NIST SP 800-137

According to ESG Research, 65% use external threat intelligence (i.e. open source or commercial threat information) as part of their overall security analytics activities. This is yet another factor driving the intersection of big data and security analytics. Of those enterprises that consume commercial threat intelligence, 29% say that it is “highly effective” in helping their organization address risk while another 66% say that commercial intelligence is “somewhat effective” in helping their organization address risk.

So how do some of the organizations use commercial threat intelligence so that it “highly effective” in helping them reduce IT risk? ESG did some further data analysis to find out. It turns out that these enterprises:

1. Security intelligence is used to support other security objectives. Rather than use security intelligence as a secondary data sources, “highly effective” organizations tended to have specific use cases and metrics for security intelligence. For example, many included security intelligence into formal risk management programs in order to fine-tune security controls, launch impromptu vulnerability scans, or lock-down systems.

2. Security intelligence feeds are integrated into SIEM and GRC tools. “Highly effective” push data feeds directly into their security management and analytics technologies in order to correlate external threat intelligence with internal status and activities. Interestingly, these firms are also replacing security point tools with centralized enterprise-class security management systems. Clearly these “highly effective” organizations are also on the leading edge of big data security analytics.

3. Highly effective organizations share security intelligence across the organizations. These enterprises seem to get their money’s worth as they make sure that security, risk, compliance, privacy, IT, and executive managers have access to customized views of security intelligence that can help them with their individual tasks and responsibilities.

4. Highly effective organizations supplement security intelligence with external expertise. Risk management and incident detection/response are difficult activities requiring resources and expertise. Given the current security skills shortage, “highly effective” enterprises are most likely to turn to professional and/or managed service providers for help in these areas.

Leading security vendors like IBM, McAfee, RSA, Sourcefire, and Symantec provided out-of-box security intelligence into their latest security management technologies. There are numerous industry Information Sharing and Analysis Centers (ISACs) for exchanging security data. The U.S. Federal government wants to increase public/private partnerships for security data sharing. All of these efforts are intended to make new sources of security data “highly effective” resources for risk management and incident detection/response. Following the 4 steps described above could really help industry consortiums and individual organizations achieve these goals.