How to make threat intelligence work for you again


It comes as no surprise to anyone working in the security industry, or with a passing interest in technology, that most of our personally identifiable information has been stolen. Expanding databases of personally identifiable information have become a part of the never-ending cycle of cybercriminal activity. In short, the battle to keep our personal data safe has already been lost.

If this is true on a personal level, it is all the more concerning on a corporate level. While individual data certainly holds value for a threat actor, if they can compromise a network which contains personal data on thousands of employees, end users, or even citizens in the case of some government departments, they can engage in threat activity on a massive scale.

Companies know this, and are responding to an increasingly sophisticated cybercriminal ecosystem. In Mimecast’s recent State of Email Security Report 2023, 59% of the 1700 CISO respondents indicated that cyberattacks are growing in sophistication, and remain alarmingly frequent; two-thirds claimed that their organizations had been harmed by a ransomware attack, while 97% have been targeted by email-based phishing attacks.

These attacks lead, ultimately, to data exfiltration. Sadly, however, much of this data has been lost unnecessarily. As far back as 2016, Gartner reported that ‘99% of vulnerabilities exploited will be known by security and IT professionals by 2020’. This in effect means that threat intelligence on this subject has been failing to do its core job.

Where we’ve gone wrong

The first thing to say about threat intelligence is that the information that is discovered, analyzed and catalogued is undoubtedly a treasure trove: it contains the ‘cheat codes’ to offensive cyber activity that, when used appropriately, can help to stop attackers dead in their tracks.

The problem is not necessarily technological, but structural. The providers who work within the threat intelligence space number in the hundreds. Every single provider in this space is working to identify and categorize threats on behalf of their customers, and many do so incredibly effectively.

Where the issue arises is that these databases remain disparate, and siloed based on which threat intelligence providers companies have a relationship with.

Jess Parnell

VP Security Operations at Centripetal.

Therefore, a constant fight for corporate resources means that organizations have a choice. The first option is to continue to use the threat intelligence providers with whom they have a relationship, and pick and choose the number of alerts that they respond to. This is a hugely inefficient method of dealing with threats, and means that inevitably, some threats will be missed by those on the defensive side.

The second is to bloat their security budgets to include an ever-expanding toolset, in the hope they catch more threats. This is also risky from a business perspective; inflated budgets carry with them the expectation of greater resilience. If this fails, the security team may find themselves out of favor with the board.

While it is to be expected that unknown attack vectors will be missed - they are, after all, unknown by definition - the tragedy of the current relationship between threat intelligence and those attempting to use defensive security capabilities is that the known threats which the current threat intelligence ecosystem lets slip through should be entirely preventable.

A broken internet, and how to fix it: An intelligence-first approach

What does this ecosystem leave us with? An internet that works in favor of only two groups: security providers who are willing to charge organizations extortionate prices for access to their threat intelligence tooling, but who know that they are failing to provide comprehensive threat coverage; and the threat actors who know they can exploit the current unworkable system with impunity.

It is time for organizations to reclaim control of threat intelligence data. Instead of security teams having to constantly justify their need for an increased level of tooling or funding which they can throw at the problem, a radical change of approach is necessary.

The change needed is to work with providers who can analyze and quantify threat intelligence data from multiple sources for use in an active defensive posture before it gets to an organization. Not only will this reduce the alerts which the end user has to respond to, but it will also significantly cut the man hours spent in dealing with response, and even effectively reduce operational costs and the complexity of a security attack.

The good news is that CISOs are already aware that this change is necessary. 92% in the Mimecast report referenced above are either using - or plan to use - AI and machine learning to bolster their effectiveness in responding to cybersecurity threats. The key thing for these CISOs and the wider security community to remember is that this is not a case of adding new tooling to a new cybersecurity stack, but a case of intellectually realigning how you think about detecting and responding to threats, and ultimately keeping your organizations, and the wider Internet, safe.


Jess Parnell is VP Security Operations at Centripetal.