Page 24 - EngineerIt March 2021

CYBER SECURITY


Three critical steps to turn your threat intelligence into actionable insight

By Kevin Brown, Managing Director, BT Security

When I ask customers what aspects of cyber security are frustrating them right now, the topic of threat intelligence comes up a lot. In many ways, this isn’t surprising. I think ‘threat intelligence’ is possibly the most overused and empty term to have emerged in cyber security in the past five years. It’s become something organisations ‘must’ have, without a widespread understanding within the business of what it is or how it is supporting security.

In many cases, what a business is calling ‘threat intelligence’ is simply a plethora of feeds that increases the data available to them, but doesn’t add to the intelligence at their disposal. Pressure on scarce specialists increases as the volume of data grows, and frustration builds as the ‘threat intelligence’ doesn’t deliver actionable information. What’s missing is the context around this stream of data and an understanding of what sits beneath it.

Turning automation into a threat intelligence strength

Automation is vital in making the move from commodity to focused and actionable intelligence. By automating the repetitive processes, you’re immediately reducing the pressure on your experts and using your scarce expert skills in the right place. With automation taking care of the volume, characterisation and implementation of high-fidelity intelligence from third parties, your team will then be working on the higher end of threat development, supporting informed decision making and strategic investment in security controls.

One note of caution when setting up automation: make sure it covers your security estate and controls end-to-end. Some businesses rely too heavily on the automated consolidation of feeds that have little relevance to their estate or their business. Well-designed automation of threat intelligence must improve focus and relevance and not introduce uncertainty to your security operations.

Applying a sector-specific filter

It’s also essential to look at your threat intelligence through the lens of your organisation’s position. When it comes to threat intelligence inputs, not all data is equal. What has hyper relevance to one sector will have little importance to another. Cyber threats targeted around stealing intellectual property mean far more to manufacturers, for example, than they mean to financial institutions. Highly generic threat intelligence simply adds to the volume of data you must wade through to get to anything meaningful. Wherever possible, seek out data that’s contextualised for your industry.

How to establish threat intelligence that’s worth the investment

Turning threat intelligence into actionable information starts with an honest assessment that I break down into three critical steps:

#1 Determine your intelligence goals and risk appetite

Before you begin to look for threat intelligence sources or providers or establish the remits of your analysts, work out what you’re seeking to protect and what your appetite for risk is. Carry out a fresh assessment of the information you already have within your organisation: are you leveraging it? What gaps do you have that you need to fill? Your aim is to define a set of goals against which you can then match services.

#2 Have honest C-suite conversations about your cyber security maturity

There’s no point in having vast volumes of threat intelligence data if you don’t have the skills or experience to interpret this correctly. Decide whether you should go down the route of assessing automated feeds in-house, or whether you’d be better protected if a managed services provider did the interpretation on your behalf.

#3 Work out actionable next steps

Plan for what you’re going to do with your targeted threat intelligence, so it doesn’t just become a box you’ve ticked. Formulate clear playbooks that define the actions you’ll take in the light of the threat intelligence to protect your business.

Follow these steps to turn your streams of threat intelligence data into meaningful, actionable insights that provide robust cyber defences.


