ACHIEVING THE VALUE OF THREAT INTELLIGENCE:

Transcription

1 ACHIEVING THE VALUE OF THREAT INTELLIGENCE: BY ANDREW KOMAROV CHIEF INTELLIGENCE OFFICER INFOARMOR, INC.

2 Achieving the Value of Threat Intelligence: Today s cyber landscape is more sophisticated than ever before. To navigate it safely and ensure your business and customers are properly protected, you need to understand what type of threats are out there and what risks they pose to you. This is where threat intelligence comes into play. Despite the millions of attacks that happen each day, not all threats are created equal. But it is this overwhelming number of attacks that bad actors count on to cause confusion and paranoia. Putting this into perspective, for its 2016 Data Breach Investigations Report, Verizon used a dataset of 64,199 security incidents and 2,260 data breaches. It is a game of cat and mouse, and the bad guys are winning. The reality is that not every attack vector is pertinent to your organization. Determining which ones are relevant and aligning resources to focus in on those attack vectors where the real value in threat intelligence takes shape. To get the most out of threat intelligence, organizations must be able to customize and shape the information they collect and analyze, and compare that against their unique environment. Relying on generic data feeds will add confusion to your protection efforts and therefore obfuscate what is most important. Many organizations are challenged by sifting through the enormous amount of available data to find what is pertinent to them, which creates a huge burden for already constrained IT security resources. Data breaches have gained widespread attention as businesses of all sizes become increasingly reliant on digital data, cloud computing, and workforce mobility. With sensitive business data stored on local machines, on enterprise databases and on cloud servers, breaching a company s data has become as simple or as complex as gaining access to restricted networks. These attacks show no signs of slowing down. Here is a list of some of the more memorable breaches over the last 10 years. TK/TJ Maxx: 94 million records compromised in 2007 Sony PlayStation Network: 77 million records compromised in 2010 Sony Online Entertainment: 24.6 million records compromised in 2011 Evernote: 50 million records compromised in 2013 Living Social: 50 million records compromised in 2013 Target: 70 million records compromised in 2013 ebay: 145 million records compromised in 2014 Home Depot: 56 million records compromised in 2014 JP Morgan Chase: 76 million records compromised in 2014 Anthem: 80 million records compromised in 2015 OPM: 21 million records compromised in 2015 IRS: 700,000 records compromised in Service Providers: 270 million records compromised in 2016 Banner Healthcare: 3.7 million records compromised in

3 THE NECESSITY OF THREAT INTELLIGENCE As alluded to above, the plethora of threats in today s cyber world is enough to overwhelm the largest and best funded organizations and governments. That is why we continue to see breach after breach. It doesn t matter how much money you throw at the problem if you don t address it strategically. For example, the average U.S. company of 1,000 employees or more spends $15 million a year battling cybercrime, according to the 2015 Ponemon Institute Cost of Cyber Crime Study yet breaches continue to happen. The dilemma for most companies is that they think they either have all that they need (with anti-virus and firewalls) in order to be protected, or they believe it will only happen to the guy next door. Unless yours is a well known and large organization, you may feel that you are not a high priority target, so the benefit of implementing a threat intelligence solution doesn t seem obviously apparent. This mindset is based on years of business models that focused on spending money on necessary line items, and on avoiding costs that don t demonstrate an immediate return on investment (ROI). Immediate satisfaction is often not possible when it relates to cybersecurity. Whether yours is a larger corporation or a smaller business, the internet has created a threat landscape that affects all organizations. The mindset needs to shift from I am not a target to when I become a target I need to be ready. Think of threat intelligence from an insurance standpoint. Companies pay for all sorts of insurance, with the hope that they never have to cash in on those policies. While they may never need to use that insurance, if they didn t have it and something was to happen, the resultant financial stresses could be disastrous for the business. The same can be said for cybersecurity. Ask yourself: what is the value of my business or its reputation if our organization becomes a victim of a breach or ransomware event? For many, a significant breach could mean the failure of the business. A recent Ponemon Institute study, 2016 Cost of Data Breach Study: Global Analysis, found that the average total cost of a data breach for the 383 participating companies increased from $3.79 million to $4 million over the prior year. While this is just an average, they also found that the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year s study. So depending on how many records are stolen (note the examples above), the costs could be devastating. When put into the proper perspective, the question no longer becomes do I need threat intelligence, but rather how can I properly leverage threat intelligence to address my unique needs? (See Sidebar) According to the Ponemon Institute s The Second Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, threat intelligence is an increasingly important way to keep abreast of the rapidly changing threat landscape, and it will become a key component of information security over time. Furthermore, threat intelligence will be key in helping organizations overcome the limitations of traditional, reactive security controls (such as antivirus), that do little to combat advanced threats. The study also found that 75 percent of respondents believe the exchange of threat information would improve their overall security posture, and 65 percent believe it could prevent or minimize the consequences of attacks. WHILE THERE IS NO EXACT SCIENCE FOR CALCULATING THREAT INTELLIGENCE ROI, THERE ARE A FEW GENERAL GUIDELINES YOU CAN FOLLOW: Determine how many new threats you are able to now address as a result of your threat intelligence solution which previously would go unchecked.»» The ability to show a greater security posture can help lower security premiums very significantly. Given the average cost of $158 for each lost or stolen record, is the cost of your security justified by the potential money you stand to lose in case of a breach? Review your unique situation to ensure your threat intelligence solution aligns with your specific needs.»» Confirm that the threat intelligence you are receiving is viable to your organization, and not simply a general data feed. Do an audit to see if your security analysts are now more efficient at addressing alerts, or if they have become more overwhelmed.»» Freeing up analysts to focus on important matters rather than sifting through data is a key benefit of effective threat intelligence. Does your threat intelligence come with access to qualified analysts or offer investigative services? Make sure your solution comes with the appropriate support to get the most out of your threat intelligence.»» Without the ability to properly understand and act upon critical information, threat intelligence is merely useless data. But if your threat intelligence gives you the ability to stop threats and prevent exfiltration, it is invaluable and essential. As malware and ransomware attacks become more sophisticated and prevalent, the chances that your organization will fall victim to an attack is greater than ever. Increasing these odds even further (as Gartner predicts) is that there will be 6.8 3

4 billion connected devices in use in a 30 percent increase over The analyst firm goes on to forecast that by 2020 that number will jump to more than 20 billion connected devices! Having a properly implemented threat intelligence solution allows companies to address these challenges and reduce their security spend by focusing efforts on the threats that constitute the most risk. Case in point: according to Symantec, Crypto-style ransomware grew 35 percent in An extremely profitable type of attack, ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. But just because ransomware is on the rise does not necessarily mean that it is a threat to your organization. By customizing your threat intelligence to your company, you can eliminate the shotgun process of security and hone in on the areas that matter the most, significantly reducing the amount of data to be analyzed, as well as the costs associated with your security program. AVERAGE U.S. COMPANY OF 1,000 EMPLOYEES OR MORE SPENDS $15 MILLION A YEAR BATTLING CYBERCRIME NOT ALL THREAT INTELLIGENCE IS CREATED EQUAL The fact that threat intelligence has achieved buzzword status is both good and bad. The good news is that people are talking about it it is a critical component of a cyber risk management program. The bad news, however, is that too many providers have distorted and confused the term, so much so that its meaning varies widely. This fact is taking away from the real value of legitimate threat intelligence. Forrester defines threat intelligence as: The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence s primary purpose is to inform business decisions regarding the risks and implications associated with threats. Be careful when evaluating a threat intelligence solution; there is a lot of snake oil out there. Most suppliers fall far short of delivering the operatively-sourced intelligence needed for enterprises to take preemptive action against a full spectrum of targeted attacks. Fundamentally, most do not effectively bridge the gap between verified data and emerging enterprise attacks. To deliver on the true meaning of threat intelligence, solutions must both provide specialized cyber security services, and realtime, client-specific alerts to protect networks and prevent unwanted data exfiltration. A simple data feed is not the answer. Your threat intelligence solution must be able to take into account the latest trends and new activities, and tie them to specific threat actors for attribution, as well as other exploits that may pose a direct or peripheral risk to the organization. Two other key elements overlooked by less capable providers are access to security analysts for addressing specific needs, and the ability to provide specialty investigative services. Having access to a data feed is great, but what happens when anomalies occur which raise more questions than answers? Being able to turn to trained security analysts, and receive targeted detailed investigative services becomes a critical asset in assuring you re getting the most out of your threat intelligence. 4

5 KNOWLEDGE IS POWER All the security solutions in the world won t do you any good unless you know how to best utilize them and draw upon each of their strengths. This is what makes threat intelligence such an invaluable tool in the fight against cybercrime. How you collect and use threat intelligence depends on who you are as an organization. The ultimate goal for any organization looking at threat intelligence solutions is to obtain actionable intelligence. If all you re getting is a simple data feed that is not being evaluated and validated, you re only receiving useless raw information. Without the proper context you can t put this information to work, and that is where longterm value from threat intelligence is truly realized giving an organization the ability to drive change. This change can be seen in how the SOC prioritizes and responds to alerts, how users evaluate and react to phishing s, or how decision makers and executives invest in a security program and prioritize long-term security projects. If all you re getting is a simple data feed that is not being evaluated and validated, you re only receiving useless raw information. The trap that many vendors and cybersecurity professionals unknowingly fall into is that information and intelligence are not the same thing. More information exists than anyone can possibly distill, analyze, and use to quickly make sound decisions. The challenge is identifying which threats have the greatest chance of significantly affecting your organization that is where effective threat intelligence comes into play. It gives you the knowledge needed to make sound decisions based on who you are as a company (such as your products, employees, software and hardware), geographical locations, industry sector, the data you store and transact and much more. By overlaying this company data and comparing your business traits against cyber threats on the horizon, you now have the capability to understand your business risk exposures based on your relevant cyber threats. The truth of the matter is that threat intelligence has little value unless it is put into context of an organization s unique security posture. Using a one size fits all solution just creates more noise and becomes more of a hindrance than a help in identifying threats. Security professionals are beginning to realize that they can t block every conceivable cyber-attack; rather, they need to focus on the most pertinent threats in order to improve their incident detection and response capabilities. The tide is finally shifting from throwing every type of security solution at the problem to stepping back and relying on threat intelligence to dictate a focused approach. 5

6 REALIZING A RETURN ON YOUR THREAT INTELLIGENCE INVESTMENT Security solutions are derived to protect companies from liabilities that can occur. In order to properly protect against the threats that are most pertinent to your organization you cannot play the guessing game. You need precise intel on the threats that will do you the most harm you can only get that from a pure threat intelligence solution. Effective threat intelligence comes down to being accurate and actionable. You can have all the data points in the world, but if you can t make sense of them or they don t pertain to your specific situation, it will do you no good. When implemented correctly, threat intelligence should act as an extension of your IT security team, saving you money by offloading the burden of security overhead without hiring additional internal resources or incurring incremental costs. Return on investment is not always black and white, but when it comes to threat intelligence there are very easy ways to identify if you are getting your money s worth. Look for feature-rich, comprehensive solutions that deliver actionable, targeted threat intelligence with context that alerts you to the potential impact of attacks before they become a direct or peripheral risk to your organization. Don t rely on massive data feeds that provide every threat under the sun. Seek out solutions that have a proven ability to search the dark web for chatter from bad actors, analyze threat data and offer a scalable solution that is geared towards keeping your business assets safe from both current and emerging threats. Protecting your corporate assets against cyber-attacks requires a combination of sophisticated technology, accurate threat intelligence data and expert strategy. When executed correctly threat intelligence allows for increased operational efficiency and faster time-to-remediation without requiring expensive consulting services. Fortunately, new technologies that take a pro-active approach to cyber risk management are emerging beyond the hype, and are enabling businesses to reap the rewards of threat intelligence and realize its true ROI significantly reducing the risks and costs associated with doing business in today s cyber world. ABOUT INFOARMOR InfoArmor offers industry-leading identity and cyber intelligence services that help our clients fight emerging fraud and advanced cyber threats. We combine an unparalleled global research network with big data analysis, actionable intelligence and customized service to meet clients dynamic security needs. From employee to enterprise, InfoArmor is redefining how organizations fight fraud and combat an evolving threat landscape to mitigate risk on multiple levels. Today, more than 600 businesses and government agencies, including 50 of the Fortune 500, use PrivacyArmor, the industry leading employee identity protection solution, or VigilanteATI, our award-winning advanced threat intelligence platform to improve their data security posture. TM For more information please visit the InfoArmor website at infoarmor.com, or contact InfoArmor sales at , or sales at ati@infoarmor.com. 6

7 / AT I. I N F OA R M O R. C O M IAATIHCWP