Vendors offer a dozen or more intelligence use cases addressing such needs as brand protection, third-party monitoring, phishing, geopolitical issues, etc. Getting intelligence on a use case irrelevant to an organization’s security concerns isn't helpful.  

Solution: Find a solution that matches your use-case needs and provides that information in a way that is clear, relevant, and specific to those needs. If you’re concerned about vulnerabilities, find one that offers vulnerability intelligence and the appropriate user experience for your security department.

Compatibility

Problem: To adequately handle cyber threat intelligence, your organization needs to be able to consume the incoming data, communicate it to the other elements of your security stack, and take action rapidly. Without this compatibility among tools, you can’t use CTI to act quickly enough on threats to protect yourself. Even when speed is not critical, porting the information from one area to another may be so aggravating that the tool ends up ignored.

Solution: In this environment, you need to rely on automated responses to threats as much as is feasible, so make sure whatever CTI tool you acquire fits well into your security ecosystem. You’ll want a tool that has the APIs needed to share information readily with the rest of your security stack.
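The Data and Compatibility pillars above both come down to the same pipeline: keep only the intelligence that touches your own attack surface, rank it, and hand it to the rest of the stack in a form other tools can ingest. The following is an added example written for this page; it is not Cybersixgill’s code or part of the original post. The feed items, asset names, placeholder vulnerability ids and scoring weights are all constructed sample values, and the relevance and priority rules are assumptions you would tune to your own environment.

```python
"""Added example (not Cybersixgill's code, not from the original post):
filter a raw CTI feed down to the items that touch the organisation's own
attack surface, rank them, and hand the result to the rest of the security
stack as plain JSON. Every feed item, asset name, placeholder id and
threshold below is a constructed sample value."""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Indicator:
    kind: str             # "vuln", "leaked-credential", "typosquat-domain", ...
    value: str            # identifier or observable reported by the vendor
    severity: float       # vendor-assigned score, 0-10
    affects: frozenset    # products / domains the item applies to
    age_days: int         # days since the item was first seen


@dataclass(frozen=True)
class AssetInventory:
    products: frozenset         # software the organisation runs
    internet_facing: frozenset  # subset of products exposed to the internet
    domains: frozenset          # domains the organisation owns


# Constructed sample data: placeholder ids and names, not real indicators.
SAMPLE_FEED = (
    Indicator("vuln", "VULN-PLACEHOLDER-1", 9.8, frozenset({"acme-vpn"}), 1),
    Indicator("vuln", "VULN-PLACEHOLDER-2", 7.5, frozenset({"other-erp"}), 3),
    Indicator("leaked-credential", "user@acme.example", 8.0, frozenset({"acme.example"}), 10),
    Indicator("typosquat-domain", "acme-example.test", 5.0, frozenset({"acme.example"}), 0),
    Indicator("vuln", "VULN-PLACEHOLDER-3", 6.0, frozenset({"acme-hr-portal"}), 40),
)

SAMPLE_INVENTORY = AssetInventory(
    products=frozenset({"acme-vpn", "acme-hr-portal"}),
    internet_facing=frozenset({"acme-vpn"}),
    domains=frozenset({"acme.example"}),
)


def is_relevant(ind: Indicator, inv: AssetInventory) -> bool:
    """An item matters only if it names something the organisation actually has."""
    return bool(ind.affects & (inv.products | inv.domains))


def priority(ind: Indicator, inv: AssetInventory) -> float:
    """Rank by severity, raised for internet-facing exposure, lowered with age.
    The weights are constructed assumptions; tune them to your risk appetite."""
    score = ind.severity
    if ind.affects & inv.internet_facing:
        score *= 1.5
    score *= max(0.25, 1 - ind.age_days / 60)  # stale items fade but never vanish
    return round(score, 2)


def curate(feed, inv: AssetInventory, min_priority: float = 4.0):
    """Drop irrelevant items, score the rest, return highest priority first."""
    ranked = [(priority(i, inv), i) for i in feed if is_relevant(i, inv)]
    ranked = [(p, i) for p, i in ranked if p >= min_priority]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def to_handoff(ranked) -> str:
    """Flat JSON a ticketing or SOAR layer can ingest without touching the vendor UI."""
    return json.dumps([
        {"priority": p, "kind": i.kind, "indicator": i.value,
         "assets": sorted(i.affects), "age_days": i.age_days}
        for p, i in ranked
    ], indent=2)


if __name__ == "__main__":
    print(to_handoff(curate(SAMPLE_FEED, SAMPLE_INVENTORY)))
```

Run as-is, the script keeps three of the five feed items: the vulnerability in the internet-facing VPN ranks first, the irrelevant ERP item never enters the queue, and the six-week-old HR portal item drops below the threshold. Whatever the real vendor feed and stack look like, the design point is the same: the filtering and ranking happen before a human sees anything, and the output is a format the next tool already understands.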

Cybersixgill and the CTI Paradox

Cybersixgill has been helping customers overcome the CTI paradox by providing tools that match all the requirements of the four pillars. 

  • Regarding data, we continuously collect and expose the earliest indications of risk posed by threat actors from millions of underground sources. Then, we process, correlate, and enrich them so they’re pertinent for each customer.

  • Regarding skill sets, our tools now include the generative AI-based Cybersixgill IQ, which makes it far easier for junior-level staff members to find the data they need and react appropriately. Similarly, we know that whatever tools our customers use must be appropriate for their maturity level as an organization.

  • Regarding use cases, we offer nearly a dozen variations so you can pick the use cases most in line with your requirements. We provide our customers – enterprises, global systems integrators, and managed security service providers – CTI insights that fit their usage needs.

  • Finally, on the compatibility question, our tools have been designed to integrate with the entire security stacks of our customers. We’ve developed an extensive set of APIs expressly for the purpose of facilitating reliable interaction between our products and those our customers already have incorporated into their defense posture. 


[1] Mandiant, Global Perspectives on Threat Intelligence, 2023
[2] Mandiant, ibid.
[3] (ISC)², Cybersecurity Workforce Study, 2022
[4] ESG, Cyber-threat Intelligence Programs: Ubiquitous and Immature, Jon Oltsik, 2022
