Keeping up with potential threats in any situation can be overwhelming. Here’s an example: Monitoring your children’s consumption of content on the internet — knowing exactly what they are reading or seeing — is a challenge. Even if you’re monitoring the incoming data on your router or using a monitoring software, it can be difficult to understand all the data points and know whether they indicate harmful influences.
Imagine you notice that your child is watching a YouTube video of someone playing a video game, such as “Fortnite.” This might seem like no big deal — a single data point that does not immediately raise concern. Add that data point to another of a news story indicating a rise of YouTube videos on “Fortnite” containing mature or child exploitation material, and it quickly becomes a cause for concern.
If you can correlate the data you use to monitor your child’s internet usage by matching it up to certain YouTube channels or users that have been listed as compromised, then you now have a basis for concern. From here, you can develop a tactical action plan to block those channels and speak to your child about a potentially harmful bit of messaging.
This same model can be applied to understanding threat intelligence within the power industry. Developing a tactical or strategic action plan to mitigate potential security threats is paramount to keeping a facility or organization secure — and it’s more complicated than simply collecting data points.
Data vs. Correlation
It’s a common mistake for organizations to believe that collecting data through their security information and event management (SIEM) system equals threat intelligence. Collecting data points is the first step, yes, but with literally billions of data points coming in each day, the ability to sift through and understand that data is the only way to identify potential threats to an organization’s systems.
Real threat intelligence is achieved when an organization correlates its collected data by comparing it against multiple sources of information to support its findings. Unfortunately, many software and security intelligence firms offer multiple ways to collect data points, but very few offer a complete solution that performs real dynamic threat intelligence. That term describes information that has been collected, evaluated for authenticity, processed and enriched for consumption by its intended party, so that it informs the appropriate tactical or strategic action.
To gain real value from threat data points, an organization needs a threat intelligence analyst who can view data points from the SIEM, intelligence platforms, credible news feeds, “darknet” searches and other sources to make the necessary connections and create the actionable threat intelligence plan. It’s a full-time job to correlate this data, and there are clear benefits.
An organization may spend countless hours and dollars collecting data from its systems, but if that data is never correlated, those resources are spent fruitlessly. Threat intelligence analysts correlate these disparate, raw data points into viable tactical or strategic intelligence for security and operational teams. When used correctly, threat intelligence becomes a critical weapon in an organization’s defense posture, putting its security teams one step closer to mitigating potential or actual assailants.
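The correlation described above, as an added example that is not part of the original article: raw SIEM-style events are matched against several independent intelligence sources, each match is scored by how many sources corroborate it, and only corroborated, high-confidence findings are turned into a concrete action. The events, the three source names ("platform-feed", "news-report", "darknet-search"), the indicators under the reserved `.test` domain and the confidence values are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed raw SIEM events (outbound proxy/DNS style records); not from any real system.
SIEM_EVENTS = [
    {"ts": "2024-05-01T08:01:12Z", "host": "hmi-03", "dst": "updates.example-vendor.test", "bytes": 1024},
    {"ts": "2024-05-01T08:02:40Z", "host": "eng-ws-07", "dst": "cdn.example-media.test", "bytes": 88120},
    {"ts": "2024-05-01T08:05:03Z", "host": "hmi-03", "dst": "portal.badsite.test", "bytes": 5120},
    {"ts": "2024-05-01T08:06:51Z", "host": "eng-ws-07", "dst": "portal.badsite.test", "bytes": 2048},
    {"ts": "2024-05-01T08:09:10Z", "host": "hist-01", "dst": "telemetry.example-vendor.test", "bytes": 512},
]

# Constructed intelligence sources. Each maps an indicator to (confidence 0..1, context).
INTEL_SOURCES = {
    "platform-feed": {
        "portal.badsite.test": (0.8, "phishing infrastructure"),
        "cdn.example-media.test": (0.3, "bulk hosting, low reputation"),
    },
    "news-report": {
        "portal.badsite.test": (0.6, "named in a public report on utility-sector phishing"),
    },
    "darknet-search": {
        "cdn.example-media.test": (0.2, "mentioned once, unverified"),
    },
}


@dataclass
class Finding:
    """One indicator seen in the SIEM data, with every source that vouches for it."""
    indicator: str
    hosts: set = field(default_factory=set)      # internal hosts that contacted it
    sources: dict = field(default_factory=dict)  # source name -> (confidence, context)

    @property
    def score(self) -> float:
        # Treat each source as independent evidence: 1 - prod(1 - confidence_i).
        miss = 1.0
        for confidence, _context in self.sources.values():
            miss *= 1.0 - confidence
        return round(1.0 - miss, 3)

    @property
    def severity(self) -> str:
        # A single-source hit is never escalated on its own; corroboration is required.
        if len(self.sources) >= 2 and self.score >= 0.7:
            return "escalate"
        return "monitor"


def correlate(events, intel):
    """Match every event destination against every source; one Finding per indicator."""
    findings = {}
    for ev in events:
        dst = ev["dst"]
        for source, indicators in intel.items():
            if dst not in indicators:
                continue
            finding = findings.setdefault(dst, Finding(dst))
            finding.hosts.add(ev["host"])
            finding.sources[source] = indicators[dst]
    return findings


def build_report(findings):
    """Turn findings into the ordered, action-oriented list an analyst would hand over."""
    report = []
    for f in sorted(findings.values(), key=lambda x: x.score, reverse=True):
        if f.severity == "escalate":
            action = f"block {f.indicator} at proxy/DNS; open incident for {', '.join(sorted(f.hosts))}"
        else:
            action = f"add {f.indicator} to watchlist; re-check when another source corroborates"
        report.append({
            "indicator": f.indicator,
            "score": f.score,
            "corroborated_by": sorted(f.sources),
            "context": [ctx for _c, ctx in f.sources.values()],
            "hosts": sorted(f.hosts),
            "action": action,
        })
    return report


if __name__ == "__main__":
    for row in build_report(correlate(SIEM_EVENTS, INTEL_SOURCES)):
        print(row)
```

Run as-is, the two vendor-update destinations produce no finding at all, the low-reputation CDN host lands on the watchlist because its two sources only add up to a weak score, and only the phishing domain seen from two hosts and named by two independent sources is escalated with a concrete blocking action. The scoring rule and thresholds are an assumption of this example; the point is that the raw events alone carry none of this meaning, and the intelligence feeds alone say nothing about which of your hosts are affected.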
An old manager once told me, “I hate surprises.”
The right threat intelligence can give a chief security officer or team a way to communicate with nontechnical top executives about risks and threats to the organization, as well as the potential political or financial objectives of the threat actors. Providing C-level management with a weekly or monthly plan or report regarding security threats and the actions needed to mitigate them creates a further level of understanding and awareness across the organization.
In reality, the C-suite really does not care how many hits there were on the firewall, how much malware was blocked, or what John Doe said about his utility bill on Twitter. These are just interesting data points. The way the threat intelligence analyst marries those data points together and transforms them into actual threat intelligence should give executives a strategic picture of the threat landscape and of how the organization’s current security posture will hold up. Collaboratively, the organization can then make better tactical and strategic decisions on how to respond effectively to incidents or potential incidents.
To build and maintain C-Suite engagement in security and threat intelligence, it is important to remember these key points:
- Make sure your threat intelligence is extremely clear on how it will affect the organization (do not become the one who cried wolf).
- Make sure the C-suite has an opportunity to provide feedback on the threat intelligence.
- Make sure the threat intelligence assigns specific actions to the C-suite.
- Track and share successes along the way.
The Ponemon Institute, an independent research organization, releases a yearly study focused on cybersecurity practices in organizations throughout North America and the United Kingdom. The most recent report indicated that 70 percent of security industry professionals believe threat intelligence is too complex to provide actionable insights. Additionally, these organizations neglect to share data with board members and C-level management, while security teams are generally not optimized to deliver a plan that addresses threat intelligence. Let that sink in for a minute.
All these factors indicate that threat intelligence should become a higher priority among a wide range of industries, including the power industry. Cyberthreats to systems are out there. Having a clear understanding of the issues they can cause and a plan for how to mitigate them improves an organization’s overall cybersecurity posture, ultimately saving time and money.
The number of third-party vendors offering security solutions has exploded, flooding the market.