THREAT INTELLIGENCE STRATEGY MAP: FROM TECHNICAL ACTIVITIES TO BUSINESS VALUE

October 2019

Derek E. Brink, CISSP, Vice President and Research Fellow, Information Security and IT GRC
Enterprise use of Threat Intelligence data in cyber security has matured far beyond amassing a sea of raw data about threats, vulnerabilities, and indicators of compromise. In this report, Aberdeen helps you make the connection between technical activities and the ultimate business value of your organization’s Threat Intelligence initiatives.

Threat Intelligence is More Than Just Data — It’s a Process

Data provides the essential foundation for your organization’s Threat Intelligence initiative, but it’s only the beginning of a higher-level value chain (see Figure 1).

Figure 1: Threat Intelligence is a Process

Source: Aberdeen, October 2019

Collect

Sources of data about threats, vulnerabilities, indicators of compromise, and so on are superabundant — which is why identifying those which are most relevant to protecting the confidentiality, integrity, and availability of your organization’s highest-value resources (aka “crown jewels”) is an important precursor to any successful Threat Intelligence initiative. In other words: Security governance should drive the requirements and priorities for the security data you need, based on a risk-based approach.

Security Governance:

Define strategy (planning)

Set policies

Allocate resources

Own accountability (results)

Security Management:

Execute strategy (operations)

Enforce policies

Deploy resources

Own responsibility (actions)

Once identified, the data that’s relevant to your organization needs to be collected from multiple sources, and integrated. Common examples include:

Internal sources, such as the logs that continuously record information about the events that take place throughout your organization’s computing infrastructure (e.g., network devices, servers, virtual machines, endpoints, operating systems, applications, and databases), and the log, information, event, flow, and session data being generated by your organization’s existing security solutions (e.g., vulnerability scanning solutions, intrusion detection and prevention systems, endpoint security solutions, identity and access management systems, and so on).

External sources, which range from publicly available databases of vulnerabilities, exposures, and exploits (e.g., CVE, NVD, Exploit Database, and various vendor-curated offerings), to solution provider research and data feeds; industry organizations; government-led initiatives; security-focused websites, social channels, forums, and discussions; media (news, blogs); and the dark web.

Process

Whether derived from technologies or humans, such data comes in a wide variety of formats — from raw and unstructured, to enriched and consistently packaged. To be useful, the data you’ve collected and integrated must then be processed — which may include normalization, correlation, verification, enrichment, and risk-based prioritization. Perhaps most importantly, threat intelligence must also be framed in the specific context of your organization’s business environment.

Ideally, such processing is done in a highly automated manner, to allow your analysts to maximize the time they spend on higher-value activities:

For tasks that are currently being done by humans, automation and orchestration are essential for faster performance, higher scale, lower total cost, increased consistency, and reduced human error

For tasks that humans are less capable of doing, automation and orchestration are essential to keep up with increasing complexity, keep up with much higher volume, operate at much faster speed, and differentiate more accurately between normal versus abnormal activities and behaviors
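The processing steps described above (normalization, correlation across sources, enrichment with internal context, and risk-based prioritization) in working form, as an added example that is not part of the Aberdeen report. The feed records, the internal sightings, the asset weights, the default confidence and the scoring formula are all constructed assumptions for illustration; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not from the report): two feed shapes, internal
# sightings from telemetry, and asset weights set by security governance.
RAW_RECORDS = [
    {"source": "vendor_feed", "type": "domain", "value": "evil[.]example", "confidence": 80},
    {"source": "vendor_feed", "type": "url", "value": "hxxp://evil[.]example/drop.bin", "confidence": 80},
    {"source": "forum_paste", "line": "domain: EVIL.Example"},   # same domain, different feed
    {"source": "forum_paste", "line": "ip: 198.51.100.23"},
    {"source": "forum_paste", "line": "md5: D41D8CD98F00B204E9800998ECF8427E"},
]
SIGHTINGS = [  # (asset, indicator value) pairs taken from internal logs
    ("db-prod-01", "evil.example"),
    ("laptop-0042", "evil.example"),
    ("laptop-0042", "198.51.100.23"),
]
ASSET_WEIGHT = {"db-prod-01": 5.0, "laptop-0042": 1.0}  # crown jewels weigh more
DEFAULT_CONFIDENCE = 50  # assumed for feeds that carry no confidence field

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo common defanging so the same indicator compares equal across feeds."""
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        value = value.replace(old, new)
    return value.strip()


def normalize(record):
    """Map a record of either supported shape to (type, value, source, confidence)."""
    if "line" in record:  # free-text 'key: value' line, e.g. from a forum paste
        kind, _, value = record["line"].partition(":")
        kind, value = kind.strip().lower(), value.strip()
    else:  # structured feed record
        kind, value = record["type"].lower(), record["value"]
    value = refang(value)
    if kind in ("md5", "sha1", "sha256", "hash"):
        kind, value = "hash", value.lower()
        if not HASH_RE.match(value):
            raise ValueError(f"malformed hash: {value!r}")
    elif kind == "domain":
        value = value.lower().rstrip(".")
    elif kind == "url":  # lower-case scheme and host only; the path is case-sensitive
        scheme, sep, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        value = f"{scheme.lower()}{sep}{host.lower()}{slash}{path}"
    elif kind == "ip":
        if not IPV4_RE.match(value):
            raise ValueError(f"not an IPv4 address: {value!r}")
    else:
        raise ValueError(f"unsupported indicator type: {kind!r}")
    return kind, value, record["source"], record.get("confidence", DEFAULT_CONFIDENCE)


def process(records, sightings, asset_weight):
    """Normalize -> deduplicate/correlate -> enrich with internal context -> prioritize."""
    merged = {}
    for rec in records:
        kind, value, source, conf = normalize(rec)
        entry = merged.setdefault((kind, value), {
            "type": kind, "value": value, "sources": set(), "confidence": 0})
        entry["sources"].add(source)          # correlation: same IOC seen in several feeds
        entry["confidence"] = max(entry["confidence"], conf)

    seen_by = defaultdict(set)
    for asset, ioc in sightings:
        seen_by[ioc].add(asset)

    for entry in merged.values():
        assets = seen_by.get(entry["value"], set())
        entry["assets"] = sorted(assets)
        # Exposure: total business weight of the assets that touched the IOC. This is
        # where the 'crown jewels' context from security governance enters the score.
        exposure = sum(asset_weight.get(a, 1.0) for a in assets)
        # Priority score (assumed formula): confidence x corroboration x (1 + exposure).
        entry["score"] = entry["confidence"] * len(entry["sources"]) * (1 + exposure)
    return sorted(merged.values(), key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in process(RAW_RECORDS, SIGHTINGS, ASSET_WEIGHT):
        print(f"{e['score']:7.0f}  {e['type']:6}  {e['value']:30}  "
              f"sources={sorted(e['sources'])}  assets={e['assets']}")
```

With these inputs the domain reported by two feeds and seen from the production database ranks first, the IP seen only from a laptop second, and the un-sighted URL and hash last: the ordering is driven by internal context, not by the volume of raw feed data.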

Leading solution providers are incorporating advanced analytics capabilities — increasingly augmented by AI and ML technologies — within the Threat Intelligence value chain, to help defenders overcome what otherwise has become a no-win scenario against their attackers.

AI: Artificial Intelligence

ML: Machine Learning

Aberdeen’s analysis of online research activities found that Small (<1K employees) businesses were 41% more likely than Large (>1K) enterprises to be focused on the technical processing aspects of Threat Intelligence initiatives, as compared to establishing a solid foundation by identifying, collecting, and integrating the most relevant sources of security data.

Analyze

Contextualized threat intelligence must then be analyzed, to uncover insights about what’s happening — and to develop recommended actions for what should be done about it. Recommended actions may range from tactical (e.g., investigation, containment, remediation to a pre-incident state) to strategic (e.g., identification of additional security controls or changes in policy, allocation of existing or incremental resources).

This is where many Threat Intelligence initiatives encounter an all-too-common failure mode: an overwhelming mountain of raw and partially relevant data, which results in an underwhelming molehill of context-specific analysis and actionable insight.

Again, this is why automation and orchestration in the upstream aspects of the value chain (collection, integration, processing) have also become essential capabilities for top performance in the downstream aspects (analysis, communication) of successful Threat Intelligence initiatives.

Figure 2 provides empirical evidence of how defender performance using previous approaches has consistently been too little, too late to keep up with that of the attackers: Enterprises take a median of more than 100 days to detect a compromise, with a 10% likelihood of more than 4 years.

Figure 2: Enterprises Have Taken a Median of >100 Days to Detect an Attacker Compromise, with a 10% Likelihood of Taking >4 Years

Source: Data adapted from Mandiant M-Trends 2018; Aberdeen, October 2019

Figure 2 (chart): Attacker Dwell Time Exceedance Curve, plotted as the Y% likelihood that attacker dwell time exceeds X days; x-axis: Attacker Dwell Time (Time to Compromise + Time to Detect), 0 to 2,000 days; y-axis: 0% to 100%. Annotations: median of 101 days (about 14 to 15 weeks) in 2017; "long tail" of more than 4 years; worst case = years; best case = seconds. Global median dwell time by year (days): 2011: 416; 2012: 243; 2013: 229; 2014: 205; 2015: 146; 2016: 99; trend line R² = 0.9636.

Automation: Self-running of a single process or workflow

Orchestration: Coordination and self-running of multiple processes or workflows.

Why automation and orchestration matters: The global median for Attacker Dwell Time, i.e., time to compromise by attackers plus time to detect by defenders, was about 101 days (14 to 15 weeks) in 2017, with a “long tail” of more than four years. Defender performance using previous approaches has consistently been too little, too late.


Share

Most importantly, the insights and actions generated by your Threat Intelligence initiative must be effectively shared with the people and teams throughout your organization who will use them to help inform their decisions. As with any effective communication, this requires knowing your audience(s) — so you can personalize the information you provide for each of them, based on factors such as:

What role they have, and how the information you provide can help them to make better-informed decisions

What information they need, and how often they need it

What format / medium for receiving information is most convenient

What mechanisms for clarifications and questions are most helpful

In other words: Find out what they want, and how they want it, and give it to them just that way.

With this in mind, let’s consider who are some of the key people and teams that your organization’s Threat Intelligence initiative can support.

Threat Intelligence Serves Multiple People and Teams

In practice, successful Threat Intelligence initiatives generate insights and actions that can help to inform the decisions — both tactical, and strategic — of multiple people and teams, throughout your organization (see Figure 3).

Figure 3: Threat Intelligence Serves Multiple People and Teams

Source: Aberdeen, October 2019


The beneficiaries of such insights and actions include:

Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation, and escalation that takes place in the Security Operations Center.

Level 2 / 3 analysts — for example, to support the in-depth prioritization, investigation, containment, and remediation of an Incident Response team; and the proactive efforts of experts on Threat Hunting and Counter Fraud teams.

Operational leaders — for example, to help the leaders of Security Operations and IT Operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

Strategic leaders — for example, to help Chief Information Security Officers and other senior leaders to allocate resources and make better-informed business decisions about managing cyber security-related risks to an acceptable level.

In Figure 3, notice also how your Threat Intelligence initiative can make valuable contributions in multiple dimensions of time — from real-time (e.g., in the Security Operations Center), to responsive / backward-looking (e.g., in Incident Response and IT Operations), to proactive / forward-looking (e.g., Threat Hunting, Counter Fraud, and Security Governance).

Ultimately, Threat Intelligence is About Managing Your Risks

The principal business value of your organization’s Threat Intelligence initiative is to help make better-informed business decisions about your security-related risks (see Figure 4).

Figure 4: Threat Intelligence is About Managing Your Risks

Source: Aberdeen, October 2019

Threat Intelligence initiatives can make valuable contributions in multiple dimensions of time:

Real-time (e.g., Security Ops)

Responsive (e.g., Incident Response, IT Ops)

Proactive (e.g., Threat Hunting, Counter Fraud, Security Governance)


It’s important to note that this includes not only the traditional, technical focus of protecting against the negative business impact that may result from a loss of confidentiality, integrity, or availability of your information resources. These are sometimes referred to as “unrewarded” risks, in the sense that they’re primarily focused on dealing with potential downside.

In addition, Threat Intelligence initiatives can also support the business-oriented focus of enabling the positive business impact from the organization’s strategic initiatives — including high-profile areas such as digital transformation, productivity, and collaboration. These are sometimes referred to as “rewarded” risks (or more commonly, opportunities), in the sense that they’re primarily focused on achieving potential upside.

Whether rewarded or unrewarded, there are inherent uncertainties about both the likelihood and magnitude of the outcomes — which is precisely what makes them risks, as opposed to facts.

Not all risks need to be addressed. Risks can be:

Avoided (e.g., by not undertaking a given initiative at all)

Accepted (e.g., proceed as planned)

Transferred to other parties (e.g., through contractual means, or through insurance)

Managed to an acceptable level (e.g., through an investment in an appropriate mix of controls and countermeasures).

A great many security professionals firmly believe in their hearts — mistakenly — that their fundamental purpose is to counter all threats, remediate all vulnerabilities, and mitigate all risks. On the contrary, however, their fundamental purpose is to manage security-related risks to a level that the organization’s senior leadership team (which owns the risk) deems to be acceptable.

As a specific example: Based on publicly available empirical data for the likelihood, size, and total business impact of a data breach in the private sector, Aberdeen’s straightforward Monte Carlo analysis provides quantitative insights for the annualized risk of a data breach in a way that’s actually helpful for making a better-informed business decision:

A median total business impact of about $500K

A 90% likelihood of experiencing at least some business impact, and a 10% likelihood that the total business impact could be more than $1.8B — the latter is the “long tail” of risk that is so important to help the senior leadership team to understand, as this is typically the area of the risk curve where decisions get made.

Potential responses to risk:

Avoid (e.g., don’t try)

Accept

Transfer

Manage to an acceptable level (e.g., through an investment in an effective Threat Intelligence initiative)

To the extent that the senior leadership team deems this level of risk to be unacceptably high, we can now have a meaningful business discussion about how an investment in a Threat Intelligence initiative can help to reduce that risk to an acceptable level.
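Both curves the report describes, the attacker dwell-time exceedance curve of Figure 2 and the Monte Carlo estimate of annualized data-breach risk above, can be reproduced from the quantiles the report states. The following is an added example, not Aberdeen's own model or data: it assumes a lognormal shape for dwell time and for the size of a breach given that one occurs (the report gives the median and the 10% tail, not the distribution in between), calibrates each from those two stated points, and treats "90% likelihood of at least some impact" as an annual occurrence probability. Function and constant names are this example's own.

```python
import math
import random
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal: mean 0, standard deviation 1


def lognormal_from_quantiles(x1, p1, x2, p2):
    """Return (mu, sigma) of the lognormal whose CDF passes through (x1, p1) and (x2, p2).
    ln(X) ~ Normal(mu, sigma), so ln(x) = mu + sigma * z(p) at each quantile."""
    z1, z2 = STD_NORMAL.inv_cdf(p1), STD_NORMAL.inv_cdf(p2)
    sigma = (math.log(x2) - math.log(x1)) / (z2 - z1)
    mu = math.log(x1) - sigma * z1
    return mu, sigma


def exceedance(mu, sigma, x):
    """P(X > x) for lognormal(mu, sigma): one point on a 'Y% likely for values > X' curve."""
    return 1.0 - STD_NORMAL.cdf((math.log(x) - mu) / sigma)


# --- Figure 2: dwell-time exceedance curve ---------------------------------
# Calibrated to the two points the report states: median 101 days and a 10%
# chance of more than four years. The lognormal shape in between is assumed.
DWELL_MU, DWELL_SIGMA = lognormal_from_quantiles(101.0, 0.50, 4 * 365.25, 0.90)


def dwell_time_exceedance(days):
    """Likelihood that attacker dwell time exceeds `days`."""
    return exceedance(DWELL_MU, DWELL_SIGMA, days)


# --- Annualized data-breach risk, Monte Carlo ------------------------------
# Stated in the report: 90% likelihood of at least some impact, unconditional
# median impact of about $500K, 10% likelihood of more than $1.8B.
P_IMPACT = 0.90
MEDIAN_IMPACT = 500_000.0
TAIL_IMPACT = 1_800_000_000.0
TAIL_PROB = 0.10


def fit_impact_distribution(p_impact=P_IMPACT, median=MEDIAN_IMPACT,
                            tail=TAIL_IMPACT, tail_prob=TAIL_PROB):
    """Lognormal for the impact *given that an event occurs*, chosen so the
    unconditional quantiles match. Since P(L > x) = p_impact * P(L_event > x),
    the conditional CDF at x must equal 1 - P(L > x) / p_impact."""
    return lognormal_from_quantiles(median, 1.0 - 0.5 / p_impact,
                                    tail, 1.0 - tail_prob / p_impact)


def simulate_annual_loss(n=200_000, seed=2019):
    """Monte Carlo: each trial is one year. A loss occurs with probability P_IMPACT
    and its size is drawn from the fitted lognormal; otherwise the year's loss is 0."""
    rng = random.Random(seed)
    mu, sigma = fit_impact_distribution()
    return [rng.lognormvariate(mu, sigma) if rng.random() < P_IMPACT else 0.0
            for _ in range(n)]


def loss_exceedance(losses, x):
    """Empirical P(annual loss > x) over the simulated years: the loss exceedance curve."""
    return sum(1 for loss in losses if loss > x) / len(losses)


if __name__ == "__main__":
    print("dwell time: P(>30 d)=%.2f  P(>1 y)=%.2f  P(>4 y)=%.2f" % (
        dwell_time_exceedance(30), dwell_time_exceedance(365), dwell_time_exceedance(1461)))
    losses = simulate_annual_loss()
    for x in (0, 5e5, 1e7, 1.8e9):
        print(f"P(annual loss > ${x:,.0f}) = {loss_exceedance(losses, x):.2f}")
```

The "long tail" the report emphasizes is the right-hand end of `loss_exceedance`; a proposed control that lowers P_IMPACT or shrinks the impact distribution can be rerun through `simulate_annual_loss` and compared on that tail, which is the discussion the paragraph above calls for.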

The connections between technical activities and business value for your Threat Intelligence initiative are summarized in Figure 5.

Figure 5: A Threat Intelligence Strategy Map — Making the Connection Between Technical Activities and Business Value

Source: Aberdeen, October 2019


Some readers may notice that Figure 5 is a simplified application of the well-known Balanced Scorecard framework, which, since 1992, has helped organizations of all types to describe, communicate, and execute their strategies more effectively by focusing on the cause-and-effect relationships between activities and outcomes.

Summary and Key Takeaways

Data about threats, vulnerabilities, indicators of compromise, and so on provides the essential foundation for your organization’s Threat Intelligence initiative, but it’s only the beginning of a higher-level value chain:

The data that’s relevant to your organization needs to be collected from multiple sources, and integrated.

To be useful, the data you’ve integrated must then be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment.

Contextualized information must then be analyzed, to uncover insights about what’s happening — and to develop recommended actions for what should be done about it.

Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization, who will use them to inform their decisions.

In practice, successful Threat Intelligence initiatives generate insights and actions that can help to inform the decisions of multiple people and teams, throughout your organization, including:

Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation, and escalation that takes place in the Security Operations Center.

Level 2 / 3 analysts — for example, to support the in-depth prioritization, investigation, containment, and remediation of an Incident Response team; and the proactive efforts of experts on Threat Hunting and Counter Fraud teams.


Operational leaders — for example, to help the leaders of Security Operations and IT Operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

Strategic leaders — for example, to help Chief Information Security Officers and other senior leaders to allocate resources and make better-informed business decisions about managing cyber security-related risks to an acceptable level.

In these ways, your Threat Intelligence initiative effectively supports both roles of the modern security and risk professional:

Subject-Matter Experts, who are increasingly called upon to be business-oriented technologists, and

Trusted Advisors, who are increasingly required to be tech-savvy businesspeople.

Ultimately, the value of your organization’s Threat Intelligence initiative is to help the senior leadership team make better-informed business decisions about your security-related risks:

Unrewarded risks: These include the traditional, technical focus of protecting against the negative business impact that may result from a loss of confidentiality, integrity, or availability of your information resources.

Rewarded risks (or more commonly, opportunities): Threat Intelligence initiatives can also support the business-oriented focus of enabling the positive business impact from the organization’s strategic initiatives — in high-profile areas such as digital transformation, productivity, and collaboration.

Whether rewarded or unrewarded, there are inherent uncertainties about both the likelihood and magnitude of the outcomes — which is precisely what makes them risks, as opposed to facts.

Not all risks need to be addressed. Responses to risk include avoid, accept, transfer to other parties, or manage to an acceptable level — e.g., by making an investment in an effective Threat Intelligence initiative.


Related Research

Defeating the Kobayashi Maru Scenario of Cybersecurity: It’s Time for a Change; November 2018

The Business Value of a Security Monitoring and Analytics Platform; September 2018

Managing Complex, Virtualized Computing Infrastructure: “2 Out of 3” Is Not Enough; June 2017

Quantifying the Value of Time in Threat Detection and Incident Response; February 2017

About Aberdeen Group

Since 1988, Aberdeen Group has published research that helps businesses worldwide to improve their performance. Our analysts derive fact-based, vendor-neutral insights from a proprietary analytical framework, which identifies Best-in-Class organizations from primary research conducted with industry practitioners. The resulting research content is used by hundreds of thousands of business professionals to drive smarter decision-making and improve business strategies. Aberdeen Group is headquartered in Waltham, Massachusetts, USA.

This document is the result of primary research performed by Aberdeen Group and represents the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group.
