In this blog article, I am seeking to address the question of whether CTI is worth investing in.
Many vendors of web proxies, SIEM solutions, IPS, firewalls, UTMs and email filtering technologies already provide a threat feed. The question that needs to be asked is how effective these feeds and blacklists are. Can they protect your organisation and block threats? Can these threat feeds be positioned in the right place to stop threat agents/attackers from doing their dirty work? If you restrict your attention solely to the roughly 4 billion IP addresses within the IPv4 address range, it is estimated that more than 16 million are currently, or have been, put to use for malevolent means. Clearly there are challenges to keeping tabs on all these dubious IP addresses from which threats manifest. I’d challenge you to name more than a handful of organisations globally that have the inclination or capacity to keep track of what is happening at these Internet locations. Sure, vendors and the open source community are trying. However, vendors are somewhat blinkered by the user base they can draw on and the security function they focus on. At the other extreme, open source offerings are always best effort and, in this space, regrettably slow to react. IP addresses are clearly only one part of the picture; once you add URLs, domain names, known bad hosts and payloads to the items needing to be managed, it is clear that automation and intelligence are required.
The problem with many mainstream, accepted security technologies is that they become less and less effective over time, require superior analytical skills to operate (skills that are hard to find), and can be somewhat reactive. These issues prompt security professionals and business managers to seek out better ways of working and more advanced technologies to increase effectiveness.
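To make the automation point concrete, here is an added example (my own illustration, not code from the original post or from any vendor feed): it ingests a small threat feed of IPs, domains, URLs and hashes, normalises and deduplicates the indicators, matches them against proxy log lines, and down-weights older indicators so that a feed which is never refreshed visibly loses value. The feed format, the log format and the 90-day half-life decay are assumptions chosen for the example; the feed entries and log lines are constructed sample data.

```python
"""Indicator feed normalisation, ageing and log matching (added example).

All data below is constructed; the feed/log formats and the decay function are
assumptions for illustration, not any vendor's format.
"""
import ipaddress
import re
from datetime import date
from urllib.parse import urlparse

# Constructed feed: kind,value,first_seen (ISO date). Values are deliberately
# messy: duplicates, mixed case, trailing dot, defanged URL, malformed IP.
SAMPLE_FEED = """\
ip,198.51.100.23,2024-01-10
ip,198.51.100.23,2024-02-01
domain,Bad-Example.test.,2024-03-05
url,hxxp://malware[.]example[.]net/payload.bin,2024-03-20
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,2023-06-01
ip,not-an-ip,2024-01-01
"""

# Constructed proxy log lines: date client dst_host dst_ip url
SAMPLE_LOGS = [
    "2024-04-01 10.0.0.5 bad-example.test 203.0.113.9 http://bad-example.test/index.html",
    "2024-04-01 10.0.0.7 malware.example.net 198.51.100.23 http://malware.example.net/payload.bin",
    "2024-04-01 10.0.0.9 www.example.org 203.0.113.80 https://www.example.org/",
]

TODAY = date(2024, 4, 1)  # constructed "current" date for the example


def refang(value):
    """Undo common defanging so feed values compare equal to live log values."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def normalise(kind, value):
    """Return a canonical (kind, value) tuple, or None if the indicator is malformed."""
    value = refang(value.strip())
    if kind == "ip":
        try:
            return kind, str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        return kind, value.lower().rstrip(".")
    if kind == "url":
        p = urlparse(value)
        if not p.scheme or not p.netloc:
            return None
        return kind, f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    if kind == "sha256":
        return (kind, value.lower()) if re.fullmatch(r"[0-9a-fA-F]{64}", value) else None
    return None


def load_feed(text):
    """Parse feed lines, drop malformed entries, keep the earliest first_seen per indicator."""
    indicators = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value, first_seen = line.split(",", 2)
        norm = normalise(kind, value)
        if norm is None:
            continue
        seen = date.fromisoformat(first_seen)
        if norm not in indicators or seen < indicators[norm]:
            indicators[norm] = seen
    return indicators


def confidence(first_seen, today, half_life_days=90):
    """Assumed decay: confidence halves every half_life_days, modelling feed ageing."""
    return 0.5 ** ((today - first_seen).days / half_life_days)


def stale_indicators(indicators, today, min_confidence=0.25):
    """Indicators whose decayed confidence has dropped below the threshold."""
    return [ind for ind, seen in indicators.items() if confidence(seen, today) < min_confidence]


def match_logs(indicators, logs, today, min_confidence=0.25):
    """Return (log_line, indicator, confidence) for each hit above the threshold."""
    hits = []
    for line in logs:
        _, _, host, dst_ip, url = line.split()
        candidates = [("domain", host.lower()), ("ip", dst_ip), normalise("url", url)]
        for cand in candidates:
            if cand in indicators:
                c = confidence(indicators[cand], today)
                if c >= min_confidence:
                    hits.append((line, cand, round(c, 2)))
    return hits


def run_example(today=TODAY):
    """Load the constructed feed and match it against the constructed logs."""
    indicators = load_feed(SAMPLE_FEED)
    return match_logs(indicators, SAMPLE_LOGS, today), stale_indicators(indicators, today)


if __name__ == "__main__":
    hits, stale = run_example()
    for line, ind, c in hits:
        print(f"{c:.2f} {ind[0]:6} {ind[1]} <- {line}")
    print("stale:", stale)
```

Normalisation is what makes a feed usable at all: without it the defanged URL and the trailing-dot domain would never match a real log line, and the duplicate IP would be counted twice. The decay is the part worth adjusting to your own data; the point it illustrates is that an indicator first seen ten months ago (the hash above) should not carry the same weight as one seen last week, which is exactly the "less effective over time" problem the post describes.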
Is CTI any different from the traditional security vendors? Unfortunately, only partially. It certainly needs highly skilled people to operate, and it is likely to become less effective over time as hackers develop countermeasures to hide their tracks from specific CTI tool sets. The one ray of light is that CTI does try to avoid the old paradigm of waiting for something known to be bad to arrive and then blocking it. Cyber professionals are trying to get ahead of this purely preventative mindset and become agile in threat detection and response. Any approach that offers the potential to reach out into the dark web, blend in, uncover what is happening in real time and then give you actionable intelligence, ideally coupled with workflow and automation, is a significant benefit.
The business problem that CTI attempts to solve is still dependent on skilled people. By investing in CTI, you may be able to uplift your internal capability, but to deliver real results you need a team there to start with. If you do have a specialist team in place, CTI has the potential to act as a multiplier and save you money. CTI is categorically not an appropriate or intelligent security investment for organisations that do not have adequate skills in place and are looking at new technology as a cure-all. There must also be clarity about what you are seeking to achieve from CTI. Without a clear vision of what you wish to achieve, delivering results may be difficult. This vision may of course change over time as you start to leverage CTI and assess the benefits produced.
As with all security investments, context is all-important in evaluating new technologies. With the right prerequisites, CTI should appear on your investment radar. So, in summary, is CTI worth investing in? Conceptually yes, provided you have the highly skilled people needed to make it effective. If you don’t have these people, then the answer becomes a very clear no. CTI should not be considered until you have an appropriate internal resource capability available, or a suitable managed service provider capable of bringing to bear the right skills, technology and business insight to effectively manage risk.
In the third and final post of this series, I will focus on what to look out for in a Threat Intelligence solution.