
The Expert View: Proactive Threat Intelligence

Sponsored by Rapid7

Attaining actionable cyber security intelligence is a challenge for CISOs, but they are also wrestling with changing regulations and how best to communicate with the board.


“The last 12 months have been the most stressful and fraught time in my career,” Raj Samani, Senior Vice President and Chief Scientist at Rapid7, said at a TEISS breakfast briefing at the Goring Hotel in London. He told delegates, all senior cyber security experts from a range of sectors, that many threat groups have drastically expanded their capabilities in the last eight months, posing a challenge for threat intelligence.

 

He added that simply accumulating intelligence is not enough because that creates too much noise and distraction for businesses to be able to identify meaningful insights. What is needed is actionable intelligence.

 

Identifying new threats


One attendee said that intelligence comes in two general types. There is intelligence on previously known threats, and intelligence on new and emerging threats. He said systems that are good at one tend to be weak at the other. For example, a system that monitors ongoing threats might dismiss something new precisely because it hasn’t been seen before.

 

He gave the example of a castle that is under constant attack from arrows. This isn’t a problem because those attacks are easily withstood. However, if the enemy develops a cannon, then you need to know immediately because your castle walls may no longer be sufficient to keep you safe.

 

Military analogies were common - unsurprisingly, given the topic - with another participant noting that intelligence is often valuable when it tells you where the enemy is putting their forces. Then you can plan appropriately for where your defences should go.

 

Breaking the attack chain


However, those at the briefing agreed with Mr Samani that actionable intelligence is vital. It’s not about ‘speeds and feeds’, as one delegate put it, but about putting context and understanding around the information so you have some guidance for what to do. For example, a new vulnerability might be a serious threat for one organisation but a low priority for another, based on how their systems are designed.

 

What defenders are really looking for is just one point where they can break the attack chain. That’s all they need to neutralise a threat, so intelligence that can identify those points is enormously useful.

Businesses may have the tools to do this already. An attendee pointed out that many companies adopt tools to handle one task, or a handful of tasks, and don’t use them to their full capabilities. Getting the maximum out of their tools could be one way for companies to improve their proactive threat intelligence.

 

Regulatory concerns


Two themes dominated the thoughts of delegates, however: the impact of regulation, and communication with the board. Throughout the briefing, discussion continually returned to these topics, indicating just how significant they are.

 

Regulation is seen as both a benefit and a hindrance. For example, attendees like the fact that regulations provide some clarity in handling risk. And there was broad agreement that companies in regulated industries, such as financial services, gain some benefits from having no choice about certain processes and controls.

That said, there are perceived downsides to regulation too. One participant expressed frustration that some cyber security regulations require companies to report their vulnerabilities, which are precisely the things that they are hoping to hide!

 

Communicating with the board


On the subject of communicating with the board, there was almost unanimous frustration. Although more boards are adding members with an understanding of cyber security, most of those at the briefing said there was still a widespread lack of knowledge. Board members still want to know why cyber risk is high when they are spending so much on cyber security, and they tend to focus on the issues they do understand and ignore those they don’t.

Some attendees argued that expecting the board to change is a waste of energy. Instead, security experts should adapt. As one participant put it: “Do we need the board to speak tech or do we need to speak business?” He proposed simple adjustments such as referring to ‘service risk’ instead of ‘cyber risk’.

 

Ultimately most boards just want to be sure that they have adequate controls in place, said Corey Thomas, Chairman and CEO of Rapid7. He said the challenge is that it is hard to explain what is adequate, but security specialists can begin by talking about the threshold for negligence and build from there. No board wants to be considered negligent.

 

Summing up, Mr Thomas said that he detected a positive trend in the conversation. A few years ago, he said, the discussion would have been far more tactical. Now, the focus is strategic. Even though there is work to be done, the conversation is clearly maturing and acquiring more structure. Proactive threat intelligence plays a clear role in this structure.


To find out more, please visit: www.rapid7.com


© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543