First, a definition, admittedly a technical one, of threat intelligence:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Don’t let the definition scare you away. Threat intelligence is simply data you already have or can easily obtain. That, however, isn’t the compelling piece of the definition. The compelling piece is two words: “actionable advice.”
Threat intelligence only benefits security if its primary thrust is action. Without that aim, intelligence is merely information. It’s nice to have, but it doesn’t do anything. It just sits there, looking pretty.
When threat intelligence is active, it improves security and safety. Best-in-class enterprises know this; 65 percent of them use external threat intelligence to enhance security decision-making.
You can do the same thing in your environment, be it a commercial property or small business. When you do, security and other processes improve in at least four ways.
1. Threat intelligence prioritizes where to spend time and money.
How do you decide where to spend the IT and/or security budget? Data is the best way to accomplish the goal. It shows what’s working and what’s not.
Holes are gaps that need addressing. A hole could be a cyber security one, such as passwords or credentials, but it could just as easily be a physical security one. Maybe the real need is better lighting and additional cameras in the parking lots and at the rear exit.
Data—intelligent data—reveals both. Seek out the needed data. Mine it, compare it, and use it to deliver insights that impact time and money.
2. Threat intelligence reduces security incidents.
Reducing security incidents requires context. To experience this benefit, you’ll need more than the past month’s security data and video footage. You need historical and real-time data. The two working in concert reduce incidents over time.
By understanding context, you’re better able to respond with solutions specific to your needs. Security is not a case where a square peg can be crammed into a circular hole. The peg needs to fit the hole in order to be effective.
3. Threat intelligence improves response time.
One of the challenges historically found with threat intelligence has been the time needed to make information actionable. The time has decreased with advances in technology and tools, but more can and should be done.
Develop a response framework. Use historical data to determine processes and procedures. Identify who’s a first responder and build out a contact map from there. Decide who should be contacted if a situation escalates. Identify when and where systems, doors, and devices should be severed from critical systems or, in the worst-case scenario, shut down altogether.
4. Threat intelligence develops the larger picture of security events, attacks, and incidents.
Jim Brennan, IBM Director of Strategy and Development, says that the “bad actors” are collaborating. They always have been. They share data, tools, and expertise.
The “good actors”—you and us—need to mimic that behavior. Only by sharing knowledge and working together can we beat back the rising tide of hacks, attacks, and breaches.
Brennan says to share everything from the most technical of information to the most anecdotal. Structured and unstructured data, joined together, produce “the Wikipedia for threat intelligence” and lead to an advantage over the adversary.
But remember—threat intelligence does nothing on its own. It’s what you do with it that makes all the difference. As Brennan says, “The real value of threat intelligence lies in its application to your business, turning insight into action.”
How are you using threat intelligence to improve security? Let us know here or on Twitter (@BrivoInc).