10 myths about cyber threat intelligence - separating fact from fiction

8/18/2019 10 Myths About Cyber Threat Intelligence - Separating Fact From Fiction

1/17

10 Myths About CyberThreat IntelligenceSeparating Fact from Fiction

A CYVEILLANCE WHITE PAPER | MARCH 2015


2/17

2

10 Myths About CyberThreat Intelligence:

Separating Fact from Fiction

© 2015 Cyveillance

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

Myth 1: Threat intell igence is just another term for data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

Myth 2: Only big companies have a need for threat intelligence. . . . . . . . . . . . . . . . . . . . . . .5

Myth 3: It’s impossible to develop a business case and show ROI for threat intelligence. . . .6

Myth 4: The volume of sources and data outside our perimeter is too

overwhelming to be useful. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Myth 5: Threat intelligence is only useful for the information security department. . . . . . . 10

Myth 6: I deal with guns and guards, so I don’t need cyber threat intelligence . . . . . . . . . . 11

Myth 7: Our network is already protected by firewalls, IDS, and anti-virus solutions. . . . . . 12

Myth 8: Threat intelligence is only useful before a breach or a security event. . . . . . . . . . . 13

Myth 9: We already have an in-house cyber security team, so we don’t need

threat intelligence from a third-party. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Myth 10: We can’t afford to hire more analysts to process, review, and act upon

threat intelligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Table of

Contents


3/17

10 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance 3

Executive Summary

In today’s security landscape, more vendors than ever are offering what is purportedto be “threat intelligence.” Unfortunately, this term often suffers from the same sort of

ill-defined overuse as terms like “big data” or “cloud security.” Everyone talks about

these things, most are fairly sure they need them, but very few people can tell you

what they actually are or how they can be practically applied in business terms.

One thing most security experts can agree on, though, is that an intelligence-led

approach to security – that is, putting threat intelligence to real-world use – is critical

to protecting organizations from risks. If the goal of an intelligence-led security

strategy is to help organizations be more proactive in finding and preparing for

threats to physical and digital assets, it’s crucial to define and understand exactly

what threat intelligence means, and separate fact from fiction.

In this whitepaper, we dispel some common myths about threat intelligence.


4/17

4



© 2015 Cyveillance

MYTH #1: Threat intelligence is just another term for data.

FACT:While data feeds are an important component of threat intelligence, we would argue that they are fundamentally

different. A leading industry analyst firm recently defined threat intelligence as “evidence-based knowledge, includ-

ing context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or

hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” 1

Put in plainer terms, threat intelligence has three characterist ics that raw data lacks: relevance, actionability, and

value. To be relevant, the information must relate to your organization, industry, networks, or objectives. To be

actionable, it must be specific enough to prompt or forego some response, change, action, or decision. Finally,

to be valuable, it must contribute to a useful business outcome.2

Many organizations feel overwhelmed with data, and with good reason – an est imated 2.5 exabytes (that’s

1018) of data are generated each day.3 But data and threat intelligence are not the same. For example, without

additional context, raw data generated by a machine will not help a security team understand the potential risk

of an event, such as a spear phishing attack. Other facts surrounding the event – such as where the phishing

email may have originated from geographically, any history of associated phishing or malware at tacks with the

associated domain name, or the profile of a threat actor associated with similar attacks – can help the security

team understand the risk of the event. Because the surrounding information is needed for threat intelligence,

services that claim to provide threat intelligence must also provide tools for adding context to the data.

Myth 1

1 https://www.gartner.com/doc/2487216/definition-threat-intelligence

2 https://blog.cyveillance.com/making-business-case-threat-intelligence/

3 http://www.datanami.com/2014/10/27/big-data-becomes-much-data


5/17

5



© 2015 Cyveillance

MYTH #2: Only big companies have a need forthreat intelligence.

FACT:News stories about large organizations being breached have created

a common misconception that larger organizations are at higher risk of

attack and therefore need threat intelligence. In reality, an estimated 61

percent of all attacks in 2013 were targeted at businesses with fewer

than 250 employees.4 With so much attention focused on breaches

at large organizations, though, it’s no wonder that 27 percent of small

business owners do not believe that data breaches pose a risk to

them,5 despite the fact that threat actors continue to set their sights

on smaller, easier targets. As small businesses have limited budgets

and resources, it’s imperative to find the right intelligence and tools to

maximize their budgets.

To ensure that valuable budget is being spent wisely, security teams

should consider vendors that offer threat intelligence and tools specif-

ically tailored to meet the needs of their organizations. For example,

research shows that SMBs often fall victim to broad-based malware

attacks delivered via phishing emails, so a partner that provides phish-

ing threat intelligence, safety awareness training, and other services

would be more useful to a small organization than one that only pro-

vides data feeds related to bad IP addresses or Distributed Denial of

Service (DDoS) attacks.

5

Myth 2

Small to mid-

sized businesses

often try to stretch

security budgets

by borrowing

tools from other

groups, such as the

marketing team, for

threat monitoring.

However,

these tools are

not designed

with security

professionals

in mind and

therefore do not

meet their needs.

4 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf 5 http://www.advisenltd.com/10/14/2014/cyber-exposures-small-mid-size-businesses


6/17

6



© 2015 Cyveillance

MYTH #3: It’s impossible to develop a business case and

show ROI for threat intelligence.

FACT:Determining the ROI for security initiatives is often challenging, but it’s not impossible. While it may be more use-

ful to frame investments against the costs of what could be lost if an executive were to be harmed or data breach

to occur, there are often instances where security professionals will be pressed to demonstrate ROI.

Before ROI can be calculated, you must determine whether threat intelligence is a necessary part of

your security program. These questions can help you determine if you need threat intelligence and if

so, how much:

1. WHY? Clearly define the business driver(s) to buy or build a threat intelligence capability using business terms. 6

2. WHAT? Define a clear, bounded, set of responsibilities and mission activities for the personnel involved.

3. HOW? List the steps that will operationalize the intelligence activities and information to support business goals. 7

Myth 3

6 https://www.brighttalk.com/webcast/9865/134509

7 http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis


7/17710 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance

8 http://www.Internetlivestats.com/twitter-statistics

4. HOW MUCH? Quantify the problem, the risk, or the value of the solution you

are proposing.

5. HOW ARE WE DOING? Determine the reporting procedures and measure-

ments for performance that will justify both initial and on-going expenditures.

Determining the ROI for threat intelligence will be challenging without going

through these steps first. However, after completing this exercise, finding the right

metrics and figures to track should be easier. Measuring the ROI for threat intel-

ligence should not be any more difficult than measuring ROI for other business

expenditures.

For example, if the average cost of a data breach is $3.5 million for a larger orga-

nization8, spending $50,000 to $200,000 a year for threat intelligence is a minimal

investment to prevent staggering losses. Smaller organizations can deploy solu-

tions which cost a fraction of this. This does not even take into account the value of

advance knowledge of physical threats to employees, which could be life-saving.

Evaluating Threat IntelligenceSolutions

Fortune 500

Many global companies have their own internal threat

centers which can process data and intelligence from a

wide variety of sources and vendors to be analyzed by

their in-house team. Yet, even with these teams it can

be difficult to find, compile, sort, and analyze the mas-

sive amount of daily data received. A third-party vendor

is often needed to provide expertise and analysis for

company blind spots and overflow.

Large Enterprise

With a nebulous perimeter and increasing BYOD envi-

ronment, traditional firewall and IDS platforms provide

incomplete security. In addition, large enterprises

compete for scarce resource within departments,

which leave gaps in both talent and knowledge. In this

case, a third-party vendor with on-demand analysts

offers easy scalability to close these gaps.

SMB and Non-Profit

While there are free and low cost sources of threat in-

telligence available to those with limited budget, there

is little help on the analysis of the available data. With

limited budget and time, small companies find it difficultto make headway with threat intelligence programs.

Many third party vendors now offer affordable month-

ly subscriptions for threat intelligence portals, which

consolidate threat intelligence, offer analytical tools,

provide insight on global threat landscape, and can

help meet their needs to manage risk and compliance.

These three steps can serve as a guide to building a business case:

Revisit the reasons

whether and why

threat intelligence is

a necessity

Frame the reasons

in terms of business

objectives

Translate the activities and benefits of

threat intelligence into tangible met-

rics that support your organization’s

business objectives


8/178



© 2015 Cyveillance

MYTH #4: The volume of sources and data outside our perimeter is

too overwhelming to be useful.

FACT:It is true that the sheer volume of online data can be daunting. But with the right consolidation, analytics,

and analysis, this data can be distilled into relevant, actionable, and valuable threat intelligence. From the

traditional web to social media to underground chat rooms, paste sites, and the blogosphere; it can be

enormously difficult to monitor all the sources that matter to your business. In addition to the proliferation

of sources, the amount of content being produced has exploded: as of early 2015, 500 million tweets per

day,9 864 million active Facebook users,10 and 100 hours of content are uploaded to YouTube every min-

ute.11 These are mind-boggling numbers. However, that does not mean that these huge volumes of data

can’t be managed. What is required to make that happen?

First, there must be a consolidated, automated means to search and collect across all these online sourc-

es. As the volume of sources, posts, pages, and languages expands endlessly, it cannot fall to human

analysts to manage data collection.

The second prerequisite is data analytics; the filters, risk scoring, and prioritization tools that focus scarce

analyst hours on the right material. Collection capability is self-defeating if all it does is add ever-more datato an already unmanageable queue for the analyst.

Finally, there must be capable analysts with the right tools to efficiently prioritize and investigate items that

matter. Open-source intelligence can be collected, managed, and used effectively. However, it requires the

people, process, and technology to cost-effectively apply and benefit from the information that is out there.

8

Myth 4

9 http://expandedramblings.com/index.php/by-the-numbers-17-amazing-facebook-stats

10 https://www.youtube.com/yt/press/statistics.html

11 http://www.hhs.gov/news/press/2014pres/05/20140507b.html


9/17910 Myths About Cyber Threat Intelligence: Separating Fact from Fiction | © 2015 Cyveillance

Web

Twitter

Facebook

Google+

Blogs

LinkedIn

Youtube

Boards

Pastebin

Instagram

50,000mentions per day

tweets per day500,000,000

active users

of content uploaded

*Data as of January 2015

every minute

for the average brand

864,000,000

6,000 minutes

9

Simple “mentions” or keyword matches for client brands, executives, locations, and other indicators commonly exceed

50,000 new items per day. Yet a typical analyst may be able to process hundreds or perhaps a few thousand items

at most. Without unlimited budgets for more analysts, and the availability of such talent in the market, throwing more

humans at the problem is not a realistic or sustainable option. When dealing with data at this scale, there must be

technology applied to identify and prioritize what is most likely to matter.

The Expanding Data Dilemma


10/1710

10 Myths About Cyber

Threat Intelligence:


© 2015 Cyveillance

MYTH #5: Threat intelligence is only useful for the information

security department.

FACT:In the past, cyber threat intelligence has been seen as the domain of the information security team. While

it may have been true in the era of defined perimeters and workspaces, the new era of dynamic perim-

eters, BYOD, and SaaS tools has blurred lines of responsibility. Increasingly, cyber and physical security

have converged as threat actors use chat, blogs, and social media to organize events, coordinate sched-

ules, and plan combined physical and digital disruptions.

In addition to the physical and information security team, the governance, risk, and compliance depart-

ment can use threat intelligence to mitigate risks of non-compliance. Many times indications and warnings

of issues with FFIEC, FDA, or HIPAA compliance can be found on the open source Internet long before a

violation is formally discovered. For example, in the case of a New York hospital that suffered a breach, on-

going online monitoring may have found patients’ health information being sold or traded on the Internet.

This advance notice could have alerted the security and compliance teams of a problem, potentially sav-

ing the hospital from a $4.8 million fine. 12 Likewise, social media can be monitored for impostor accounts,

mitigating the risk of fraud and ensuring compliance with FFIEC or other industry guidelines.13

Customer service and fraud departments are yet another team that can benefit from threat intelligence, as

it can aid in identifying fraudulent or activist-related complaints and claims designed to disrupt business

operations or get products removed from shelves. Because multiple internal stakeholders can benefit from

threat intelligence, look for tools and services that can collect, isolate, and identify different types of threats

and risks. Reports and metrics demonstrating how threat intelligence benefits each team can be used to

procure or share budget, engage multiple stakeholders, and maximize the value of these tools or services

across the organization.

10

Myth 5

12 https://blog.cyveillance.com/federal-financial-institutions-examination-council-ffiec-issues-social-media-guidelines

13 https://ca.news.yahoo.com/blogs/right-click/news-earthquake-travels-faster-twitter-shock-waves-travel-164736000.html


11/1711




© 2015 Cyveillance

MYTH #6: I am a physical security professional. I deal with guns and

guards, so I don’t need cyber threat intelligence.

FACT:Threat actors are increasingly using online communication sites and methods to plan attacks and events that

can harm employees or physical assets, disrupt operations, or interrupt events and meetings.

For example, threat actors often use social media to rally supporters for their causes or to enlist participants in

disruptive events. These can range from political demonstrations and protests to flash mobs and sit-ins. Any

organization with animal-rights, environmental, or politically sensitive issues should expect that opposition groups

can and will use the Internet for organizing and managing their activities. A physical security team can use threat

intelligence to be alerted to potential protest activity targeting a company facility, shareholder meeting, or other

event. The physical security team can then take preventative measures to most effectively deploy resources atthe event or set up countermeasures like physical barriers to increase the space between a facility and a protest.

Threat intelligence can also help physical security professionals stay abreast of global disruptions of other types,

from political unrest to natural disasters, that can impact operations, facilities, or company assets and personnel.

The Internet is now often the fastest source for this type of data. For example, during the 2011 earthquake near Washing-

ton DC, Twitter warnings of the event actually travelled faster than the seismic shockwave from the quake itself. 14 Failure

to have real-time “eyes and ears” on the public Internet can leave physical security teams open to being blindsided.

11

Myth 6

14 http://www.pcworld.com/article/2690359/survey-byod-security-remains-spotty-with-users-unaware-or-unmotivated-about-risks.html


12/1712




© 2015 Cyveillance

MYTH #7: Our network is already protected by firewalls, IDS,

and anti-virus solutions. We don’t need external threat intelligence.

FACT:While firewalls and intrusion detection systems are still critical to addressing network threats, they can only

help prevent attacks once they reach the perimeter. From zero-day exploits to social engineering or even

physical attacks on employees, there are risks that traditional perimeter defenses simply can’t address.

Intelligence from beyond your own environment, whether in the form of technical markers like indica-

tors-of-compromise (“IOCs”) or reports on the latest hacker techniques, can be useful to understanding,

spotting, and mitigating threats before they reach your network perimeter.

There is another trend that renders traditional network defenses increasingly insufficient. For today’s

interconnected businesses, the corporate network perimeter is no longer the clear delineator between

their business and the outside world. The traditional perimeter is now spread across multiple devices and

locations,15 and in the cloud, where firms deploy critical services and store sensitive data. This change has

made traditional firewall and intrusion detection platforms incomplete solutions. For example, they can’t

necessarily help your teams prepare for – and protect against – new types of threats, such as malicious

code designed to cross into the corporate environment through employee-owned devices.

Criminals are capitalizing on the small screens of mobile devices and the distracted people using them to

develop new kinds of attacks, such as SMS phishing campaigns. One of the most sophisticated advanced

persistent attacks discovered to date illustrated this.16 In addition, there is evidence that threat intelligence

offers a measurable benefit to the business side of the equation. A 2014 study conducted by the Ponemon

Institute showed that companies that deployed security intelligence systems had a 23 percent higher ROI

than on other technologies such as encryption and perimeter controls.17

Myth 7

15 https://www.bluecoat.com/documents/download/638d602b-70f4-4644-aaad-b80e1426aad4/d5c87163-e068-440f-b89e-e40b2f8d2088

16 http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report

17 http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=27971


13/1713




© 2015 Cyveillance

MYTH #8: Threat intelligence is only useful before a breach or a security event.

FACT:While threat intelligence can help prevent breaches, it can also help identify and mitigate the damages from

previously undiscovered breaches or attacks. Research reveals that it can take up to three years or more

for organizations to discover a breach, which can expose an organization to millions of dollars in damages.18

That figure can be significantly reduced by discovering a breach sooner rather than later.

Monitoring the open source Internet, especially paste, leak, and document-sharing sites, is critical to dis-

covering leaked or confidential data or documents faster. Oftentimes criminals trade or sell stolen data onunderground forums or other hard-to-find places. Using an automated tool that can monitor these sources

can complement internally deployed data-loss-prevention (DLP) systems.

Finding the information earlier can allow your teams to mitigate potential problems. Reputational damage

can be reduced if an organization finds the information before the press or an unaffiliated third party does,

so that the PR and marketing team – not the media – can better control how the breach is addressed. Once

the breach is discovered, threat intelligence can help your security team learn how it occurred and may pro-

vide insights that prevent more data from being lost or stolen.

Myth 8

18 http://www.forbes.com/sites/ciocentral/2012/12/05/the-biggest-cybersecurity-threats-of-2013-2


14/1714




© 2015 Cyveillance

MYTH #9: We already have an in-house cyber security team, so we don’t

need threat intelligence from a third-party.

FACT:Even if you are a very large company with a big team, it can still be difficult to find, compile, sort, and analyze the vast

amount of information relevant to your organization’s cyber and physical security. More specifically, the following two

factors have made it nearly impossible for an in-house security team to maintain the safety of the entire organization.

The first factor is the explosion in risk types in terms of complexity and number. Besides risks such as phishing attacks, secu-

rity teams must now combat cyber-attacks that involve state and federal regulations, physical security, and customer data.

The second factor is the expanded attack surface. While threat actors continue to use older media, such as IRC

channels, they are increasingly using new vectors to plan and launch attacks. Keeping up with all of these tools and

tactics can be daunting for any security team, no matter how large. Moreover, many organizations have a global

presence, requiring analysts to be fluent in multiple languages.

The growing range of sources, risk types, and languages (along with variations in your risk profile, e.g., around a

major event like a shareholders’ meeting) can make it very difficult to always have the right mix of resources on

hand. Working with a partner who can supplement your internal team (whether full-time, part-time, or as-needed)

can be an important component of an overall threat intelligence strategy.

Myth 9


15/1715




© 2015 Cyveillance

MYTH #10: We can’t afford to hire more analysts to process, review,

and act upon threat intelligence.

FACT:If you have a small security team or perhaps a single person handling all security issues, you’re not alone:

according to conservative estimates, some 55 percent of organizations are short on information security

workers.19 Even the government is seeing a shortage of cybersecurity professionals. Cheri Caddy, director

of cyber security policy integration and outreach at the White House, recently stated, “We just have not

been training enough people to man the defenses of every business at work, every government at work,

every military mission.” 20

An in-house analyst team does not necessarily make business sense for all organizations. It can be timeconsuming and costly to find, onboard, and train new employees. Depending upon your business goals

– whether it is to increase revenue, increase the utilization of assets, or reduce costs – it may make more

sense to use the analyst team of a security partner. Before deciding whether to source the staff in-house

or to look to a third-party provider – or some combination thereof – it is important to examine the tools,

expertise, skill set, and manpower each will take.

Look for a partner that offers the option for full-time, part-time, or on-demand security consultants who

are knowledgeable about your business needs and can provide as much or as little help as you need.

For example, your company may not be large enough to require full-time resources, but you may need to

increase resources for specific events, such as board meetings. Or, you may have workday hours covered

but need support during off-hours or weekends. If your company is expanding operations into a new coun-

try, you may not have the in-house language capabilities or expertise to evaluate potential risks that could

impact physical offices or executive travel. An ideal partner is one that provides not just tools or data or a

platform to process information, but, if needed, trained analysts, linguists, consultants, and other experts.

Myth 10

19 https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/2013-ISC2-Global-Information-Security-Workforce-Study.pdf

20 http://www.courant.com/business/hc-cybersecurity-labor-shortage-uconn-white-house-20141020-story.html


16/17

While your network may be secure, do you have visibility

beyond the perimeter? Security is no longer about what you

can see. What you can’t see is where the true threats hide.

Cyveillance offers an easy-to-use platform that enables

security professionals the ability to see beyond the perimeter.Our solutions identify cyber and physical threats and risks

across the globe, allowing you to mitigate and eliminate them

before they disrupt your business.

We go beyond data to provide the threat intelligence that you

need to achieve your organization’s business goals. Contact

us today to learn more and get a free trial.

Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies. “2014

Global Report on the Cost of Cyber Crime.” Ponemon Institute; HP. 3 Dec. 2014. http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report

A study by Verizon has shown that the targets of 85 percent attacks are small businesses with less than 1,000 employees. Verizon, “2012 Data Breach Investigations

Report,” http://www.verizonenterprise.com/resources/reports/ rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

Cyber Threat Center

www.cyveillance.com/cyberthreatcenter


17/17

Cyveillance, a world leader in cyber intelligence, provides an intelligence-led

approach to security. Through continuous, comprehensive Internet monitor-ing and sophisticated intelligence analysis, Cyveillance proactively identifies

and eliminates threats to information, infrastructure, individuals and their in-

teractions, enabling its customers to preserve their reputation, revenues, and

customer trust. Cyveillance serves the Global 2000 and OEM Data Partners —

protecting the majority of the Fortune 50, regional financial institutions nation-

wide, and more than 100 million global consumers through its partnerships with

security and service providers that include Blue Coat, AOL and Microsoft.

For more information, visit www.cyveillance.com.

Cyveillance is a wholly-owned subsidiary of QinetiQ, a FTSE250 company

which uses its domain knowledge to provide technical support and know-how

to customers in the global aerospace, defense and security markets. For more

information on QinetiQ, visit www.qinetiq.com.

11091 Sunset Hills Road, Suite 210

Reston, Virginia 20190

888.243.0097 | 703.351.1000

www.cyveillance.com

[email protected]

Copyright © 2015 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names aretrademarks or registered trademarks of their respective owners

10 myths about cyber threat intelligence - separating fact from fiction

Documents