© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Roberts, Cyber Threat Intelligence, https://doi.org/10.1007/978-1-4842-7220-6_1

1. The Cybersecurity Wild West

Aaron Roberts, London, UK

I am certain that if you’ve worked in cybersecurity for any period of time, you know that this entire industry is full of snake oil merchants.

Identifying the Wheat from the Chaff

It’s definitely not easy to look at the wide range of vendors that proclaim to offer cybersecurity services and spot the ones that can add real value to you in the immediate future and those that cannot.

Whether you have a security practice that is highly mature and has been around for many years, or if you’re just starting on your journey, I can assure you that within a couple of conferences or a few demos of the latest and greatest deep-web dark-web blockchain machine-learning artificial intelligence prediction matrix super platform, you’ll already have a grasp on what you think is utter nonsense and what you feel may actually be able to help you.

The first thing you need to consider is the cost. This should go without saying, but, honestly, more expensive does not always equal better. If you’re lucky, you have a budget that can cover
  • High-fidelity indicator of compromise (IOC) feeds

  • Human intelligence (HUMINT) coverage

  • Endpoint Detection and Response (EDR)

  • Dark web

  • Comprehensive tactics, techniques, and procedures (TTPs)

Suppose you have all of these in a centralized and well-structured platform, well then, why are you bothering reading this book? You’ve hit the mother lode and good luck. Also, add me on LinkedIn when you get the chance.

For most though, the reality is a bit less fortunate. You may have access to an IOC feed, or you may have some level of EDR feeding into a Security Information and Event Management (SIEM) tool or Intrusion Detection/Prevention System (IDS/IPS). For others, you may only just be starting and wondering why you’re still using Windows XP (may it rest in peace).

Depending on where you are within your journey and what kind of budget you have at hand, you probably want to consider the following security controls to establish a baseline level of protection:
  • Antivirus (AV) protection on every device connected to your network.

  • VPN access for every device outside of your internal network (laptops, mobiles, etc.).

  • A commercial firewall to help block any intrusions.

  • An enterprise password management policy that isn’t archaic (see the UK National Cyber Security Centre (NCSC) advice on password management for up-to-date ideas on best practice).

  • Multifactor authentication (MFA) where possible (authenticator apps, biometrics, etc.).

  • Enforcing the use of password managers and educating staff on establishing secure passwords for every site they need login credentials for (tools such as LastPass are ideal for this).

  • Adopting patch management processes that don’t miss or need 300 years to get implemented.

  • Ensuring that all staff receive baseline cybersecurity training that aligns with the UK NCSC’s ten-step guidance.

  • A central incident management process that pulls together each team in security to get insight and ensure a coherent approach to incident response. Crazy, I know.

Honestly, the threat from most actors would significantly drop if organizations adopted these few simple measures (particularly patch management and adoption of MFA). As I write this chapter in 2020, it’s still not uncommon for organizations to not use MFA, make users change their password every 30/60/90 days, and wonder why staff accounts get hacked… Here’s a clue: forcing users to change passwords arbitrarily usually results in them not really changing their passwords – adding a 1 on the end doesn’t make your password more secure, or a 2, or a 3. You get the idea. It’s a misconception that this is secure practice – unfortunately, several vendors on the market prey on this kind of behavior.

You soon learn that the majority of vendors who use every buzzword under the sun, or have particularly flashy demonstrations, or offer the best social occasions are most often the worst offenders when it comes to the value of their product. They’ll claim that they do everything for just several tens of thousands of dollars/pounds when their product doesn’t do half of what it claims, and even the things it does well are half-baked and not worth the investment.

This may seem overly harsh, and maybe it is, but I’d posit that cybersecurity, and CTI in particular, is an industry full of snake oil and bollocks. Pardon my CTI vendor language.

What Kinds of Vendors Are There?

You’ll be pleased to know I don’t mean good, bad, or slightly shifty. There are a range of products and services on the market (some of which are free) that you may want to consider for your own needs and purposes; please note the following is not exhaustive:
  • IOC feeds – As described, there are a large number of companies providing lists of IOCs for you to monitor/block/lovingly caress as appropriate.

  • Scrapers – Some well-established companies scrape a large section of the “clear web” and some deep/dark web. They range from companies that only focus on your business to more well-rounded datasets covering threats you may face, the general cyber threat landscape, and what is going on in the world, all indexed and structured together. Depending on your team, your requirements, and your budget, you may find this sort of access very helpful. It can, however, be quite costly.

  • HUMINT feeds – HUMINT, or human intelligence, is the collection of intelligence derived from human sources. Think your more traditional spy agency, but in vendor space, this is only on the Internet and probably not the attractive person you think you’re chatting with.

  • Reporting feeds – Companies that have access to network sensors or offer incident response services may then report on the activity they can see and sell that for profit. The largest companies have a solid reputation in this field but can be very expensive. The details, knowledge, and access they have are, however, unparalleled in the private sector. This is likely one of the most important things you’ll purchase if you have an organization large enough to fund it (hundreds of thousands of dollars/pounds at a minimum).

  • Threat Intelligence Platforms (TIPs) – Not all TIPs are made equal. Depending on your needs and what you want a TIP to do, you’ll find many flavors available, some of which will not suit your needs at all, and some that may be better for what you want. Don’t be drawn in by flashy demos or promises, trial and test them before committing significant amounts of money. Alternatively, you could look at free/open source equivalents such as Malware Information Sharing Platform (MISP) or OpenCTI. You may, however, find you need more personalized support, depending on your requirements. This is where commercial TIP vendors can really earn their money.

  • Data breach specialists – If you’re at a large company, you probably want to know when your staff accounts are compromised and where. That’s where specialist data breach companies come in. They have unrivaled access to the sort of data that can help you identify gaps in your controls and dates and times of when breaches happen. Combining this information with your other platforms can be a real force multiplier for understanding your risk profile and for preventing significant incidents from happening before it’s too late.

  • Predictive analysis – There’s a growing trend, at the time of writing, of companies that promise to scan your networks using machine learning or artificial intelligence to spot new gaps and prevent significant incidents from occurring before you can even consider them. It sounds awe-inspiring, and while I wouldn’t rule out the ability of their systems to do as advertised, I do wonder whether they can provide the level of service they claim and whether you couldn’t better use the almost guaranteed exorbitant cost elsewhere in your security posture. An area to keep an eye on for sure; whoever builds the most accurate product for this will likely end up very wealthy indeed.

Where Do You Even Begin? Always Start with Intelligence Requirements

As you can see from what we’ve discussed so far, which is certainly not an exhaustive list of “intelligence providers,” there’s a veritable feast of options to choose from.

Any good security organization will strong-arm you into providing a comprehensive list of intelligence requirements (IRs) before they take your money. These requirements will form the baseline of service. A standard set of things that should get covered in intelligence requirements are as follows:
  • What sectors is your business operating in?

  • What systems and services do you use and want to monitor for threats?

  • What are the threats you’re most worried about as a business (broken down by your customer areas)?

  • What other security vendors do you use?

  • What is your business planning to do in the next X years?

Let’s take a look at each of these questions in turn to ensure you can baseline the requirements for your organization when asked.

What Sectors Is Your Business Operating In?

The first thing to establish when building out your requirements, either internally among your security staff or externally with a commercial vendor, is what sectors/industries your organization operates in.

This might seem obvious in many cases. Vodafone is a mobile phone network, but Vodafone subsidiaries also own payment companies in Africa that handle a large number of cash and bank transfers. Understanding each business/subsidiary your organization has will allow you to better understand the threats you face and the types of actors who will likely keep you awake at night. If you’re unsure of this, you should always ask around and reach out to the necessary individuals. If your team doesn’t have the scope for this work, you should ensure this is communicated to vendors and colleagues.

What Systems and Services Do You Use and Want to Monitor for Threats?

When considering a new intelligence provider or solution, you should ensure compatibility with existing services you have and the monitoring service being provided.

If you already have a vendor who provides a specific type of solution (e.g., dark web forum monitoring), you might not want to purchase a second vendor who does the same thing as part of their service. You may be able to find what you need elsewhere as a separate service or combined with a different gap in your visibility.

When it comes to integrating with the security systems you already have, you want to ensure that the new solution will complement the current systems and make the lives of those using them much more straightforward. Can your new provider offer a browser extension that automatically checks the data you already have and provides any matches? Can you import further information seamlessly and save time for already overworked analyst teams? Where possible, you want to avoid your team having to switch windows or tabs endlessly; this is how things get missed, and it contributes to analyst fatigue.

Another critical factor in this technology is the level of integration of your new service with what you already have. Can you query your SIEM/IDS/IPS/TIP/etc. directly and see what data is new or needs to be brought in for further analysis? Can you enrich the data from the new provider with other services you may pay for, such as VirusTotal or DomainTools? If you have vulnerability management software, does this new intelligence tool provide data on newly exploited vulnerabilities? Do these two systems communicate? Can you automate this alerting? All are potentially massively useful and time-saving solutions for your analysts.

What Are the Threats You’re Worried About As a Business?

This one should be fairly clear. If your organization isn’t particularly concerned about the cyber threat from Southeast Asian script kiddies, why would you buy the super intel feed 3000 for Southeast Asian script kiddies? I’m being trite, but a lot of cybersecurity vendors offer the same or very similar services and often hide behind buzzwords or dashboards to push through a sale on systems that you don’t need because you already have six other tools that do the same thing.

Figuring out your unique threat landscape is vital to every organization. You’ll want data and intelligence on wider campaigns of course, but you will need to focus and home in on things particularly relevant to your business. These threats could be sociopolitical, ethical, religious, activist (and hacktivist), insider, corporate espionage, cybercrime, or the good old-fashioned nation-state – or all the intricate subcategories contained within these broader groups. Your intelligence team needs to understand where the majority of your risks lie and who would be likely to exploit those risks. In the vast majority of cases, and at the risk of being unfashionable, every business still needs to worry about phishing and Business Email Compromise (BEC) fraud. It’s not as sexy as a Russian military spy breaking in and stealing all your information on the fantastic and historic Salisbury Cathedral. Still, it’s the bread and butter for the vast majority of cyber attacks.

You might also have niche risks when compared to the majority of other companies, depending on your business and where it operates. If your company relies on fossil fuels, you face a particular threat from individuals and groups who find your business abhorrent. You will need very tailored, specific intelligence to protect your business and staff when compared to an online retailer whose main cyber threats originate from (probably) Russian-based cybercriminal groups.

By understanding the threats you’re likely to face and need to counter, you give yourself the best possible chance of choosing a cybersecurity vendor who provides high-value intelligence to you when compared to a different vendor who has broader threat data. This might be the difference between avoiding a catastrophic breach and ending up on the headlines of news websites.

What Other Security Vendors Do You Use?

I’ve mentioned this already, but considering what other vendors you already use allows you to identify where your gaps in collection are and if these gaps are critical to you and thus empower you to fill them. It should also enable you to take a more holistic approach across your security systems and think about where you can rationalize services. Maybe one of your vendors has just started a new service that you can knowingly incorporate with a service you already use and possibly cut some costs in the process. This can enable you to put that money to better use elsewhere, ideally in filling one of the gaps you’ve identified in this process.

Integrating new and existing systems should enable your analysts to save time and bolster their productivity, allowing them to focus more on things that are relevant and removing barriers from their existing day jobs. If you’re comparing two different vendors who claim to do the same thing and if one of them has an all-singing, all-dancing list of integrations that work with your existing toolset, you’re more likely to reap the rewards a lot sooner than by taking on a disparate vendor whose tooling may need extensive training and familiarization. This, of course, is assuming that all other things between the two are equal and they provide the same levels of service (this is not always the case).

Many vendors in the CTI space also work collaboratively with each other, so you may find that interoperability between services is a lot stronger than you initially envisage when considering one vendor alone. Thus, it’s always worth considering who they partner or align with and your own requirements. You may get a better deal than you thought possible.

What Is Your Business Planning to Do in the Next X Years?

Cybersecurity, along with most other businesses, relies on long-term, repeat business to survive. Understanding what your organization’s plans are for the mid- to long term can help you establish a stable relationship with a vendor when compared to only thinking about the next 12 months.

If your company is keen to expand aggressively, you may want to use this in your negotiations to get more licenses at a better rate, rather than adding them on later at a premium. If the expansion is going to be via mergers and acquisitions (M&A), you might want to consider what services are provided by the vendors you’re negotiating with on competitor intelligence. Suppose your business is diversifying its portfolio over the length of the contract. In that case, you might want to reconsider the industries/sectors each vendor can provide you with intelligence on, mainly if the diversification is into different markets.

Understanding the main business drivers for your organization over the longer term will better enable you to find and build relationships with security vendors who can provide you real value, not just a few beers and a steak every quarter. Suppose you can find vendors who offer a wider range of intelligence that matters to you and your company. In that case, you’re setting yourself up for success, rather than just taking on a different company because they’re cheaper/flashier/have fancier offices etc.

Further Considerations for IRs

Along with what we’ve covered so far, there is an entire set of considerations that we must use to define our requirements. The following list should give an idea of what else we need to think about when defining intelligence requirements for an organization:
  • Technology

  • Complexity

  • Reliability

  • Risk

  • Customers

  • Cost

  • Source

  • Actionable

  • Relevance

  • Vulnerability

  • Timeline

  • Sensitivity

  • Audience

  • Geography

  • Proximity

There are almost certainly going to be other requirements for each individual business. The threat landscape is unique for all of us, but these considerations do at least provide a baseline that will be common for us all. Feel free to add those considerations that are unique for your business or sector and get to defining those requirements!

You may find that someone has previously drawn up a list of IRs for different services/vendors. It’s always worth checking these for things that you may have missed or not considered. It’s also worth considering when these IRs were drawn up and what’s changed in that time. A lot of the time, requirements will change with personnel, and in cybersecurity, that can be a very fast-moving revolving door. Guilty. We all are. Admit it.

IRs should never be a static process. You should always be reviewing and refining them. As the landscape shifts, and new vulnerabilities or attack vectors become prominent, your focus and response should shift. By enabling your intelligence team to take ownership of and responsibility for the company’s IRs and to build relationships with vendors, you give everyone the best possible chance of success. As things evolve, you will drop some IRs and add new ones (usually the latter); this is no bad thing and helps demonstrate the value and security being provided to the organization, its clients, and stakeholders.

Tip

Intelligence requirements form the baseline for any CTI team. Reviewing and refining them regularly helps to keep your organization protected and helps everyone understand what value you can get from a new vendor or supplier.

What Do You Get for Your Money?

This is arguably the biggest consideration of all when dealing with vendors or suppliers. Cybersecurity solutions are far from cheap and usually end up in the hundreds of thousands of dollars/pounds area. A common issue for many organizations is proving the real value of intelligence when compared to a shiny dashboard that claims X threats stopped this week. Executives love dashboards, especially those pew-pew maps claiming to show cyber attacks in real time. Unfortunately, that’s the world we live in, but do try disconnecting from the Internet when looking at a pew-pew map and see if it still works. Now that is technology!

Proving value in intelligence is hard and is probably why there’s a wide range of services and products that all seem to be the same until you look at them and realize they all do “the same thing” completely differently and at odds with each other. A good CISO will understand this though and will look for what value comes from the outputs of the intelligence team. If the reporting is consistent and of value and provides actionable insight, and you see threats getting identified, triaged, and managed in a timely fashion, then you’re doing well. If everything is on fire, but the dashboard says everything is fine, then you need to have a long, hard think.

It might sound sexy and cutting-edge, but a lot of work in CTI is figuring out which things are actually a threat or of relevance to you and what to do about it. Most of the time, it’s providing IOCs and TTPs to the threat hunting team and the SOC (security operations center); some of the time, it’s about reporting on trends or new attack types. Sometimes, it’s an opportunity to do some training and learn new things, and sometimes everything is on fire as Vladimir Putin has hacked in and everything is broken. Those are the best times.

I hope you can see that understanding the value in a purely monetary sense here is challenging. Some tools may claim to show you an ROI based on how much time it’s possibly saved an analyst, but that’s not precisely clear-cut and is far from an exact science. In my opinion, the best way of evaluating the value you’re getting from your intelligence tools, and the teams using them, is based on the quality of the teams’ output and how they collaborate with the broader security teams. If you’re getting toward a genuine fusion across disciplines, having people with different skillsets working on the same problem to get results, in that case, you’re ahead of the majority of security practices. And that’s awesome.

If you’re reading this and thinking, “Gee this is great, but I’m in a contract with a company that I’m not getting value from,” then all is not lost. Reach out to them, see if they’ve ever been given genuine IRs, and identify what’s changed since their service came on board. Set up regular touchpoint meetings and encourage collaboration between your analysts and theirs. See this as an opportunity to put everything in this chapter into practice; subsequently, see if the quality and level of service improves as a result. If it does, then awesome – you can buy me a beer someday. If not, then you may consider your options when it comes to renewal.

Key Takeaways

  • Cybersecurity vendors come in all shapes and sizes and all levels of quality and price. You need to identify your requirements, their offering, and a price that suits all parties.

  • Establishing your own IRs will make the process of identifying a suitable vendor so much simpler. It will also enable your analysts to focus on what really matters and will help to foster collaboration both internally and externally.

  • Understanding the systems, services, and relationships you already have will have a profound effect on helping you understand what you need from a new supplier. Knowing where your gaps lie will help you to make better decisions with choosing a new service. This is doubly true when considering integrating a new service into your existing systems.

  • Knowing what your own threat landscape looks like is paramount to success. If you know this, you can remove some vendors from your bidding process who don’t match up with the threats that you face.

  • Having a solid understanding of your business’s longer-term aspirations will help you to identify areas in which existing or new vendors can help you with your cybersecurity approach as those changes happen.

  • Defining value from services on cost vs. reward is difficult, but you can still identify successes based on output and the fidelity of work conducted by your teams.

  • Ensuring your IRs are regularly reviewed, maintained, and actioned by your analysts, encouraging their collaboration with colleagues and vendors, is a good way to bolster existing services and acquire value that you had considered wasn’t there previously.
