There's general agreement on, or at least universal lip-service paid to, the importance of threat intelligence to effective cybersecurity. But actually using it effectively has often proven problematic in practice. A panel at SINET ITSEF on March 28, 2017, put the question this way, "Finding the threat intel needle in a hay stack of needles, prioritizing it and making it actionable—what is the level of maturity with this?"
Chaired by David Zilberman (Managing Director, Comcast Ventures), the panel included Lynda Grindstaff (Senior Director of Innovation Pipeline, Intel Security), Rick Holland (Vice President of Strategy, Digital Shadows), Tom Pageler (Chief Risk Officer and Chief Security Officer, Neustar), and Mario Vuksan (Founder and Chief Executive Officer, Reversing Labs).
Intelligence should cut through fog, not create it
The panel agreed at the outset that there was a fog-of-war problem, with too much focus on indicators and insufficient attention paid to analysis.
Zilberman put the question simply: is there too much intelligence? And he received a simple answer from Pageler: yes. Holland thought there was a good chance the sector would see more threat intelligence outsourcing, and possibly mergers of SOC-as-a-service-providers. The consensus among the panelists was that such consolidation and outsourcing was probably inevitable, given the scarcity and consequent expense of the relevant talent.
Human jobs and machine jobs
Zilberman asked for the panel's views on the demarcation between human and automated functions. Holland thought machines should be used as filters. Vuksan said, "Automation is for no-brainer decisions." You involve humans when and where the rules of the game change, since this is where automation breaks down. It's important to know when this becomes necessary, since in practice it can prove difficult for a team to override an automated tool. Holland agreed. Automation isn't strong artificial intelligence, at least not yet.
Sharing, and when to do it
Pageler observed that "sharing has been treated as a panacea." Techniques, he argued, are more profitably shared than are indicators. There's also a need to establish trust when you're sharing information, Vuksan pointed out. "Much sharing is just collection, post factum."
And in any enterprise there's always the question of expressing return-on-investment (ROI). The panel thought it was often useful to express ROI in terms of headcount reduction. Make it clear as well that you're not simply sharing indicators, and don't show up only once an intrusion or a material weakness has been uncovered. Explain what bad consequences have been averted through the application of intelligence.