Security officers who treat threat intelligence and risk management as the cornerstone of their security programs may hold an advantage over peers who are constrained in how they can make use of the data available to them.
CISOs are generally tasked with evaluating security controls and assessing their adequacy relative to potential threats to the organization and its business objectives. Their role in cybersecurity risk management -- the conscious decisions about what the organization will and will not do to protect assets, beyond what compliance requires -- is still hotly debated.
The transition toward risk management is more likely for the 42% of enterprises whose security officers report to executives outside of the IT organization (the board of directors or the chief risk officer, for example), according to Gartner. The firm's analysts advise security officers to treat compliance as an outcome of a risk-based strategy, but admit that "organizations have not kept pace."
Equinix started to build a customized threat intelligence program about five years ago. The International Business Exchange data center provider uses threat intelligence along with risk assessment to do its "homework" before the company invests its resources in information security or agrees to IT requests from departments with different priorities.
"It doesn't make sense to go and buy a piece of [security] equipment because somebody in sales and marketing says, 'This is a big deal for the company,'" said George Do, global information security director of Equinix, which operates colocation centers in 15 countries. "We have to vet it, and we have to understand: Is this really a threat? What are the threat vectors?"
"Sometimes, there is this black orbit, and we are just there for the ride," said Do. "I am always very conscious of that, and I want to make sure that whatever we are spending resources on is truly managing risk."
Metrics that Do reports up the chain of command, starting with the CIO, include data from the last quarter and year on the number of critical incidents -- compromised data or critical servers, for example. Because Equinix employees frequently travel all over the world, security incidents involving employees' mobile endpoints (laptops and mobile devices), such as malware or backdoors, are tracked, as are employee acceptable-use policy violations.
In addition to capturing incident data, the security team tracks metrics around any attempted cyberattacks against the organization, especially around the perimeter from firewalls, VPN servers and mobile device gateways. "We have a Palo Alto firewall where I can see that [data] very clearly," said Do. "I can present a very simple dashboard to any executive that shows: Hey, at any given second of the day we are being attacked by literally thousands of threats and the firewall is doing its job so it's not like we invested in this for nothing."
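The perimeter metrics described above start life as raw threat-log records, and the work is turning them into the two numbers an executive dashboard needs (how many attacks were seen, how many the firewall stopped) plus the short list the security team actually has to act on (high-severity events that were logged but not blocked). The following is an added example written for this article, not Equinix's code and not Palo Alto Networks' software; it uses a constructed, simplified CSV layout (`timestamp,threat_type,severity,src,dst,action`) rather than the real PAN-OS threat-log schema, the action vocabulary in `BLOCKING_ACTIONS` is an assumption, and the sample records are made up.

```python
"""Aggregate constructed perimeter threat-log records into reportable metrics.

Added example. The log layout is a simplified, constructed CSV and is NOT the
real PAN-OS threat-log schema; the records below are invented, and one is
deliberately malformed to show that bad lines are counted and skipped.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed sample records, not real traffic (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z,vulnerability,critical,198.51.100.7,10.0.0.5,drop
2024-03-01T10:00:05Z,vulnerability,high,198.51.100.7,10.0.0.5,reset-both
2024-03-01T10:01:00Z,spyware,medium,203.0.113.9,10.0.0.12,alert
2024-03-01T10:02:00Z,scan,low,203.0.113.9,10.0.0.1,drop
2024-03-01T10:03:00Z,vulnerability,critical,192.0.2.44,10.0.0.5,alert
2024-03-01T10:04:00Z,spyware,high,192.0.2.44,10.0.0.12,drop
this line is garbage and should be skipped, not crashed on
2024-03-01T10:05:00Z,scan,informational,203.0.113.9,10.0.0.1,drop
"""

# Assumed action vocabulary: these mean the firewall stopped the session.
# Anything else (for example "alert") means it was logged but allowed through.
BLOCKING_ACTIONS = {"drop", "reset-both", "reset-client", "reset-server", "block"}
# Severities that must be followed up when the event was NOT blocked.
ESCALATE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class ThreatEvent:
    ts: str
    threat_type: str
    severity: str
    src: str
    dst: str
    action: str

    @property
    def blocked(self) -> bool:
        return self.action in BLOCKING_ACTIONS


def parse_threat_log(text: str) -> Tuple[List[ThreatEvent], int]:
    """Parse the constructed CSV format. Returns (events, malformed_line_count)."""
    events: List[ThreatEvent] = []
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            malformed += 1          # count it so the dashboard can show data-quality gaps
            continue
        ts, ttype, sev, src, dst, action = fields
        events.append(ThreatEvent(ts, ttype.lower(), sev.lower(), src, dst, action.lower()))
    return events, malformed


def summarize(events: List[ThreatEvent]) -> Dict[str, Any]:
    """Roll events up into the numbers reported upward and the list to work."""
    total = len(events)
    blocked = sum(1 for e in events if e.blocked)
    escalate = [e for e in events if e.severity in ESCALATE_SEVERITIES and not e.blocked]
    return {
        "total": total,
        "blocked": blocked,
        "allowed": total - blocked,
        "blocked_ratio": (blocked / total) if total else 0.0,
        "by_severity": dict(Counter(e.severity for e in events)),
        "by_type": dict(Counter(e.threat_type for e in events)),
        "escalate": escalate,       # high-severity events that got through
    }


def dashboard_lines(summary: Dict[str, Any], malformed: int) -> List[str]:
    """Render the executive view plus the analyst follow-up list as text."""
    lines = [
        f"threats seen: {summary['total']}  blocked: {summary['blocked']}  "
        f"allowed: {summary['allowed']}  block rate: {summary['blocked_ratio']:.0%}",
        "by severity: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["by_severity"].items())),
        "by type:     " + ", ".join(f"{k}={v}" for k, v in sorted(summary["by_type"].items())),
        f"malformed log lines skipped: {malformed}",
    ]
    for e in summary["escalate"]:
        lines.append(f"FOLLOW UP: {e.ts} {e.severity} {e.threat_type} {e.src} -> {e.dst} ({e.action})")
    return lines


if __name__ == "__main__":
    parsed, bad = parse_threat_log(SAMPLE_LOG)
    for out in dashboard_lines(summarize(parsed), bad):
        print(out)
```

The first line of the output is the one that belongs on an executive dashboard; the `FOLLOW UP` lines are what the security team works. Counting malformed records separately matters because a parser that silently drops lines understates the attack count, and the same aggregation run over each quarter's logs yields the period-over-period comparison the article describes.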
While threat intelligence is the foundational piece of risk assessment at Equinix, the use of intelligence data in the security industry is often ad hoc. "It has either plateaued or actually decreased," said Do.
"There are always two sides of the spectrum," he continued. "The companies that are very good at doing SIEM [security information and event management] and all of these intelligence pieces so that the more intelligence or data points that they've added to their infrastructure, the smarter they become."
But the majority of the security teams don't do that. "They are either mired in compliance checkboxes or chasing down shadow IT services. Or there are so many things going on in their universe that there are no resources, or time, left to focus on threat intelligence."