Threat Intelligence Sharing: Is Your Enterprise Ready?

Shawn Drew By Shawn Drew
August 25, 2015

There's little wonder why the concept of threat-information sharing is becoming so popular: It represents a state where security professionals can share and access real-time threat information, greatly increasing their ability to respond to emerging threats.

But while the concept of open threat intelligence is gaining significant traction, the movement is still truly in its infancy. Enterprise CISOs need to understand where this trend stands in order to better prepare intelligence efforts within their organizations.

The Industry's New Buzzword

The recent surge toward open technologies has allowed ideas to flourish — ideas that, not too long ago, seemed more flights of fancy than actual possibilities. True threat intelligence is one such concept, as the barriers of secrecy surrounding IT departments begin to wither away under pressure from openness and productivity.

There's little doubt that at one point or another, every security professional has thought about a platform where those within the industry can share information regarding attacks, threats and even ideas on how to better prevent cybercrime. The information gleaned from such a repository can save thousands of hours of investigation into new attacks, and can be combined with advanced analytics to predict trends across an industry — or even the world.

But of course, threat intelligence doesn't require openness, and that's part of its current problem. As this ESG report points out, the majority of intelligence programs are built around consuming existing information. Right now, that's holding everything back.

The Real State of Information Sharing

According to ESG, the vast majority of enterprises have some sort of security intelligence program within their organizations, with 43 percent of survey respondents rating their program as "very mature." But the report also finds a number of faults within these programs.

First, they exist without the tools that have automated the rest of the IT department. Reliance on manual processes not only reduces the cost/benefit effectiveness of these programs, but also prevents the intelligence from receiving the benefits of advanced analytics. Another aspect of this issue can be seen in how intelligence programs interact with the rest of an enterprise: IT still hasn't fully integrated these programs into the communication, collaboration and other IT workflows, which greatly reduces a program's overall impact.

Perhaps the largest issue of all, however, is that the majority of advances being made within this sector concern consumption, rather than sharing. There are indeed a number of places to get security intelligence, but this pales in comparison to the amount of sheer knowledge that's currently locked away within individual organizations. Some sharing is constantly taking place, but at the moment it's far more likely for information to be shared off-line with trusted associates than with the industry at large. In order for the technology industry to get serious about security intelligence, it has to find a way to get people sharing, rather than just consuming, information.

CISO Best Practices for Adoption

Despite its issues, threat intelligence — both at the organizational and industry-wide level — remains one of the most promising concepts within InfoSec. Granted, even a fully mature model may have issues, such as nefarious actors gaining visibility into the stream of shared data, but the overall benefits far outweigh the risks.

CISOs have to realize that, given the recent rates of change, their InfoSec efforts in five years will look nothing like they do today, and threat intelligence is a big part of that. For those organizations that have not initiated some sort of security intelligence operation, now is an excellent time to start. For those already on the path, the focus should be on solving any issues with consumption and deployment, and then moving toward an open, shared solution.

For CISOs, the first major hurdle will concern the integration of threat intelligence with existing workflows. Time must be taken to learn how IT departments currently consume information, whether it's through the use of collaborative tools, e-mail or even verbal interaction. The CISO can then decide on either how to integrate security intelligence into that system, or how to develop a better communication system using that intelligence as the starting point.

CISOs must then develop new solutions, or transform existing solutions, to gain insight from the newly collected data without having to devote actual personnel to just that task. Finally, once information is flowing into, and then through, the organization, CISOs can turn to having it flow out. As more and more organizations grow mature in this manner, the overall ability for the industry as a whole to fight cybercrime will rise exponentially.

Want to keep a few more tips in your pocket? Check out The New CISO's Tool Kit. With insights, white papers, infographics and Gartner research reports, it's a great resource for new and veteran CISOs alike.

Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.