We’ve written several pieces on how important threat intelligence is to an organization these days. Being on top of threats and not being defensive is one of the ways that a CISO can better mitigate risks.
However, that doesn’t mean most organizations can afford a threat intelligence team.
By definition, if your IT security team is only a couple of hands, you can’t afford a separate threat intel team. A lot of Canadian small and medium-sized businesses fit into that category. However, there are still a number of medium and large organizations that could benefit from a dedicated threat intelligence team (which may not necessarily be full-time).
On Monday, Scott Simkin, a senior manager in the cyber security group at Palo Alto Networks, published a column on the pros and cons of having such a team, which CISOs should consider.
The advantages include the ability to hunt for advanced attacks, profile never-before-seen malware, campaigns or adversaries, and really think like an attacker.
But Simkin suggests CISOs ask the following questions before leaping into creating a threat intel team:
What is your organization’s current security posture? Are you automatically preventing attacks before they can breach your network? Do you have an information security team, and do they have a proven workflow in place for handling a successful cyberattack? How are you protecting your organization’s intellectual property and high-value assets? Is your network properly segmented?
If the answer to any of those questions is “no,” his advice is to get those issues addressed first, before even thinking about the need for a dedicated threat intelligence team.
He also notes that because such a team is expensive, it will not only need the support of the C-suite and the board, but will also have to know how to clearly communicate its value to the board.
Meanwhile, organizations that can’t afford a threat intel team need to make use of the intelligence they can get their hands on from a variety of sources, including vendors of their security products and commercial intel feeds. One such source is the fledgling Canadian Cyber Threat Exchange (CCTX), which hopes to be operational early next year.
Last week I spoke to CCTX chief executive Robert Gordon, who said the service will hold a private symposium Dec. 7 for early subscribers to outline progress on a number of issues including the efforts of several working groups toiling away on problems such as how the exchange will ingest data and the type of reports it will issue.
Some 30 organizations are in varying stages of joining the exchange and will have the opportunity to add their threat and vulnerability findings to commercial feeds. The exchange hopes to convert raw data into timely and actionable information for subscribers.
The exchange is chaired by Marc Duchesne, Bell Canada’s vice-president of corporate security and responsibility. The vice-chair is Colin Penny, SVP technology and chief information officer of Ontario electric distributor Hydro One Networks.
If an organization can’t have a threat intel team, through the exchange it may get the next best thing.