The coming reckoning: Showing ROI from threat intelligence

Threat intelligence has been a part of cyber defence processes in the private sector for nearly a decade now. Many threat intelligence teams were initially composed of classically trained intel operators from the public sector, where they focused on gathering data to thwart national security threats. And as these teams grew and adjusted to protecting against customer data breaches and disruptions to services, growing pains associated with working in a corporate environment were to be expected.

Expectations are changing, though. Security operations are maturing, and as threats have continued to evolve, enterprises have made significant investments in security infrastructure. C-suites and boards are increasingly involved in security decision-making, and studies show that they are doubling down on security investments, which are expected to rise to $458.9 billion in 2025 from $262.4 billion in 2021.

But with increased investment comes scrutiny and rigorous competition for dollars across IT and security teams. However, for threat intelligence teams, it appears old habits die hard. Many remain in the government intel mindset, focused on funneling data to the security operations centre (SOC) and have limited experience in extending threat intelligence to other parts of the business, communicating the resulting value and justifying the investment required.

After nearly a decade of threat intelligence going corporate, a reckoning is coming. It’s time for CISOs and threat intel teams to start working together and prove that threat intelligence is not a cost centre but drives value across all security operations.

As threat intel teams mature, here are three recommendations to help create a shift in mindset and demonstrate the full value it provides.

Think of the threat intel team as the providers of a product

Security organisations consist of many different teams. The threat intel team needs to support all these stakeholders with contextualised intelligence for their specific use cases. Yes, the SOC needs indicators of compromise that have been contextualised to show these are relevant and high priority so they can add these to the watch list for monitoring. However, other teams need intelligence curated for their purposes as well.

For example, incident response (IR) teams need context around adversaries, campaigns and the infrastructure used so they can accelerate responses. Threat hunters need details of the campaigns being run and the adversaries’ motivations and tactics so they can look for activity that has bypassed defences. Patch management teams need to know which vulnerabilities are actively being targeted in the wild, if exploits are successful and if the threat is relevant for the organisation so they can prioritise patching.

VIEW ALL

Contextualised threat intelligence is a force multiplier, ensuring all teams are focused on relevant, high-priority issues so they can make the best decisions and take the right actions.

Prioritise integration

An open integration architecture is critical for automating the dissemination of contextualised threat intelligence across teams and tools. Bi-directional integration enables the threat intel team to access data from a wide range of internal and external sources that provide context, including systems, tools, vulnerabilities, identities and more.

Once threat intel analysts have analysed and prioritised the data, they can share it with the teams that make up the security organisation and receive data for continuous collaboration, learning and improvement. Integration with existing infrastructure also enables teams to work with the tools they already have to drive faster, more accurate action. For enterprises looking at extended detection response (XDR) solutions, where contextualised and prioritised threat intelligence must flow through all systems easily and reliably, bi-directional integration is imperative.

An open integration architecture to support the flow of data increases the efficacy and efficiency of teams and tools across security operations.

Formalise executive reporting

As threat intel teams start working more closely with other security teams, they will be able to demonstrate additional value in terms of operational efficiencies. CISOs will be able to formalise reporting, explaining in greater detail the unique challenges the company faced, how the threat intel team overcame them, the value delivered, lessons learned and how to continue to improve security operations.

For example:

• How and what type of malicious activity was sighted, and the steps taken to contain and remediate it.
  Why you believe certain campaigns could be targeting the organisation and what you are monitoring for.
  How you’re proactively strengthening defences, such as prioritising patching of vulnerabilities being leveraged by threat actors that may start to target your industry.

A reckoning is coming, so start preparing now. Delivering curated threat intelligence to more teams that need it, enabled with bi-directional integration, will allow CISOs and their teams to prove threat intelligence is far from a cost centre. In fact, threat intelligence can deliver value that permeates the organisation across multiple initiatives and use cases, empowering teams to work faster and more thoroughly when defending against evolving attacks.

Chris Jacob is the global vice-president, threat intelligence engineers at ThreatQuotient.