
The Coming Reckoning: Showing ROI from Threat Intelligence

January 4, 2022

The Evolution of Threat Intelligence in the Corporate Landscape

For almost ten years, threat intelligence has been integrated into cybersecurity defenses within the private sector. Initially, many threat intelligence teams were formed by intelligence professionals with backgrounds in government, accustomed to collecting information to counter threats to national security.

As these teams grew and turned to safeguarding customer data and keeping services available, friction with the corporate setting was inevitable: unlike a government agency, a company expects every function to justify its budget.

Shifting Expectations and Increased Investment

The landscape is now undergoing a transformation. Security operations are becoming more sophisticated, and the continuous evolution of threats has prompted substantial investments in security infrastructure by enterprises.

Executive leadership and boards of directors are becoming more engaged in security-related decisions, and data indicates a commitment to increased security spending, projected to reach $458.9 billion by 2025, a rise from $262.4 billion in 2021.

This increased investment naturally leads to greater oversight and intense competition for resources between IT and security departments.

The Need for a Paradigm Shift

Despite these changes, many threat intelligence teams continue to operate with a traditional government intelligence approach.

They often concentrate on delivering data to the Security Operations Center (SOC), lacking experience in broadening the application of threat intelligence throughout the organization.

This limits their ability to effectively communicate the resulting benefits and justify the necessary financial investment.

A Reckoning for Threat Intelligence

After a decade of threat intelligence adoption in the corporate world, a critical juncture has arrived.

It is essential for CISOs and threat intelligence teams to collaborate and demonstrate that threat intelligence is not merely an expense, but a driver of value across all security functions.

Recommendations for Maturing Threat Intelligence Teams

To facilitate this shift in perspective and showcase the comprehensive value of threat intelligence, consider these three recommendations as teams mature:

  • Treat the threat intelligence team as a provider of intelligence products tailored to every security function, not only the SOC.
  • Build an open, bi-directional integration architecture so that intelligence and internal context flow between teams and their tools.
  • Report to executives on outcomes, with concrete evidence of how intelligence changed decisions and results.

The Threat Intelligence Team as a Product Provider

Security operations comprise diverse teams, each with its own requirements. The threat intelligence team’s primary function is to deliver intelligence products tailored to the specific needs of each of these stakeholders.

While the Security Operations Center (SOC) benefits from contextualized indicators of compromise, prioritized for relevance and impact to enhance watch list monitoring, other teams also require specialized intelligence.

Supporting Various Security Functions

Incident response teams, for instance, require comprehensive context regarding adversaries, their campaigns, and the infrastructure they utilize to expedite incident handling.

Threat hunters benefit from detailed information on ongoing campaigns, adversary motivations, and employed tactics, enabling proactive detection of activity that has evaded existing security measures.

Patch management teams, in turn, need to know which vulnerabilities are being exploited in real-world attacks, how reliably those exploits work, and whether the affected products are actually present in the environment, so they can prioritize patching by real risk rather than by severity score alone.
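The patch-prioritization product described above, worked through as an added example (not code from the original article or from any vendor): a vulnerability feed carrying exploitation context is joined with an asset inventory so that a vulnerability scores zero when nothing in the estate runs the affected product, and an actively exploited flaw on an internet-facing, business-critical host outranks a higher-CVSS flaw that nobody is exploiting. The feed records, asset inventory, field names and placeholder CVE identifiers are all constructed assumptions, not a real schema.

```python
"""Prioritise patching by joining vulnerability intelligence with organisational
relevance.  Added example for this article, not code from the original page or
from any vendor; the feed records, asset inventory and field names below are
constructed assumptions, not a real schema or real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnIntel:
    cve: str
    product: str              # affected product, normalised to inventory naming
    cvss: float
    exploited_in_wild: bool   # observed in real attacks
    targets_our_sector: bool  # actors using it have hit our industry
    weaponised: bool          # reliable public exploit available


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    internet_facing: bool
    criticality: int          # 1 (low) .. 3 (high) business criticality


# Constructed sample input.  The CVE ids are placeholders, not real entries.
FEED = [
    VulnIntel("CVE-0000-0001", "webfront", 9.8, True, True, True),
    VulnIntel("CVE-0000-0002", "dbengine", 9.1, False, False, False),
    VulnIntel("CVE-0000-0003", "mailgw", 10.0, True, True, True),   # product we do not run
    VulnIntel("CVE-0000-0004", "kioskos", 7.5, True, False, False),
]
ASSETS = [
    Asset("web-01", "webfront", True, 3),
    Asset("web-02", "webfront", True, 2),
    Asset("db-01", "dbengine", False, 3),
    Asset("kiosk-07", "kioskos", False, 1),
]


def exposed_assets(vuln, assets):
    """Organisational relevance: the assets that actually run the affected product."""
    return [a for a in assets if a.product == vuln.product]


def priority_score(vuln, exposed):
    """Higher means patch sooner.  Intelligence multiplies exposure rather than
    adding to it, so a critical, exploited CVE in a product we do not run scores 0."""
    if not exposed:
        return 0.0
    exposure = sum(a.criticality * (2 if a.internet_facing else 1) for a in exposed)
    intel = 1.0
    if vuln.exploited_in_wild:
        intel += 2.0
    if vuln.targets_our_sector:
        intel += 1.5
    if vuln.weaponised:
        intel += 1.0
    return round(exposure * intel * (vuln.cvss / 10), 2)


def rank(feed, assets):
    """Return (score, cve, [hostnames]) tuples, most urgent first."""
    rows = []
    for v in feed:
        exposed = exposed_assets(v, assets)
        rows.append((priority_score(v, exposed), v.cve, [a.hostname for a in exposed]))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows


if __name__ == "__main__":
    for score, cve, hosts in rank(FEED, ASSETS):
        print(f"{score:6.2f}  {cve}  {', '.join(hosts) or '-'}")
```

With the constructed data the CVSS 10.0 vulnerability lands last because no asset runs the product, and the CVSS 7.5 flaw that is exploited in the wild scores close to the unexploited CVSS 9.1 flaw only because it sits on a single low-value host; the weights themselves are the knobs the team would tune with its stakeholders.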

The Value of Contextualized Intelligence

Contextualized threat intelligence acts as a significant force multiplier. It ensures that all security teams concentrate on the most pertinent and critical issues.

This focused approach empowers teams to make informed decisions and implement appropriate responses, ultimately strengthening the organization’s overall security posture.

The Importance of Seamless Integration

For effective automation in the distribution of relevant threat intelligence, a flexible and open integration architecture is essential. This allows for the streamlined sharing of information between different teams and the security tools they utilize.

Bi-directional integration is key, granting threat intelligence teams access to a diverse array of both internal and external data sources. These sources provide crucial context, encompassing systems, security tools, known vulnerabilities, and user identities.
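The contextualized, prioritized watch list for the SOC (described earlier under the product-provider section) and the bi-directional flow described here can be shown together as one round trip. The following is an added example, not code from the original article or from any product: indicators are scored and pushed outbound as a watch list; sightings reported by the detection tool come back inbound, are enriched with internal context (the affected asset, its owner and the logged-on identity), and raise the indicator's standing so the next push is better prioritized. The indicator feed, sighting lines, asset and identity lookups and the record format are constructed assumptions; IP addresses come from the RFC 5737 documentation ranges and the domain is under the reserved example.net.

```python
"""Bi-directional flow between the intelligence team and SOC tooling.
Outbound: indicators scored for relevance become a prioritised watch list.
Inbound: sightings the detection tool reports come back, are enriched with
internal context (asset, owner, identity) and raise the indicator's standing
for the next push.

Added example for this article, not code from the original page or any
product.  The indicator feed, sighting lines and the asset/identity lookups are
constructed; the record format is an assumption.  IPs are from the RFC 5737
documentation ranges and the domain is under the reserved example.net.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Indicator:
    value: str
    kind: str            # "ipv4" or "domain"
    campaign: str
    confidence: int      # 0..100 as rated by the source
    sector_match: bool   # campaign known to target our sector
    sightings: int = 0   # hits on our own estate, learned via the inbound path


def make_indicators():
    return [
        Indicator("203.0.113.7", "ipv4", "BANK-PHISH", 60, True),
        Indicator("update.example.net", "domain", "COMMODITY-MINER", 45, False),
        Indicator("198.51.100.23", "ipv4", "BANK-PHISH", 30, True),
    ]


# Constructed internal context reachable through the integration layer.
ASSETS = {
    "10.20.0.15": {"host": "fin-ws-12", "owner": "finance", "crit": 3},
    "10.20.0.88": {"host": "lab-vm-03", "owner": "research", "crit": 1},
}
IDENTITIES = {"fin-ws-12": "a.ortiz", "lab-vm-03": "svc-lab"}

# Constructed detection-tool export: "<iso-time> <src-ip> <indicator> <action>"
SIGHTINGS = [
    "2022-01-03T09:14:00+00:00 10.20.0.15 203.0.113.7 allowed",
    "2022-01-03T09:20:00+00:00 10.20.0.88 update.example.net blocked",
    "2022-01-03T10:02:00+00:00 10.20.0.15 192.0.2.9 allowed",   # not one of ours
]


def priority(ind):
    """Source confidence, plus sector relevance, plus evidence it already hit us."""
    score = ind.confidence + (20 if ind.sector_match else 0) + min(ind.sightings, 5) * 6
    return min(score, 100)


def watchlist(indicators, min_priority=50):
    """Outbound product: only indicators worth the SOC's attention, most urgent first."""
    rows = sorted(indicators, key=lambda i: -priority(i))
    return [{"indicator": i.value, "type": i.kind, "campaign": i.campaign, "priority": priority(i)}
            for i in rows if priority(i) >= min_priority]


def severity(crit, action):
    """Blocked traffic is informational; allowed traffic is rated by asset criticality."""
    if action == "blocked":
        return "low"
    return "high" if crit >= 3 else "medium" if crit == 2 else "low"


def ingest_sightings(indicators, lines):
    """Inbound path: match sightings to our indicators, attach internal context,
    and record the hit on the indicator so its priority rises."""
    by_value = {i.value: i for i in indicators}
    events = []
    for line in lines:
        ts, src, ioc, action = line.split()
        ind = by_value.get(ioc)
        if ind is None:
            continue   # unrelated to our intelligence; leave to normal SOC triage
        ind.sightings += 1
        asset = ASSETS.get(src, {"host": "unknown", "owner": "unknown", "crit": 0})
        events.append({
            "time": datetime.fromisoformat(ts), "src": src, "indicator": ioc, "action": action,
            "campaign": ind.campaign, "asset": asset["host"], "owner": asset["owner"],
            "user": IDENTITIES.get(asset["host"]), "severity": severity(asset["crit"], action),
        })
    return events


def demo():
    """One round trip: push, receive sightings, push again with updated priorities."""
    indicators = make_indicators()
    before = watchlist(indicators)
    events = ingest_sightings(indicators, SIGHTINGS)
    after = watchlist(indicators)
    return {"before": before, "events": events, "after": after}


if __name__ == "__main__":
    r = demo()
    print("first push:", [(w["indicator"], w["priority"]) for w in r["before"]])
    for e in r["events"]:
        print(f"{e['severity']:6} {e['asset']} ({e['user']}) -> {e['indicator']} [{e['campaign']}] {e['action']}")
    print("second push:", [(w["indicator"], w["priority"]) for w in r["after"]])
```

The point of the round trip is visible in the second push: the commodity-miner domain, rated too low by its source to reach the first watch list, crosses the threshold once the estate's own telemetry shows it being contacted, and the finance workstation that reached a phishing-campaign address is handed to the SOC already tagged with campaign, owner and user instead of as a bare IP match.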

Facilitating Collaboration and Actionable Insights

After threat intelligence analysts have completed their analysis and prioritization of collected data, they can effectively disseminate this information to all relevant security teams.

This sharing fosters continuous collaboration, learning, and ongoing improvement within the security organization. Leveraging existing infrastructure through integration allows teams to continue utilizing familiar tools, leading to quicker and more precise responses.

Integration and Extended Detection & Response (XDR)

For organizations evaluating Extended Detection and Response (XDR) solutions, bi-directional integration is not merely beneficial, but fundamentally necessary.

Contextualized and prioritized threat intelligence must be capable of flowing seamlessly and dependably throughout all systems within the XDR framework.

Boosting Security Operations Efficiency

An open integration architecture designed to let data flow freely improves both the effectiveness and the efficiency of security operations teams and the tools they use.

Enhancing Executive Reporting on Threat Intelligence

As threat intelligence groups collaborate increasingly with other security functions, they will be positioned to showcase enhanced value through improved operational performance. This closer alignment will enable Chief Information Security Officers (CISOs) to establish more structured reporting processes.

These reports can provide a comprehensive overview of the specific security hurdles the organization encountered, detailing how the threat intelligence team contributed to addressing them.

Furthermore, reporting should articulate the value provided, key takeaways from incidents, and strategies for ongoing security operations enhancements.

Examples of Report Content

Concrete examples of information to include in these reports are:

  • A detailed account of observed malicious activities, alongside the actions implemented to contain and resolve them.
  • Justification for believing specific campaigns pose a threat to the organization, and the monitoring efforts underway.
  • Explanations of proactive defense strengthening measures, such as prioritizing vulnerability patching based on exploitation by threat actors targeting similar industries.
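The report items above read as narrative; to give them numbers, the team needs metric definitions it can compute from its own records. The following is an added example, not code from the original article: three candidate metrics (how far ahead of a sighting the intelligence was published, what share of confirmed incidents involved a watch-listed indicator, and whether actively exploited vulnerabilities were patched inside a tighter window than the rest) computed over constructed incident and patch records. The records, the placeholder identifiers and the metric definitions are assumptions the team would need to agree with its CISO; negative lead time is kept rather than filtered out, because a report that hides the cases where intelligence arrived after the incident is not one a board should trust.

```python
"""Compute three reportable metrics from the team's own records so the
executive report cites numbers rather than anecdotes:
  1. intel lead time: days between an indicator reaching the watch list and
     its first sighting on the estate (positive = we were warned first)
  2. detection coverage: share of confirmed incidents in which a watch-listed
     indicator fired
  3. patch SLA: share of actively exploited CVEs patched inside the agreed
     window, versus the rest on their longer window

Added example for this article, not code from the original page.  The incident
and patch records are constructed and the metric definitions are assumptions.
"""
from datetime import date
from statistics import median

# Constructed: one row per confirmed incident in the reporting period.
INCIDENTS = [
    {"id": "INC-1", "indicator": "203.0.113.7", "published": date(2021, 11, 2), "first_seen": date(2021, 11, 9)},
    {"id": "INC-2", "indicator": None, "published": None, "first_seen": date(2021, 11, 15)},
    {"id": "INC-3", "indicator": "198.51.100.23", "published": date(2021, 12, 1), "first_seen": date(2021, 12, 1)},
    # hunters found this one before the feed carried it: negative lead time
    {"id": "INC-4", "indicator": "update.example.net", "published": date(2021, 12, 20), "first_seen": date(2021, 12, 12)},
]

# Constructed: (placeholder cve, exploited_in_wild, disclosed, patched)
PATCHES = [
    ("CVE-0000-0001", True, date(2021, 11, 1), date(2021, 11, 8)),
    ("CVE-0000-0002", False, date(2021, 11, 3), date(2021, 12, 20)),
    ("CVE-0000-0004", True, date(2021, 11, 20), date(2021, 12, 15)),
    ("CVE-0000-0005", False, date(2021, 12, 1), date(2021, 12, 18)),
]


def intel_lead_time_days(incidents):
    """Median days of warning, and how many incidents we were warned about first."""
    leads = [(i["first_seen"] - i["published"]).days for i in incidents if i["indicator"]]
    return {"median_days": median(leads),
            "warned_first": sum(1 for d in leads if d >= 0),
            "total": len(leads)}


def detection_coverage(incidents):
    """Fraction of confirmed incidents where a watch-listed indicator matched."""
    hit = sum(1 for i in incidents if i["indicator"])
    return round(hit / len(incidents), 2)


def patch_sla(patches, exploited_window=14, other_window=30):
    """Exploited CVEs are held to the shorter window; everything else to the longer one."""
    out = {}
    for label, exploited, window in (("exploited", True, exploited_window),
                                     ("other", False, other_window)):
        rows = [p for p in patches if p[1] == exploited]
        within = sum(1 for _, _, disclosed, patched in rows if (patched - disclosed).days <= window)
        out[label] = {"within_sla": within, "total": len(rows), "window_days": window}
    return out


if __name__ == "__main__":
    print("lead time:", intel_lead_time_days(INCIDENTS))
    print("coverage:", detection_coverage(INCIDENTS))
    print("patch SLA:", patch_sla(PATCHES))
```

On the constructed data the median lead time is zero and one of three intelligence-linked incidents was found by hunters before the feed caught up; reporting that honestly, alongside the 75% coverage figure, is exactly the kind of evidence that lets a CISO argue for the collection sources or integration work that would move the number.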

A period of increased scrutiny is anticipated, making proactive preparation essential. Disseminating tailored threat intelligence to relevant teams, facilitated by two-way integration, will demonstrate the critical role of threat intelligence.

Threat intelligence is not merely an expense; it’s a valuable asset. It delivers benefits that extend throughout the organization, supporting numerous projects and applications, and ultimately enabling faster, more effective defense against evolving cyber threats.

Tags: threat intelligence, ROI, return on investment, cybersecurity, security metrics, threat hunting