Use Threat Intelligence Services for an Agile Defense

The wrong time to learn about a security threat is when it occurs.

The “fragile” state, learning about an attack when it is already underway, is the most dangerous for enterprises. By contrast, learning about a threat earlier, while a hacker is still researching a target, gives security professionals the agility necessary to combat an impending attack. That’s where threat intelligence services come in: they provide visibility into a threat before it arrives.

By 2018, 60% of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies, according to Rob McMillan, research director at Gartner, speaking in “Be Agile Not Fragile: Use Threat Intelligence Services to Defend Yourself” with Ruggero Contu, research director at Gartner, at the Gartner Security & Risk Management Summit in National Harbor, Maryland.

Threat intelligence is:

  • Evidence-based knowledge
  • Including context, mechanisms, indicators, implications and actionable advice
  • About an existing or emerging menace or hazard to assets
  • That can be used to inform decisions
  • Regarding the subject’s response to that menace or hazard

But intelligence is more than just a gathering of facts. Its strength is to go beyond the obvious, trivial, or self-evident information to correlate and analyze multiple data points. It should also cover a range of information, including the goals of the threat actor (whether it’s a person or malware), the life expectancy of the threat, the reliability of the information presented, and characteristics of the threat and outcomes for the organization.

Interestingly, while many vendors position their threat intelligence services for short-term, operational decisions, Gartner’s annual survey showed that 48% of users say they utilize threat intelligence services to support longer-term, strategic decisions, as opposed to 30% who utilize them for short-term purposes. Organizations should realize that threat intelligence is an important raw material for their strategic security plans. Keep in mind that certain intelligence may not bear fruit for two years, assuming a minimum 18-month cycle to implement a larger strategy/program that utilizes commercial services.

When security professionals manage incidents, they see only the clues left behind and won’t know the who, why, or how of the attack. “You don’t get to see the replay of what the bad guy did, only the wreckage of what was left behind,” McMillan says. Machine-Readable Threat Intelligence (MRTI) is an example of a short-term, operational use to avoid an attack. Here, modern network devices can ingest content and make real-time decisions on what to block or control. This provides a sense of agility in a real-time defensive architecture.

Threat intelligence can give some insight on whether the bad guys are after money, data, or just acting out of malevolence. Security professionals should consider it to make informed decisions about current threats, develop plans for emerging threats and develop agile response capabilities (e.g., with MRTI). In formulating a plan for its use, be clear about what question you need to answer and then select the right content and provider to answer that question.

Video replays from the Summit are available at Gartner Events on Demand.