{"id":1518,"date":"2025-01-15T06:00:00","date_gmt":"2025-01-15T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1518"},"modified":"2025-01-15T06:00:00","modified_gmt":"2025-01-15T06:00:00","slug":"stop-wasting-money-on-ineffective-threat-intelligence-5-mistakes-to-avoid","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1518","title":{"rendered":"Stop wasting money on ineffective threat intelligence: 5 mistakes to avoid"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Strong capabilities in cyber threat intelligence (CTI) can help take a cybersecurity program to the next level on many different fronts. When organizations choose quality sources of threat intelligence that are relevant to their technology environments and their business context, these external sources can not only power swifter threat detection but also help leaders better understand their risk exposure and prioritize future security investments.<\/p>\n<p>CISOs and cybersecurity executives are increasingly staking their program investment goals on the promises of CTI. <a href=\"https:\/\/go.recordedfuture.com\/hubfs\/2024%20State%20of%20Threat%20Intelligence\/Recorded%20Future%202024%20State%20of%20Threat%20Intelligence%20Report.pdf?hsLang=en\">Recent studies<\/a> show that three in five organizations spend at least 11% to 30% of their overall cybersecurity budget on threat intelligence capabilities. That equates to $250,000 or more a year spent on threat intelligence products from external vendors by 80% of cybersecurity teams.<\/p>\n<p>But how much of that money is well spent? 
While most analysts still project security spending to rise in 2025, there are signs that CISOs are going to be called to justify and tighten the efficiency of their spend in the coming year. According to <a href=\"https:\/\/www.iansresearch.com\/resources\/ians-security-budget-benchmark-report\">recent research by IANS<\/a>, over a third of CISOs faced flat to declining budgets in 2024 and staff growth has diminished by half compared to 2022 hiring patterns.<\/p>\n<p>CTI stands to drive a lot of value across threat detection, incident response, vulnerability management, and broader risk management, but it can also prove to be a money pit. The distributed nature of how threat intel is used makes it really hard to bring financial efficiency and accountability to bear on CTI. Organizations can stand to waste resources on not just bad intelligence and inadequate analysis, but also on great intelligence that isn\u2019t effectively used to change security outcomes.<\/p>\n<p>There\u2019s no easy answer to tracking CTI return on investment, but many threat intelligence experts say that there are some common ways CISOs can avoid the most likely sources of wasted intelligence spending. The following are five mistakes to avoid in the effort to maximize a program\u2019s efficiency.<\/p>\n<h2 class=\"wp-block-heading\">Not having a risk management program in place<\/h2>\n<p>To truly get value out of a comprehensive CTI program, CISOs need to lay the foundation with a solid <a href=\"https:\/\/www.csoonline.com\/article\/569259\/5-risk-management-mistakes-cisos-still-make.html\">risk management<\/a> program and the infrastructure needed to appropriately analyze and contextualize the feeds they ingest.<\/p>\n<p>\u201cCTI really needs to fall underneath your risk management and if you don\u2019t have a risk management program you need to identify that (as a priority),\u201d says Ken Dunham, cyber threat director for the Qualys Threat Research Unit. 
\u201cIt really should come down to: what are the core things you\u2019re trying to protect? Where are your crown jewels or your high-value assets?\u201d<\/p>\n<p>Without risk management to set those priorities, organizations cannot set appropriate requirements for intelligence collection, which means they will not gather the relevant sources that pertain to their most valuable assets.<\/p>\n<p>Additionally, CTI is most valuable when it is used to contextualize security analytics about activity occurring within an organization\u2019s infrastructure. This means organizations need to get their analytics program and their data science and data management ducks in a row to truly squeeze value out of the external intel they bring in.<\/p>\n<p>\u201cStrategically, balancing the lowering of TCO [total cost of ownership] with security value and time-to-value, while integrating with all important internal data sources and tools is a difficult equation,\u201d explains Balazs Greksza, threat response lead at Ontinue. \u201cSecurity is not a big data problem. In fact, it is a \u201cright information and intelligence at the right time\u201d problem, to come to the right conclusions.\u201d<\/p>\n<p>This means CISOs need to think carefully about all the use cases in which internal data and external intel will contextualize each other. Greksza says a security data lake has a much different use case than an <a href=\"https:\/\/www.csoonline.com\/article\/574295\/11-top-xdr-tools-and-how-to-evaluate-them.html\">XDR<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">SIEM<\/a>, or compliance monitoring solution. That requires defining clear objectives and requirements for how all of the intel and analytics data will drive better decision making. 
CISOs may want to lay the foundation by bringing data platform engineers on board to create a comprehensive data strategy for the SOC and beyond, he says.<\/p>\n<h2 class=\"wp-block-heading\">Relying on poor-quality intel<\/h2>\n<p>Bad intelligence can often be worse than none, leading to a lot of analyst time wasted validating and contextualizing poor-quality feeds. Even worse, if this work isn\u2019t done appropriately, poor-quality data can lead to misguided choices at the operational or strategic level. Security leaders should be tasking their intelligence team with regularly reviewing the usefulness of their sources based on a few key attributes. The typical acronym that many intelligence professionals use for this is CART, which stands for completeness, accuracy, relevance and timeliness.<\/p>\n<p>Completeness means that each piece of intelligence gives a full picture of the threat, including actors, methodologies and affected systems, says Callie Guenther, senior manager of cyber threat research for Critical Start. Meanwhile, accuracy is perhaps one of the most crucial elements of quality that will make or break a source\u2019s value. \u201cThe credibility and reliability of the source are paramount,\u201d she says. \u201cInaccurate intelligence can lead to false positives, wasted resources, and potential exposure to unaddressed threats.\u201d<\/p>\n<p>Relevance means that the intelligence is pertinent to the organization\u2019s industry, tech stack, and geographical location. And timeliness is all about ensuring that intelligence is current enough that it can make a difference in how an organization will act. Obviously, intelligence sources will often have to strike a balance between timeliness and accuracy as threat research unfolds.<\/p>\n<p>Finally, Guenther would add another \u2018A\u2019 into the mix to make it CAART: actionability. 
\u201cIntelligence should be detailed and specific enough to drive security actions, such as tuning security devices, updating policies, or patching vulnerabilities,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Glossing over requirements gathering<\/h2>\n<p>Even more fundamental than evaluating potential intelligence sources for quality, CISOs need to be sure their teams are choosing sources that actually meet their security program and business needs. One of the most common mistakes that security teams make in their threat intelligence programs is skipping right over the process of figuring out who needs what kinds of intelligence to make smart security decisions.<\/p>\n<p>\u201cCTI is only as effective as an organization is in receiving it. In order to build an effective CTI program, the organization at all levels must issue requirements to the intel team and be receptive to consuming intelligence to inform processes and decisions,\u201d says Dov Lerner, security research lead for Cybersixgill.<\/p>\n<p>This requirements-gathering stage is the first step in the CTI lifecycle, but it\u2019s often skipped or limited to just the SOC analysts, who have specific technical requirements. \u201cOrganizations may fail to define clear, actionable, and prioritized intelligence requirements, leading to irrelevant or overwhelming amounts of data,\u201d Guenther says, agreeing with Lerner that intel teams should be gathering requirements from many different types of intelligence consumers from across the business.<\/p>\n<p>To get the most out of CTI investments, the CTI team has to have the bandwidth and the organizational connections to engage with a range of stakeholders in security and beyond, according to Lerner.<\/p>\n<p>Some organizations may also want to consider creating a program for stakeholders to request new intel. 
This is how Matt Hull, global head of cyber threat intelligence at NCC Group, says his firm makes requirements gathering more repeatable and consistent. NCC has a system that\u2019s almost like ticketing for intelligence requests. \u201cWe have what we call an RFI process \u2014 a request for intelligence \u2014 that\u2019s essentially a mechanism into my team that says (to stakeholders) \u2018What question do you want answering?\u2019\u201d he says. \u201cAnd then it is triaged and passed to the relevant team.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Hyper-focusing on tactical threat intel<\/h2>\n<p>One of the most common threat intel mistakes Guenther sees organizations make when they start a CTI program is overemphasizing tactical intelligence. \u201cWhile tactical intelligence is essential, focusing solely on IoCs [indicators of compromise] without strategic or operational context can lead to a reactive rather than proactive security posture,\u201d she says.<\/p>\n<p>Both Hull and Dunham are firm believers that the strongest CTI teams are able to collect and operationalize intelligence on three major fronts: tactical, operational, and strategic. The tactical intelligence follows the traditional mold of IoCs and very specific pieces of technical information from malware analysis and other monitoring that could enhance threat detection. The operational intelligence moves up a layer to behavioral intelligence around tactics, techniques, and procedures (TTPs). And the strategic intelligence is the bigger-picture information that ropes in geopolitical, industry, and business context. 
At NCC, Hull has three different teams, one focused on each of these strands, to ensure the program is hitting each area appropriately.<\/p>\n<p>The strategic piece is the one organizations most often miss, yet it is often the one that drives the most financial value, as strategic intel can help prioritize spending based on what\u2019s actually happening in the threat landscape. On top of that, strategic intelligence can also help CISOs justify their actions and demonstrate ROI in the long run.<\/p>\n<p>\u201cIt\u2019s quite hard to understand what the return on investment is from a CTI capability. Feeding your intelligence into risk management processes is really, really useful because you\u2019re able to sort of quantify some of the inputs from your threat intelligence into risk management work,\u201d Hull says, explaining that this can start CISOs on a path toward more complex analysis around cyber risk quantification, for example.<\/p>\n<h2 class=\"wp-block-heading\">Devaluing dissemination<\/h2>\n<p>Even if CTI is doing an excellent job collecting the right kind of quality intelligence that its stakeholders are asking for, all that work can go for naught if it isn\u2019t appropriately routed to the people who need it \u2014 in the format that makes sense for them.<\/p>\n<p>\u201cOne of the areas where there can oftentimes be a struggle is in the dissemination phase, which is typically when CTI analysts process and deliver finished intelligence to stakeholders,\u201d says Lerner.<\/p>\n<p>As he explains, many intel teams don\u2019t do a good job tailoring information to the appropriate audience. Strategic intelligence meant for the C-suite will not offer much value if it\u2019s full of acronyms and technical data, for instance. 
And tactical intelligence that\u2019s buried in an unstructured report and not easily consumable by a SOC analyst is similarly unusable.<\/p>\n<p>One of the best ways to ensure focused and targeted dissemination is to nail down the details at the requirements phase, says Hull. \u201cWhen you set those requirements, you set the direction about the cadence with which dissemination takes place and the mechanism by which a dissemination takes place,\u201d he says, explaining that the important thing is to establish from the outset how to make intelligence most easily accessible to, and shareable by, the relevant stakeholders.<\/p>\n<p>Clearly, there\u2019s no easy button for maximizing CTI value within a cybersecurity program, but CISOs who focus on avoiding these five mistakes stand a better chance of getting the most out of their intel.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Strong capabilities in cyber threat intelligence (CTI) can help take a cybersecurity program to the next level on many different fronts. 
When organizations choose quality sources of threat intelligence that are relevant to their technology environments and their business context, these external sources can not only power swifter threat detection but also help leaders better [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1519,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1518","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1518"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1518"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1518\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1519"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}