Threat intelligence platforms — although in their infancy — have the potential to help agencies derive insight and actionable information from cyberthreat data that now exists in silos across multiple government agencies, classification levels and groups. But despite numerous efforts, the goal of aggregating and correlating information onto a shared platform, where all parties involved can jointly analyze and use that threat data easily, has been elusive.
Earlier this year, the Obama administration took new steps to create an integrated view of threat information across government. In February, the White House introduced the Cyber Threat Intelligence Integration Center, or CTIIC, an organization dedicated to collecting, analyzing and distributing information throughout the government to identify and stop major cyberattacks.
The CTIIC is expected to support all of the federal operational cyber centers, including Homeland Security’s National Cybersecurity and Communications Integration Center, the focal point for the federal government’s interaction with the private sector on cybersecurity issues. At the same time, DHS will share cyber threat indicators received from the private sector and international partners with the CTIIC.
Going forward, many federal agencies will have to put the proper mechanisms in place to ensure information flows to the right people and agency components, security experts said. But agency leaders also need to take a larger view of their overall strategy for gathering and sharing information.
“The best threat intelligence is unique to every organization,” said Greg Boison, director of homeland security and cybersecurity with Lockheed Martin, which developed an Intelligence-Driven Defense security intelligence framework to detect, mitigate and effectively adapt to advanced cyber threats. “There is no replacement for the intelligence and information gathered from the threats you have faced in the past as they are likely to return,” he said.
However, he added: “Great intelligence that sits on someone’s desk because there are not enough analysts, or time sensitive intelligence that is not being quickly incorporated into your network, is not effective.” he said. So agencies need to think about how to broaden their network of intelligence analysis, by making sure they “have the downstream mechanisms in place to leverage the threat intelligence,” he said.
Here are five other tips he and other experts offered that will help agencies avoid pitfalls that tend to undermine effective federal threat intelligence analysis and platforms:
1. Develop a strategy.
Threat intelligence analysis does not take precedence over basic cyber hygiene, patching and reducing known vulnerabilities, Boison said. Only when a mature security posture is in place should agency managers move toward fully embracing use of threat intelligence.
One of the first steps is determining who is going to be responsible for receiving the information and disseminating it to the various agency components, said Alan Webber, research director for innovation and transformation at IDC Government Insights.
Secondly, establish a threat process for gathering the information, and determine what type of threat intelligence platform would be suited for your agency. Agencies might decide they should do threat analysis as a shared service among agencies. “But it is going to have to be done smartly,” Webber said.
2. Choose your threat intelligence platform.
Agencies need one platform to aggregate internal and external threat data and intelligence, said Adam Vincent, CEO of ThreatConnect, which offers a platform that lets government agencies and large enterprises aggregate all available threat data, analyze it rapidly, and then produce tactical, operational and strategic threat intelligence all in one place.
A threat intelligence platform must be able to automate actions, gather data from multiple sources of intelligence in one space for correlation, handle structured and unstructured data and free security analysts from using spreadsheets and e-mail for collaboration.
“People need a collaborative platform so they can communicate and work together as teams that are dynamic because the threat [environment is constantly] changing,” Vincent said.
Other companies offering threat intelligence platforms include Norse, ThreatQuotient, ThreatStream among others.
3. Find and hire the right people. (It’s not easy.)
There is a shortage of qualified cyber analysts to defend federal organizations, Vincent said. What’s more, they are not used in the most effective manner. Too often many analysts are working in a silo, copying and pasting data and collaborating using email.
Cyber intelligence analysts are in high demand, Boison said. These analysts are not the people who watch alerts or tune firewalls. Instead, they are engaging and analyzing the events that are impacting their networks.
“You need the tools in place to assist intelligence analysts,” Boison noted. For instance, Lockheed Martin has a knowledge management system with 10 years’ worth of background information on cyber incidents and threats from which analysts can learn. To retain these high-level security practitioners, constant training and professional development is necessary
4. Automate. Automate. Automate.
“Automation is increasing the speed at which people can triage and act upon the data,” Vincent said. For instance, if nobody needs to be involved in blocking a specific port on the firewall and data is telling you that someone is using that port, then close the port. It is only when the risk to the mission is high enough that human intervention is needed. When the analysis says there is something that needs to be done, there has to be a configurable workflow/process capability that can automate or semi-automate the process as much as possible, Vincent said.
5. Gain better oversight via threat intelligence.
Agency managers need better oversight into what is going on within their security programs. However, the data isn’t always available to make strategic decisions about the day-to-day and year-to-year efficacy of their security programs and the various risks to the mission. The ability to allow the processing across a security team to be done within a platform lets them monitor the efficacy of that process and improve it, according to Vincent.
The bottom line is that threat intelligence will never succeed as an agency-by-agency effort, IDC’s Webber said. “There has to be a whole government perspective on this. And we haven’t gotten there yet,” he said.