Security Experts:

Do You Need a Threat Intelligence Team?

I have the great opportunity to spend time with CSOs and IT executives to understand their cybersecurity concerns and help them map out a strategy for success. An increasingly common question I’ve been hearing is, “Does my organization need a threat intelligence team?” Adding threat intelligence capabilities to your organization can be valuable, with their ability to hunt for advanced attacks; profile never-before-seen malware, campaigns or adversaries; and really think like an attacker. However, the number of organizations with their own dedicated threat intelligence team is quite low today, with some very good reasons behind this trend.

The fact is that in-house threat intelligence teams are rare because of the difficulty and cost of identifying and hiring qualified staff. In the grand scheme of things, cybersecurity itself is a relatively new industry, and the number of highly technical threat analysts is still low. The fact is, the number of open security jobs is far greater than the number of candidates, something many of you experience on a daily basis when trying to fill your open positions. For example, most universities don’t offer a cybersecurity major, and many people currently pursuing computer science fields are not aware of the potential opportunity in front of them.

Today’s threat intelligence analysts learned what they know through hands-on work in related computing fields and/or years of experience on the IT frontlines. With threat intelligence analysts in short supply, the demand for their services keeps their salaries high and beyond the budgets of all but the largest organizations.

So my answer to the threat intelligence team question mentioned above usually consists of several more questions:  What is your organization’s current security posture? Are you automatically preventing attacks before they can breach your network? Do you have an information security team, and do they have a proven workflow in place for handling a successful cyberattack? How are you protecting your organization’s intellectual property and high-value assets? Is your network properly segmented? If the answer to any of those questions is “no,” my advice to the customer is to get those issues addressed first, before they even begin to ponder the need for a dedicated threat intelligence team.

This isn’t to say that an organization doesn’t need threat intelligence; good intelligence plays an important role in defending against attacks. But for many organizations, the best way to get value from threat intelligence is by ensuring their security platforms can natively consume and enforce protections derived from it. When you exist in a world where attacks are generated at machine scale, you must ensure you can automate as much of the creation, sharing, ingestion and application of threat intelligence as possible. The desired end state is preventing the majority of attacks, identifying targeted threats, and ensuring your security staff has easy access to the intelligence and context to prioritize the most critical attacks for immediate action. Inherent in this is the belief that more data doesn’t always yield better security: you need the right intelligence, delivered in a simple way.

Once you have established a good baseline for your security posture, I would advise you to start considering how to build a threat intelligence team now. It will take time to identify the right people and secure the support you need to build the team. Think about the following guidelines as you move down this path:

Support From the C-Suite

The cost involved in building a threat intelligence team is so great that most boards of directors will need assurances that the work being done is truly necessary. I would advise any CSOs considering building a threat intelligence team to make sure they can translate the benefits of their threat intelligence team’s research in a way that clearly communicates its value to the board. For instance, you want to report out threats targeting your organization and industry, and make the link between highly technical indicators of compromise and business metrics. If the board isn’t able to understand the impact that not having a threat intelligence team will have on the bottom line, they’re less likely to see it as worth the cost.

Cybersecurity and Threat Intelligence Are Different Disciplines

Don’t expect to plug a cybersecurity specialist into the role of threat intelligence analyst, as the jobs require different skill sets. An example I use to illustrate the difference is scientists and engineers. Scientists, like threat intelligence analysts, spend much of their time researching a subject over time to learn its behavior, motivation and technique. They then publish their findings so others can apply that research in a practical way. Engineers, like cybersecurity specialists, apply the knowledge gained by scientists to the real world by building machines or writing code to produce the desired effect and then maintaining that machine or code over time. Be aware of the difference when staffing up your threat intel team. Not everyone in cybersecurity is meant to be a threat analyst and vice versa.

Good Intel Is Hard to Find

This is a topic I’ve addressed before, but there are a lot of different threat intelligence feeds available today and each of them claims to provide the best, most comprehensive intel on the latest cyberthreats. In an effort to make sure they don’t miss hearing about the latest threat, threat intelligence teams will subscribe to multiple intelligence feeds. But in the intelligence game, it’s quality, not quantity that counts. The value of any threat intel is in its applicability to your network. For example, if you’re organization is responsible for cybersecurity at a large manufacturing facility, you need to be concentrating your threat intelligence spend on feeds that specifically track manufacturing cyberthreats. This will allow you to focus on the threats most likely to impact the organization, and it will free up the budget spent on unnecessary feeds for better use elsewhere.

view counter
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.