A threat intelligence capability is essential today for organizations to meet the challenge of sophisticated attackers, an audience of Canadian infosec professionals at a security conference has been told.
“Without the intelligence-led program you’re just throwing darts at the board, things change so fast,” George Rettas, managing director of global information security at U.S. financial giant Citigroup, told a panel at the SC Congress conference in Toronto on Wednesday.
And, he added, it doesn’t necessarily mean a large staff. When he ran the intelligence team at JP Morgan Chase, the four-person squad detected the 2013 Target stores breach.
“You don’t need 1,000 people to get the job done,” he said. “You need the right people in the right place.”
On the other hand, it wasn’t merely IT systems that discovered the breach. It took “someone out in the field garnering human intelligence for a very long time for us to make a phone call to put that person in motion where he could be in a position to gather intelligence,” he admitted. “But it took months and months for us to get that person there.”
In other words, threat intelligence means sometimes using snoops. Still, his point is that it takes a lot to assemble meaningful intelligence.
“It’s not going on the Internet and getting a whole bunch of articles and blasting out an email that no one reads. A lot goes into how to enrich and enhance that information to make it knowledge, to make it actionable and to make it timely — it has to be timely, because if it’s too late it doesn’t matter.”
Not only can a small team be effective, he added, but an organization doesn’t have to be the size of a bank to have one.
“There’s a lot of low-lying fruit — are you using all the data your company has? Are you using fraud to protect the network, using the network to prevent AML (anti-money laundering), are you correlating the data in a way that makes sense?”
He recommends that CSOs assess all the analytical tools the organization already has that can be leveraged, as well as its human resources, to figure out where the gaps are. Then they should see whether there are threat intelligence tools that can be developed internally or purchased to fill those gaps.
Building a threat intelligence capability means figuring out who the organization’s main threat actors are, Rettas and panellist Neil Correa, a senior security consultant with KPMG Canada, agreed.
Correa noted that threat intelligence is “proactive incident response” – the CISO knows what to look for before an incident. It’s also not like a vulnerability, where you know there’s a hole, he added, but more granular: “You know there is a hole that is being exploited, by how, what exploits are being used and how you can respond to it.”
A threat intelligence capability doesn’t mean an organization will eliminate breaches, he added, but it will reduce the impact.
“Think about operational excellence (in assembling a threat intelligence capability), think about quality control, quality assurance, making sure you have good data in so you have good data out,” said Rettas.
“Think about process re-engineering, a constant problem-solving process that is used every day, think about people with real business and operational skills — not just the people that are able to gather intelligence. There are a whole bunch of attributes that go into an intelligence team.