The cybersecurity labor crunch highlights gaps in threat intelligence practices

In Greek mythology, Sisyphus, the King of Corinth, was punished by Hades by being forced to roll a huge stone up a hill, only to have it roll down again as soon as he reached the summit, and then have the process repeat ad infinitum. The Paradox of Sisyphus exemplifies the modern state of cybersecurity.

threat intelligence practices

More organizations are deploying a deluge of disparate security tools only to have one incident hinder the entire momentum. The story does not end here. Like Sisyphus, organizations continue to repeat the futile process with new budgetary allocations, compliance investigations and deployment of more security tools without looking inwards to understand what needs to reform.

The security paradox is further complicated by both the rapid and continuous expansion of the attack surface and the worsening labor crunch. The growth of the cloud, mobile computing and the Internet of Things (IoT) has greatly expanded the size of networks, leaving teams with more cyber territory to protect, and more vulnerabilities to account for.

Meanwhile, education and training institutions have lagged in keeping pace with the changing realities of the threat landscape. On one hand, we have well-funded, highly skilled and motivated state-sponsored cybercriminals who are adept in delivering sophisticated malicious payloads via complex delivery mechanisms, while on the other hand, we have overburdened white-collared cybercops obligated to work within the confines of their organization’s security policy with limited resources and budgetary allocations.

In an effort to keep up with the shortage of hands, organizations are deploying more—and more varied—security technologies, only to exacerbate the problem, by giving the limited workforce more tools and alerts to keep track of, including a deluge of false positives, to analyze and act on.

Additionally, when a deluge of alerts, hits understaffed security teams, it magnifies the problem. The one glimmer of hope is the single factor connecting these disparate security technologies is that of threat intelligence – either they generate it or leverage it to respond to and contain security threats. Unfortunately, the current approach to cyber threat intelligence practices is falling short of the industry’s needs and requires a complete overhaul. Organizations need to take a step back and refocus on the critical aspects of threat intelligence management.

In an ideal scenario, threat intelligence must provide relief from the labor crunch faced by organizations by acting as a force multiplier for security teams. It should help in predicting attacks and mounting a preemptive response. It should serve as a knowledge enhancer on threats that organizations can quickly act upon to achieve the desired outcomes.

However, if the threat intelligence collected does not get converted into actionable insights, it is essentially of no value to the organization and only complicates the woes of the labor crunch. Another critical aspect of threat intelligence management is the identification of the most relevant threat intelligence amidst the noisy signals. Analyzing irrelevant threats does not move the needle in terms of the organization’s cybersecurity posture and is a waste of time for security teams facing a talent shortage.

With a barrage of threat alerts received daily, organizations need well-defined processes and capable solutions to filter through the alerts. By ranking and prioritizing threat indicators based on contextual factors such as geographical location, industry sector, target system, etc., or by validating threat indicators in a trusted collaborative environment, security teams can smartly overcome alert fatigue and beat the challenge posed by a lack of hands.

Further, improved threat intelligence sharing practices could prove an effective antidote to the perennial and sector-agnostic cybersecurity labor crunch issue. Organizations could come together to break barriers and join hands through information sharing communities. When different security teams start exchanging threat intelligence, it becomes much easier to identify pieces of the larger picture of the threat environment.

This becomes especially effective in preventing damages from attack campaigns that target organizations in a particular sector, or organizations affected by a shared set of attack vectors. The cybersecurity ecosystem consists of many diverse stakeholders including private sector organizations, government departments, industry associations, regulatory agencies, non-profits, security researchers and more.

This complex ecosystem often lacks a united front against adversaries who learn from each other every day. To address this, threat intelligence sharing and collaboration must be adopted as an integral part of security operations.

At present, there are several sectoral Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs) and other consortiums that facilitate information sharing to enhance collaboration between the good actors. By combining efforts of disparate teams and becoming a member of such sharing communities, organizations can leverage economies of scale to identify, predict and defend against the smartest threat actors.

It is easy to look at the widely reported labor crunch in the cybersecurity sector as an added challenge for organizations worldwide. However, with every crisis also come new opportunities. Necessity is not only the mother of invention, but also prevention. The famous English proverb could be modified to fit into the existing realities of threat intelligence management. The current scenario presents a golden opportunity for organizations to smartly adapt their threat intelligence practices to hit the two birds of security threats and labor crunch with one stone.

Don't miss