Larry Ponemon, chairman and founder of the Ponemon Institute, talks with Wyatt Kash about the growing need for enterprises to leverage the right kind of threat intelligence. The conversation comes as the Ponemon Institute recently conducted a survey sponsored by Anomali that found organizations are increasingly interested in using threat intelligence to secure their enterprises. However, Ponemon gives advice on how threat intelligence goes beyond plug-and-play. There are ways enterprises need to tailor their feeds, along with configuration challenges that have to be overcome so performance remains optimal. The two also discuss ways enterprises can avoid information overload by using threat intelligence to find actionable information instead of contributing to a data deluge.
Welcome to CyberScoop's podcast series on threat intelligence, brought to you today by Anomali.
I'm your host, Wyatt Kash.
And in today's episode, we're talking about the value of threat intelligence, and the findings of a new study by the Ponemon Institute, about how more than 1,000 IT and IT security practitioners are integrating threat intelligence with existing security platforms and technologies.
Our special guest today is Larry Ponemon, Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy, data protection, and information security practices.
Larry, welcome to the program.
Thank you, Wyatt.
It's a pleasure being here.
Well, let's get started.
I believe our listeners would certainly agree on the importance of incorporating threat intelligence into their security operations, and your new study seems to support that.
Tell us a little more about the findings of your latest research and, perhaps, about what surprised you about what you learned from the study.
First, I want to thank my sponsor, Anomali, for sponsoring this important piece of research.
We've been doing this for the past two years, and I think we're going to do this over the long haul so we'll probably want to do a webinar over the next four or five years to see if the world has changed with respect to threat intelligence.
The scope of our project, as you mentioned, included IT and IT security practitioners in both the United States and the United Kingdom.
In total, we had and if you know something about research, that's a pretty good sample size.
What were maybe some of the highlights from that study that you'd like to share?
Number one, I think it's important to note that threat intelligence continues to be an essential or very important component to a company's IT cyber security program.
We looked at the perceived importance, or value, of threat intelligence and last year, 77% of our sample said that it was essential or very important.
This year, that number is 86%.
So it was important last year, it's even more important this year.
Another, I think, really interesting fact is enterprise deployment of threat intelligence technologies and platforms is definitely on the rise.
It's actually up more than 10% from last year.
So all of these facts suggest that threat intelligence is here to stay.
And if you're not doing it as a company, you probably need to consider doing it in the near future.
Well, let's dive a little deeper, what would you tell organizations that aren't fully utilizing threat intelligence, are some of the primary benefits they're missing.
And what the state of the art threat intelligence tools can offer them.
Despite perceived importance, there remains to be barriers to success.
Basically, overcoming these barriers is necessary in order to get maximum value out of the threat intelligence technologies or platforms.
A, number one on the list, is just lack of in-house expertise.
People who use threat intelligence really need to have an understanding, some background in how to incorporate this information into your decision making process.
And if you don't have the right people, it's very hard to accomplish that mission.
Another problem is too much complexity in the use of sharing of intelligence information.
It's very complex, quite frankly, and it integrates into like your IDS, IPS, SIM.
It requires a lot of effort to make that work, it's doable, but it's not that easy to overcome the complexity issue.
Also, another issue is the information overload or information clutter.
There's a lot of information that may be irrelevant, but you don't know it, and you have to consider it.
And then, finally, as I mentioned a couple of seconds ago, it's difficult to integrate.
Integration difficulties in both IDS, SIM, and traffic monitoring systems, it remains to be not insurmountable problem, but a big issue in terms of getting maximum value out of your threat intelligence system.
I think it might be helpful to also distinguish threat intelligence from a lot of the other security tools that are out there.
We know there's a lot of alert systems.
How would you characterize what threat intelligence is about distinct from some of those other tools?
Fundamentally, threat intelligence is about early detection of potential cyber attacks.
I think this is kind of a good example to illustrate.
Someone say, rings your doorbell and this is pretty normal behavior.
You don't worry about it.
Someone's ringing your doorbell, maybe they're going to sell you Girl Scout cookies, that's a good thing.
But if you knew in advance that the person ringing the bell was on the FBI's Most Wanted List, would you drop everything and call 911?
Probably, you would.
So in that simple example, threat intelligence is basically giving the information to really stop, very early in the process, an attack or cyber abuse.
And, basically, if you do that right, obviously, you're going to save your organization a ton of dollars because it's very expensive-- from another Ponemon study-- to basically deal with cyber attacks.
Well, you mentioned some of the challenges organizations are facing to take full advantage of threat intelligence, work force being one of them, but one of the other areas of concern is that it may diminish performance, that is, by integrating threat intelligence into your security architecture, you might bog it down.
What would you say to organizations about that concern?
Well, is the beauty of a platform solution.
Basically, if you have a platform, based on the research that we've done-- generally speaking-- the degradation problem is not significant.
It's not even noticeable, in most cases.
But, again, it requires you to build your process, integrate your different technologies in a way that's efficient.
If you don't integrate it well, you will have degradation.
But if you implement it appropriately and have the right people and process in place, you're not going to see, in general, significant degradation.
But this is why companies probably should consider a platform-type solution rather than a point solution because point solutions are normally very difficult to implement and integrate into your existing security arsenal.
Also, I'd like to pursue the ideas of what advice you would share with the organization and getting maximum value from it.
Great question, and, basically, I think the number one challenge-- but it is not insurmountable, as I mentioned before, but it's a very big step you have to overcome-- making sure that you have a way of dealing with information overload.
Threat intelligence, the systems like Anomali, for example, prioritizing information that you need to consider.
And I think this is where machine learning and artificial intelligence will play a very important part of the threat intelligence technologies in the future.
Again, overcoming the information overload problem.
If you do that, also, you reduce type two false positive as well as false negative types of problems that are very, very costly for organizations because you don't know what to change.
And so you may miss it or you may actually find it but you won't even know that you found it because it's just too much information.
So overcoming information complexity, then, as I mentioned before, another challenge is recruiting and employing skilled personnel.
Or for smaller organizations, finding a managed security solution provider that can help.
Let's talk a little further about how we use that information for upper management.
I noticed in your study, for example, that you asked how threat intelligence is used to educate senior executives and the board of directors, and, apparently, only about 38% of the folks that you surveyed this year said they do that.
About half said that they're not using it.
What would you say to the audience, in general, about the importance of threat intelligence to a larger audience?
Because threat intelligence, I think when we think about it and the users of threat intelligence, we think about it from a technical point of view.
These are the people in the front lines of security, and they need this intelligence in order to do their work.
In order to improve upon the effectiveness of their company security posture.
But also, threat intelligence provides some, I think, very interesting information that, if organized appropriately, could be helpful to raising awareness and ultimately, entertaining your C-level executives, as well as the board of directors.
Despite that, as you mentioned, the results of our study suggest that we have a long way to go.
There are a lot of organizations that really don't communicate this type of information to the board.
And even if they did, the board might not have a full understanding of it because they also need to be educated as well.
Any last advice to our audience?
What else they should be considering as they look towards threat intelligence platforms and making better use of it?
I think there are two things that are very important that come to mind immediately.
Number one, find a solution that supports your company's security mission.
There are different tools, different types of tools.
Some are using artificial intelligence and machine learning.
Others are using big data analytics and so on.
There are big differences in these different types of technologies, all giving you information that could be useful as threat intelligence information.
So find a solution and build a solution that basically supports your security mission.
Another related issue is building a governance structure that supports the effective use and, ultimately, the full dissemination of intelligence throughout the organization.
I didn't mention that, but that's a problem for many companies.
They get the information, but they don't actually disseminate it fast enough so the information is not actionable.
So building the governance structure around the technology, I think, could be very, very helpful.
Well, I wish we had a little more time today, but Larry Ponemon, thanks so much for joining us to talk about the threat intelligence, and how it can add value to organizations.
And talking a little more about your new report, the Value of Threat Intelligence, the Second Annual Study of North American and United Kingdom companies.
And we'll make sure that link's available to our readers.
And, of course, we'd like to thank Anomali for making today's episode possible.
You can look for more of our coverage on cyber security and threat intelligence on cyberscoop.com.
This is Wyatt Kash.
Thanks for tuning in today.