SAN FRANCISCO -- According to one Forrester Research Inc. analyst, threat intelligence, like potty training, is a high-risk proposition that will likely yield its share of messes, but if staffing and technology challenges can be overcome, the rewards will be worth it.
During a Tuesday session at RSA Conference 2015, entitled "Threat Intelligence is Like Three-Day Potty Training," Forrester Principal Analyst Rick Holland used the analogy to highlight how threat intelligence is increasingly becoming a requirement for enterprises, but building a program and advancing it to the point where it supports an organization's strategic objectives often takes much longer than anticipated.
Citing data from Forrester's 2014 global security survey, Holland said that for the past two years more than three-quarters of North American enterprises said establishing or improving threat intelligence was a priority in the next 12 months.
Holland said he's been working with a number of enterprises that have been building threat intelligence programs for several years, and over that time he has developed a threat intelligence maturity model that describes what a program at each level is capable of doing, an important distinction because not all programs are equal.
"Just because you have a threat intelligence program," Holland said, "doesn't mean that you're going to solve all your problems."
Levels of intelligence
The maturity model starts with "head in the sand" companies that haven't initiated threat intelligence programs yet, often because they think attackers aren't targeting them.
Second comes what Holland called the "Pac-Man" organizations that are just getting started, often by trying to consume as many different information sources as possible.
From there, enterprises reach Holland's "Tacticool" stage, in which they have narrowed their sources based on their threat profile, but aren't able to measure the value of the sources thoroughly, particularly against each other.
Next is a "Tweener" level, where organizations begin to take the first steps toward a strategic program by discovering how to vet the value of intelligence sources and tie it back to the broader security program.
The penultimate stage, what Holland mockingly called "Strategery," is where organizations finally use threat intelligence to consistently make informed business decisions.
Only the most advanced organizations make it to the final level, "Enlightenment," after they've worked with threat intelligence for years and found their own ways to innovate.
Unfortunately, Holland said, most organizations underestimate the amount of time it takes to advance the maturity of a threat intelligence program. Based on in-depth interviews he's conducted with nearly two dozen organizations using threat intelligence, he said it often takes 12 months to get a basic program off the ground and 18 to 24 months to begin to adopt a more strategic approach; a fully strategic program can take up to four years to build.
Attendee Ryan Eads, director of incident management and threat assessment for Navient, said he was surprised threat intelligence capabilities have matured to that extent, given most enterprises either have just started working with threat intelligence or haven't yet begun to do so.
The price of intelligence
Holland noted that threat intelligence programs are expensive.
"'Tacticool' will cost in the low seven figures, and on the other end I have one financial services company that's spending $20 million on threat intelligence," Holland said. "Of course, organizations can step up their maturity much faster, depending on the resources you have."
Several other elements add further risk to the proposition of building an enterprise threat intelligence program. Foremost among them, Holland said, is the reality that successful threat intelligence programs require special staffing, and these hires must not only be highly trained, but also highly compensated.
Because recruiting these people is especially challenging, Holland recommended taking special action, such as developing a footprint in communities where military units are based. Participating in industry groups there and developing relationships with military and government personnel, he said, lays the groundwork for hiring them when their military or government obligations are complete.
Holland also advocated not only reaching out to local colleges and universities with cybersecurity programs, but also joining their boards of directors. That way, he said, it's possible to have direct influence over the extent to which those programs include disciplines like threat intelligence, creating a pipeline of entry-level personnel to staff an enterprise threat intel program.
Once those employees are on board, Holland advised working with human resources leaders to make exceptions to standard limits on compensation increases; the reality, he added, is that those workers will get scooped up by someone else if they don't get annual raises of at least 10%.
"If you lose those people, [your program] will take a step back," Holland said. "I talked to a customer that rated itself in the 'Tweener' stage, but lost three people, and then they slid back down to the 'Tacticool' stage -- they felt it would take another 12 months to get back to where they were."
Sources of intelligence
Another issue is that the vendor landscape is growing quickly, already separating itself into a variety of different types of intelligence providers -- open source, human, low-level technical, adversary, vulnerability and an emerging group of strategic vendors including SurfWatch Labs and Cytegic -- as well as platform providers, data enrichment providers and integration specialists.
Holland highly recommended investing in a threat intelligence platform to ease integration.
"It can be overwhelming. It's more than management; it's analysis and integration, so with a platform you can do integration through one point," Holland said. "It's like your quarterback managing the middle of the field."
Furthermore, Holland said not all products offer standardized threat intelligence data, complicating integration further. Fortunately, though, a growing number of vendors are starting to use the emerging Structured Threat Information Expression (STIX) standard to foster greater interoperability.
On top of those issues, Holland said many organizations make key mistakes that hinder their threat intelligence programs before they're ever operational.
One, he said, is that organizations fail to realize that their best source of threat intelligence is their own security incidents; hence, an enterprise must put the work in to discover and analyze its own threat data before investing in external sources.
Also, Holland added, too many organizations seek to share threat intelligence with others before they're able to consistently take action on the data they gather and consume.
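An added example, not from the article, Forrester, or any vendor named here, of the two points above: it parses a constructed STIX 2.1 bundle (a later JSON form of the Structured Threat Information Expression standard) and scores that external source by how many of its indicators already appear in the organization's own incident records. The bundle, its ids and the incident entries are constructed sample data, and the pattern parser handles only simple equality comparisons.

```python
import json
import re

# One STIX comparison, e.g. ipv4-addr:value = '198.51.100.7' -> (object path, value)
_CMP = re.compile(r"([a-z0-9-]+:[^\s=]+)\s*=\s*'([^']*)'")

# Constructed STIX 2.1 bundle standing in for a vendor feed (ids are placeholders).
FEED = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2015-04-21T00:00:00.000Z", "modified": "2015-04-21T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2015-04-21T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'bad.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2015-04-21T00:00:00.000Z", "modified": "2015-04-21T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2015-04-21T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % ("ab" * 32)},
        {"type": "identity", "spec_version": "2.1", "id": "identity--00000000-0000-4000-8000-000000000004",
         "name": "Example Vendor", "identity_class": "organization"},
    ]})

# Constructed entries from an internal incident dossier: observables already seen in-house.
INCIDENTS = [
    {"id": "INC-2015-017", "observables": {"198.51.100.7", "mail.example.net"}},
    {"id": "INC-2015-021", "observables": {"bad.example"}},
]

def extract_indicators(bundle_json):
    """Map each atomic value in the feed's STIX-pattern indicators to its object path."""
    found = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # identities, relationships and non-STIX patterns carry no observables here
        for path, value in _CMP.findall(obj["pattern"]):
            found[value] = path
    return found

def score_source(bundle_json, incidents):
    """Return (fraction of feed values seen internally, {value: [incident ids]})."""
    indicators = extract_indicators(bundle_json)
    hits = {}
    for inc in incidents:
        for value in sorted(inc["observables"] & set(indicators)):
            hits.setdefault(value, []).append(inc["id"])
    overlap = len(hits) / len(indicators) if indicators else 0.0
    return overlap, hits
```

Run the same scoring over several feeds to compare sources against each other; a feed that never overlaps with your own incidents is a candidate for cutting before adding new ones.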
Get smarter faster
In summarizing recommendations for organizations looking to get started with threat intelligence, Holland said the first steps should be to conduct a gap analysis to determine the organization's security-related data-collection capabilities in regard to endpoints, networks, cloud and third parties. He also advised building dossiers on past security incidents, noting that many organizations use simple spreadsheets or SharePoint sites to do this.
Later, he said an organization should define its intelligence needs based on its threat profile, and then develop a strategy to recruit, train and retain the staff that will be needed.
Holland said that while threat intelligence programs are proving to be impressive assets to the enterprises that have matured them, organizations looking to get started must be mindful of the risks.
"If you make the wrong decisions when making these investments," Holland said, "they could come back to get you."