Beyond Compliance: Security Based on Threat Intelligence

In my role as Senior Director of Rackspace Security Operations, I regularly discuss complex businesses and security challenges with chief security officers and other business security professionals.

Abundantly clear from these discussions is that securing an enterprise today is a complicated business. Information technology continues to evolve at unprecedented speeds, challenging businesses to evolve at a corresponding pace. Companies should insist on benefitting from the industry’s innovators and the technology platforms they create. In this constantly changing and evolving environment, which spans every technology platform and every geographical region, modern security organizations are charged with two distinct missions:

• Enable the business. That means helping a company manage risk to the extent that it can do what it needs to do to deliver outcomes to customers.
• Minimize business impact. The hard truth is, we know organizations will be attacked; when it happens, security teams must have the visibility and capability to protect critical assets and minimize impact.

Cyber criminals are innovating, too

Delivering on these two missions is not a trivial endeavor, but the challenge is more complicated by a changing threat landscape often overlooked when determining what is required to protect organizations. Just like the businesses we defend, cyber criminals are innovating and taking advantage of new technologies in order to achieve their goals.

Take all of this complexity and add in the much publicized global security skills shortage and it’s not surprising that many organizations, unsure where to turn, too often focus on ‘compliance’ as the answer. By that I mean looking at regulations like HIPAA, GDPR, PCI or even internal company checklists as a proxy for comprehensive security practices.

Compliance is a business imperative and rightly plays a significant role in the daily life of a security team. But it’s intended to ensure a baseline standard of controls and to confirm that best practices are being followed.

When combined with a security framework, compliance is a good start and a useful checklist for approaching a security program, but it's a reaction to what has already happened and what has already been documented. For cyber criminals, it represents a known puzzle they must solve; unfortunately for defenders, it’s a puzzle they’ve solved many times. Consequently, the evening news is full stories about ‘compliant’ companies that have been breached.

Security beyond compliance

Building and maintaining an effective security program requires a clear and detailed understanding in three critical areas:

• The threat: who is attacking us? What are their goals? How are they attacking us?
• Mitigating capabilities: what do we need in place to mitigate the threats that we face?
• Capability requirements: in terms of people, process and technology, what do we need to deliver on those capabilities?

All three areas are dynamic. And it’s important to remember that we are building an operation to defend against an army of cyber criminals, not an army of compliance auditors. Our adversaries are experts in their field, who are constantly evolving their technology as well as their tactics, techniques and procedures, or TTPs. In many cases, they’re evolving them in order to circumvent the very ‘best practices’ we’ve put in place and use to sail through compliance audits.

In order to effectively defend the enterprise, it’s important that we are first and foremost informed about who and what we are defending against.

The role of threat intelligence

The role of threat intelligence is critical here. All too often I hear security leaders talking about how threat intelligence must be ‘actionable’; invariably they are referring to a piece of intelligence that can be automated into our tools, or intelligence that can be used to generate a cyber hunt mission. I agree that this tactical support to operations is critical, but threat intelligence should play a far greater role.

[Read more: Finally, a Truly Secure Approach to Threat Intelligence]

Threat intelligence teams can tell us what bad guys are doing, how they are evolving and what technologies they are exploiting. It can tell us how the risk to our businesses may change based on the geographical region that we choose to expand into, or the change in risk that may be associated with partnering with a particular organization, or industry vertical. Failure to identify specific threats means an inability to build the capabilities needed to defend against those threats. I would argue that this represents strategic support to operations, and not only is it ‘actionable,’ it’s foundational.

The level of expertise, technical capability and oversight needed to stay on top of the threat landscape, and build an operation agile and resilient enough to keep up with those threats is challenging for any team. The ‘buy, partner, or build’ question is a valid one, and the answer should, at least in some part, be driven by how best to consume and react to what threat intelligence tells us about our enemies and how to defeat them.

Compliance is a very important standard to attain, but when it becomes the bar by which we measure the success of the security team, the evening news is waiting.