As our global economy continues to expand and evolve in its use of technology, it also builds its dependence upon the digital infrastructure that underpins that growth. We see companies around the globe making great advances in their core businesses and at the same time we see them increasingly struggle with securely operating their digital infrastructure and data, complying with a myriad of regulations, and managing the risks that are inherent in our connected world.
The risks that come with this dependence on digital infrastructure create new threats to core businesses that every company in the world is struggling to manage. Many of the traditional ways to identify and manage risk focus on internal operations, infrastructure, and security controls. More sophisticated organizations also use an understanding of the impact a cyber incident may have on their business operations, brand, and bottom line.
However, most risk management programs overlook the fact that the adversary gets a vote. Every incident and threat that companies face today comes from an intelligent set of adversaries who will evolve in order to continue to achieve their malicious goals. Those adversaries have their own particular set of priorities, inclinations, and methods of achieving their goals and will target different industries and individual organizations in many different ways.
The burning question then becomes why hasn’t the intelligence that we have about adversaries been embedded into risk management programs? To be fair, threat intelligence is increasingly being used in operations to prioritize actions that machines and analysts take and to shape the priorities of cybersecurity teams. However, as one moves up the corporate chain, intelligence about adversaries is not used as extensively as in security operations.
To be used effectively in risk management, cyber threat intelligence can be injected at three different levels: the analyst level, the CISO/security team leadership level, and the C-suite/board level.
The analyst level is where we see the most mature and extensive use of threat intelligence to manage risks. While some may say intelligence is a part of normal cybersecurity operations, it also provides a mechanism to prioritize efforts and focus on the biggest risks first. For example, a security operations center analyst can use intelligence to prioritize tickets that he or she must analyze.
It can also be used to prioritize patching. Intelligence that provides information about what vulnerabilities are actively being exploited can be used to help decide which patches should be applied first. In this way, threat intelligence can be used to allocate the most valuable resource any security team has, analyst time and skill, to the most pressing issues first.
However, if organizations focus only on the day-to-day operational issues they will often miss the bigger picture and the opportunities to implement more proactive cybersecurity. CISOs and other leaders in security teams can use cyber threat intelligence to transition from a purely internal view to a proactive security posture by using threat intelligence to help identify malicious trends that impact their particular organization or industry.
These insights should inform where they may allocate current resources. For example, if phishing is the primary vector that the company is being attacked through, then having analysts examine the events associated with email could be prioritized over other potential projects.
Intelligence-driven risk management has made great inroads in cybersecurity organizations; however, it is not widely used at the business level. Most enterprise risk management programs, which are driven at the corporate level, grew out of safety, industrial, compliance, and financial risk. These programs often have evolved to also capture cyber risks but generally don’t consider an intelligent and evolving adversary.
Understanding the strategic threat landscape that an individual company faces is an extremely important element of corporate strategy and risk management. Strategic intelligence can be leveraged to help draw a clear understanding of the risks that the threat environment poses to the core business of a company.
For example, in NTT Security’s Global Threat Intelligence Report (GTIR), we saw a trend in increasing attacks against technology companies, most likely to access another targeted supply chain. Armed with this type of intelligence a company’s technology strategy should consider how they might be considered an avenue of attack to another company and the liability associated with that.
Another example would be to use intelligence to understand trends in new service offerings. In the GTIR we also saw a trend in attacks against professional services companies with the likely reason to access those companies’ client data. Armed with this type of intelligence companies considering service offerings that retain sensitive client data can make more appropriate decisions regarding the level of security they may want to implement.
In our global and interconnected world all cybersecurity should be a multi-layered strategy that is a core part of a broader risk management program. However, that risk management program must take into account the dynamic nature of cybersecurity and our adaptive adversaries. By using cyber threat intelligence at multiple layers, companies can improve their understanding of the risks, where they may evolve, and how to mitigate them.