Ransomware attacks are on the rise. VMware recently surveyed 3,542 CISOs across 14 countries for its Global Security Insights report. It found that ransomware attacks were the dominant cause of breaches for organisations worldwide. To compound this, its Threat Analysis Unit identified a 900% increase in ransomware over the first half of 2020.
Despite this rise, many organisations have been left behind with their security operations. 60% of organisations experienced ransomware attacks in 2019, and 29% of those said attacks happened at least once a week. In fact, according to Gartner, 27% of malware incidents reported in 2020 can be linked to ransomware.
Ransomware has become a mainstream topic of concern. High-profile attacks have impacted America’s East Coast fuel supplies and targeted transportation systems and financial service providers.
Organisations are conscious of protecting themselves and their customers when attacks happen, and consumer confidence has been affected. A better understanding of adversaries and their tactics, techniques and procedures (TTPs) is needed. It helps you understand how your organisation can mitigate the risks.
Intelligence is key to any security operation
A cornerstone to any security operation is a threat intelligence program. It will provide better intelligence across the threat spectrum from known to unknown attacks. It also delivers the ability to leverage this intelligence for all the systems and analysts who need it.
This intelligence must include internal data, events and telemetry, supplemented with external data from a diversity of sources. Those include commercial vendors, open sources, ISACs, CERTs, government cyber organisations and other sharing communities.
Threat Intelligence Platforms (TIPs) have risen in popularity to deal with this complexity. There are four functions of a TIP:
- A TIP stores and manages threat information no matter where it comes from.
- It can correlate and contextualise it by prioritising the small fraction of relevant information and turn it into useful intelligence.
- The intelligence must be shared with downstream systems that use it for post-compromise detection, pre-emptive blocking, and patch prioritisation.
- TIPs may include analysis and visualisation tools that assist various user groups, including SOC analysts, incident responders and threat hunters, making it easier to share intelligence and collaborate.
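The four functions above, as an added example that is not code from the article or from any TIP product: a toy Python model that stores indicators from several constructed feeds, scores them by source corroboration, relevance to internal telemetry and age, and routes only the prioritised fraction to blocking, detection or patching. The feed entries, the internal sightings and the CVE placeholder are all assumptions.

```python
# Added example (not the article's or any vendor's code): a toy model of the four
# TIP functions. Every feed entry, sighting and CVE id below is constructed.
from collections import defaultdict
from datetime import date
# Constructed feed entries: (source, indicator type, value, first seen as ISO date)
FEEDS = [
    ("commercial-vendor", "ip", "203.0.113.7", "2024-05-01"),
    ("isac", "ip", "203.0.113.7", "2024-05-03"),
    ("open-source", "domain", "bad.example", "2024-04-20"),
    ("cert", "cve", "CVE-0000-0000", "2024-05-02"),      # placeholder CVE id
    ("isac", "cve", "CVE-0000-0000", "2024-05-04"),
    ("open-source", "ip", "198.51.100.9", "2023-01-01"),  # old, single source
    ("commercial-vendor", "ip", "192.0.2.44", "2024-05-08"),
    ("cert", "ip", "192.0.2.44", "2024-05-09"),
]
# Constructed internal context: values seen in our own logs / asset inventory.
INTERNAL_SIGHTINGS = {"203.0.113.7"}
INSTALLED_CVES = {"CVE-0000-0000"}
def ingest(feeds):
    """Function 1: store every indicator, merging duplicates across sources."""
    store = defaultdict(lambda: {"sources": set(), "first_seen": None})
    for source, itype, value, seen in feeds:
        rec = store[(itype, value)]
        rec["sources"].add(source)
        rec["first_seen"] = min(d for d in (rec["first_seen"], seen) if d)
    return store

def score(rec, value, today):
    """Function 2: correlate and contextualise (corroboration + relevance - age)."""
    s = 10 * len(rec["sources"])
    if value in INTERNAL_SIGHTINGS or value in INSTALLED_CVES:
        s += 50                       # observed internally: directly relevant to us
    age_days = (today - date.fromisoformat(rec["first_seen"])).days
    return max(s - 5 * (age_days // 30), 0)

def route(store, today_iso, threshold=20):
    """Functions 3 and 4: keep the prioritised fraction and hand it downstream."""
    today = date.fromisoformat(today_iso)
    out = {"block": [], "detect": [], "patch": []}
    for (itype, value), rec in store.items():
        if score(rec, value, today) < threshold:
            continue                  # noise: never reaches downstream systems
        if itype == "cve":
            out["patch"].append(value)          # patch prioritisation
        elif value in INTERNAL_SIGHTINGS:
            out["detect"].append(value)         # already seen: post-compromise hunt
        else:
            out["block"].append(value)          # not yet seen: pre-emptive blocking
    return out
```

Raising `threshold` shrinks the block list first, since single-source or stale indicators with no internal sighting score lowest.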
So how do you get started with a threat intelligence program?
Open data sources and tools such as MISP, TheHive and Cortex are some ways to get started with threat intelligence. They help build and test the processes required and demonstrate what they can do for your organisation. However, the soft costs of the coding and development time that open source tools require are worth noting. You will likely end up with a single person in the organisation holding the institutional knowledge and domain expertise. Should that person leave, costs and risks increase, and the program will fail.
Whether you go through this stage or jump straight to evaluating commercial approaches, keep in mind that most threat intelligence programs will cost in the range of £360,000 – £1.4 million per year for an effective capability, including people and new systems, for example, threat intel analysts, a TIP and intelligence sources.
However, given the size of reported ransomware demands, and a recent report that estimates the average cost of a data breach at £2.8 million, with mega breaches (50 million records or more stolen) reaching £284 million, a threat intelligence program that prevents even a single breach each year will pay for itself.
Focus on making the right case for a budget
This can be difficult to show when making a case for a budget. Unless your organisation constantly suffers data breaches, you are unlikely to have any hard data with which to calculate an ROI. Instead, one approach is to track your organisation's ability to detect compromises, and then determine which of those compromises were detected exclusively with intelligence from the threat intelligence program.
One large global technology company attributed over 1,500 compromises per annum to its intel program using this method. Set against its overall compromise detection and the costs of security tools, incident response, threat hunting and alert triage, this let it show a strong ROI for its threat intelligence program.
This use case and others, including threat intelligence management, vulnerability management, and accelerated prevention and detection, each present their own ROI areas. These include increased staff efficiency, improved collaboration, faster patching of prioritised vulnerabilities, reduced attacker dwell time and faster time to respond.
As threats evolve and emerge, a threat intelligence program is integral for an organisation’s survival. Now is the time to implement a threat intelligence strategy. Even if you already have a program in place, there is always room for improvement and optimisation for your top use cases.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.