Does threat intelligence (TI) work? I looked into that question last year, exploring the reasons why it actually doesn’t and what can be done to remediate the situation. Since then, more companies have incorporated TI into their security processes, and many are still not getting the benefits they expect.

What’s causing the dissatisfaction? Interestingly, pretty much the same aspects—i.e., mismatches with cybersecurity needs, lack of resources, implementation challenges, and other misunderstandings and misconceptions—and new ones.

So, how can we bridge these gaps in the second half of 2019? TI is of complex nature and a change of perspective, alongside a strong commitment to best practices, are necessary to overcome the hurdles along the way. Let’s dig into the latest learnings in the field and figure a way forward.

Analyzing and operationalizing TI takes time

Gathering any form of intelligence and applying the corresponding insights is something that cannot and should not be rushed. Likewise, getting the most value from TI requires diligent and thorough analysis with the right metrics, scope, and depth at the outset. Otherwise, it’s not easy to measure progress. All of that takes time, and impatience could set in and affect the quality of data collection, processing, and interpretation.

TI may end up too general and off-target

TI analysis goes from broad to specific, and it’s important to carry out the process all the way through because threats are subtle and dangerous in detail. If TI results and interpretations are too general, they’ll likely fail to address the areas that need particular attention. It’s up to users to narrow down the focus to get intel relevant to their brand or industry—e.g., online fraud for payment processors, DDoS or ransomware for large enterprises, etc.

Over-reliance on manual processing and analysis is bad

TI is labor-intensive, sometimes more than it needs to be. As part of TI’s implementation, security staff must find a balance and leave sufficient legwork to automated systems, possibly with machine-learning capabilities. In turn, threat intelligence analysts can spend more time on strategic and urgent tasks that allow for a more effective and faster response to immediate threats.

TI is not your average cybersecurity operation

The practice has its specificities and therefore requires people capable of handling the particular operational and technical elements for, say, the integration of a threat intelligence API into pre-existing security applications. In a similar vein, TI teams also need enough resources and logistics to avail of specialist equipment and skills—of course, in line with an organization’s sector and its core activities and salient vulnerabilities.

Actions must be taken based on TI insights

As bad actors adjust their tactics, so should people within organizations. As a means to detect what’s wrong with systems and online assets over time, TI and its actionable insights must be disseminated to forewarn employees and help decision-makers make wise acquisitions and security investments. A new malware, for example, should be immediately put on the radar and steps on how to counter it be immediately laid down.

On an external level, sharing intelligence with other organizations creates an early-warning network that thwarts attacks and facilitates the dismantling of threat infrastructure.

Integrate with your tools and teams

TI should not be a lone-wolf fighting an independent battle. Instead, it should be integrated as a major part of the overall cybersecurity strategy. The effectiveness of SIEM, as well as other important incident management systems, is enhanced when they are complemented by TI’s contextual analysis and actionable recommendations to halt attacks.

* * *

The said benefits of threat intelligence remain elusive at times. Proactive measures need to be put in place in 2019 and beyond in order to overcome challenges and successfully implement the practice as part of integrated cybersecurity efforts.