For nearly the last twenty years, enterprise security teams have been fighting threats to their business much like hapless teenagers fight demons in horror movies. Let me paint you a scene. Four people fleeing a horde of some type of evil take refuge in a run-down backwoods cabin in the middle of nowhere. It’s presumably the middle of the night and completely dark outside. They have only a few rounds in the shotgun they found in the basement. All four of the trapped have different agendas, allegiances, and motives. The problem is they don’t really like each other all that much, but what they don’t know is it’s an all-or-nothing survival. All they have to do is make it ’til morning.

If you’re saying to yourself, “how does this even remotely sound like what we do in security?” you’ve clearly not been paying enough attention.

Let’s make a few pretty clear comparisons between the hapless teenagers (“them”) and security:

  • They have absolutely no visibility outside the immediate perimeter. That perimeter is likely the walls of the house they’re huddled in. This should remind you of classic enterprise security—your visibility is limited to what crosses (or attempts to cross) your perimeter. If you’re not being attacked with some nasty piece of malware at this time, you probably won’t know about it. Whether this is a restriction on time, workload, or a myriad of other excuses, it’s a fact.

  • Their perimeter is ill-adapted to their enemy. If you’re fleeing a pack of wild dogs and you take shelter in an abandoned cabin, odds are you’re pretty safe. However, if you’re running from an onslaught of the undead and evil spirits, you’re about to have a bad night. Much like this example, your enterprise security perimeter is ill-adapted for the type of adversary you’re facing. Since most of us don’t really know what is of value in our organization, we try to extend the perimeter to be “everything” that belongs to the company. While that’s commendable, it’s not the wisest approach. A series of concrete barricades will stop a semi-truck, but it will likely do nothing against armed humans storming the castle. My educated guess is that a firewall and signature-based IPS are decent if your threats are mainly static malware from the early 2000s and script kiddies. However, when it comes to real threats like saboteurs or nation-state sponsored bad guys, you’re in a heap of trouble.

  • They can’t tell the bad guys from themselves. Much like some of the B-rated horror flicks of my youth, this group is being pursued by an amorphous evil. It can take the shape and form of any one of the four and, using the trust inherent in human behavior, take over and sabotage the group. Insiders—willing or not—pose a challenge to you. Not being able to tell good guy from bad guy is a very real scenario. It’s amplified in the corporate IT space where seemingly everyone is slightly different and doing something just a bit too different to pattern.

  • They can’t easily identify a win scenario. Think about this for a second: How do these four go about “winning”? Making it through to morning without dying only ends the movie, but in real life they’ve got a big problem. Say you manage to blow a hole in one of the evil things since it possesses your best friend. Clearly your best friend is going to need some help and you have no idea if you’ve injured the bad things. Maybe, maybe not. The show “Supernatural” has taught me a lot about killing evil spirits, but I’m not entirely sure I want to try my hand—mainly because I don’t want to be shooting rock salt at an evil that requires some magical object to dispose of permanently. That’s just asking for a rough day.

  • They have competing interests. You’d think that in a scenario like the one I laid out, everyone would be getting in line, offering their support for each other, and just trying to survive. Sure, except that Mike hates everyone, Jim is just basically trying to get close to Susan, Susan is too busy only thinking of herself, Mary is secretly hoping Mike gets it first, and of course they all carry different belief systems. Some of your security team sees security as very black and white—where you need to turn up the security of a system at the expense of usability or business processes. Others see it as a murky risk formula they’ve just developed. Others have “compliance brain” with that task as their one and only focus.

Rafal will be speaking on this topic at the 2016 Threat Intelligence Summit taking place in New Orleans from Dec. 6 to 8.


What does this have to do with business value of cyber threat intelligence (CTI)? Everything.

  • Visibility – the kind of visibility you can get from externally sourced intelligence data can expose gaps you haven’t even thought about. That is to say, if you’re applying data models and workflows, that’s not a given. At least you should know your attacker’s motivations, tactics, techniques, and procedures.

  • Perimeter – While our perimeter isn’t going to go back to “simple,” your security team should at least be spouting hard data when it comes to helping build more interesting defenses. If you have your external access buttoned down, except for your test web gateways, then you know you really have nothing buttoned down. This will likely take a revolutionary effort to change in the enterprise.

  • Bad Guy Identity – At one point in time, being able to tell bad people from good ones only took a few clicks of the mouse. That’s obviously changed. But being able to “see” into people’s behavioral patterns to distinguish between baseline and outliers is critically important.

  • Finding a Win – If you’ve been breached and you identify the attackers, then what? Do you know how to completely remove all of their entry points, patch the vulnerabilities they exploited, and get training out to your users just in time to keep the rest of them safe? If you don’t, then you likely only removed one or a few of their commandeered hosts. The attacker will regroup and hit you once you think you’re safe again. Unless, that is, you’ve completed your siege!

  • Competing Interests – While some of your organization is going for check-the-box compliance, others are trying to be hardcore secure, and yet others are just out for themselves or their department. Meanwhile, you get to play referee.

It’s important for you to incorporate cyber threat intelligence information (not raw data) into your analyses and strategies, at the very least. You should leverage that content to overcome all these shortcomings the people in the cabin will never see coming. The problem is many of us can’t figure out how to turn what is easily lost as a buzzword (like “CTI”) into business value. The real value comes from operationalizing the CTI team, and collecting and analyzing the right types of data to answer the key questions your stakeholders have. Period.

If your CTI team isn’t doing this, you’re doing it wrong.

Take a hard look at your company’s desire to institute a CTI team. Do your executive sponsors want shiny reports quarterly, real-time analytics from threat data to stop network-borne malware, or something else? How do you turn that cool term “cyber threat intelligence” into business value? Simple! You take that programmatic approach and start with stakeholders and requirements, then model what you have in terms of available resources, and then execute to plan.

Good luck! May you have enough advanced warning, data, and raw intelligence, combined with the desire to perform security in a more effective manner, to turn a buzzword into something every company should be doing at some level. The programmatic approach is the only viable strategy. But if you’re not taking that approach, find a different cabin in which to hide. This one ends badly for the people inside.

 



Rafal Los brings a blend of pragmatism and thought leadership in his approach to enterprise information security. As managing director, solutions research and development at Optiv, Los helps organizations build mature, defensible and operationally efficient security programs. Leveraging over 15 years of technical, consulting and management skills, his team researches, develops and delivers program strategy frameworks and maturity models, and provides operational guidance from across industry verticals and varying maturity levels.