Why pay for premium threat intelligence, and how to choose a suitable service? Here are the objective arguments and tips …

A long time ago in the cybersecurity space far, far away, the choice of a threat intelligence service was often restricted to a handful of providers. Today, the cybersecurity industry in APAC is worth at least US$30.45bn and expected to grow at an annual rate of 18.3% from 2020 to 2025, with multiple cybersecurity vendors seeking a bigger slice of the proverbial pie.

Yeo Siang Tiong
Yeo Siang Tiong
General Manager, Kaspersky’s SEA

For any chief information security officer (CISO) or IT lead, operating in today’s highly-digitalized environment, not only are they tasked with establishing and maintaining the digital transformation efforts of their companies on a tight budget, they must also ensure that the company’s IT policy is compliant with the data protection regimes in the markets that they operate in.

Clearly, it is not easy task to take, but little things like having the right threat intelligence service can make life easier. We have been hearing a lot about this for several years now. But what is it threat intelligence exactly and what you should be looking for in a threat intelligence service provider?

To provide some neutral insights for CISOs in search of a suitable threat intelligence vendor, Kaspersky’s General Manager for Southeast Asia, Yeo Siang Tiong, contributes the following tips.

Threat intelligence primer

First, a refresher. Threat intelligence is data collected and analyzed by an organization in order to understand a threat actor’s motives, targets, and attack behavior. It empowers organizations of all shapes and sizes to make faster, more-informed security decisions and it shifts their cybersecurity posture from reactive to proactive.

If one has a knack for researching, there are a lot of free threat intelligence in the Web. However, a premium threat intelligence report or feed offers much more: comprehensive, real-time, organic, and actionable information that are exclusive to the enterprises subscribers in terms of public disclosure.

Why is it not ideal to wait until the mass release of a free threat report? Because it will allow you to act fast, to assess your risks, check your endpoints, fix the loopholes which they may exploit. Because knowing first-hand such critical information can save you money, reputation, and headache. Because proactive security is necessary at this time and age.

The reason why threat reports are not immediately made public to all is that it gives cybercriminals the same tip off as everyone, which is not a good thing.

5 tips to consider

Aside from these, what else should you be looking for in a threat intelligence service provider?

1. Check their sources
Threat intelligence should make your systems smarter through data feeds. To get the feeds you need sensors scattered all across the globe to ensure that your data is reflective of the real-time, global threat landscape.

Look for a threat Intelligence portfolio powered by millions of global users sharing their anonymized data. A huge network provides rich information compared to one with limited sensors and workforce insights.

2. Data collection strategy
A threat intelligence service’s data collection strategy should be the most important factor to consider in your evaluation of their capabilities because they can only provide intelligence as far as the parameters of their data sources allow.

Given that cybersecurity attacks are often transnational in nature, it is important that a vendor can source information globally and put pieces of the puzzle together in a way that makes sense for your IT staff. It should not be aggregated; it should be organic. It should also be critically monitored and studied by specialists who can understand tactics, techniques, and procedures (TTPs).

To assess whether a threat intelligence service has such a capability, look at their research team and see what kind of campaigns that they have uncovered.

3. Check the visibility
The visibility of your threat intelligence provider is an important consideration. Look into their Advanced Persistent Threat (APT) logbook and their database. Are they monitoring cyberthreats only from a particular country or region? Or do they have a global reach? Are there researchers only based in one country? Or do they have a network of experts scattered around the world? The answers for these questions are essential.

4. The intelligence and data gap
At the heart of the debate between intelligence and data lies the concept of context. Assuming now you have got your data sources set up and information is feeding in from all corners of the globe, but you are asking yourself the million dollar question: how do I know what is important and why is it important?

Things such as threat names, timestamps, resolved IPs addresses of infected web resources are useless on their own if there are not enriched with actionable context. When a relationship context is established, the data can be used more readily to answer the questions of ‘who’, ‘what’, ‘where’, ‘questions’. It is only at this point that data becomes the finished article—intelligence—and you now receive a boost when investigating incidents and uncovering new Indicators of Compromise (IoC) in your IT network.

5. The ability to integrate is key
Integration can be a dirty word of the IT industry. With constant technological upgrades and the evolution of standards happening all the time, the ability to integrate new processes into existing IT operations is a never-ending challenge.

Similarly, for threat intelligence, it is important that your service provider can provide delivery methods, integration mechanisms and formats that support smooth integration of threat intelligence into your existing security controls.

Proactive cybersecurity

The tips here are just a few of the many other aspects you should consider when looking for an external  threat intelligence service, but they serve as a good stepping stone in bolstering your cybersecurity posture for now.

With threats becoming increasingly complex and malicious, having the latest enterprise security program is no longer sufficient. Adding threat intelligence to your arsenal of cybersecurity countermeasures will allow you to bring the fight to them.

CybersecAsia thanks Yeo for the vendor-agnostic tips.