Considerations for Measuring the Return on Investment of Cyber Threat Intelligence
Security operations centers across the world are consumed with how to measure the return on investment of threat intelligence. There are different schools of thought, but we favor a model that measures actionable events.
One main reason we like actionable events metrics is because they can be tuned to address the broad range of potential users of threat intelligence across the enterprise. With metrics focused on action taken, both traditional threat intelligence consumers like the SOC and users like product, fraud, and marketing can demonstrate the value of an investment in threat intelligence.
For this blog post, we will strictly define use cases within the information security landscape.
With hypothesis-led, defined use cases that focus on signatures and more importantly behavior, threat hunting programs can operationalize threat intelligence by mapping threats to data sources and decision matrices that provide alerts and subsequent action.
As a deliverable, a SOC can then measure the actionable alerts derived from threat intelligence against the total alerts. If captured appropriately, a security program can scale by reducing time to respond with fewer resources.
Use cases can be mapped to data sets and goals:
After understanding the visibility gaps and determining the appropriate coverage map, it’s important for a SOC to determine what use cases are important to them. With these use cases in mind, the SOC can properly prioritize data sources external to their network to make best use of tools that may be expensive and labor intensive to integrate into a SIEM.
Common examples include:
- Company Data in Non-Public Sources
- Malware Not Detected by Current Security Controls
- Threat Actor Activity
- Third Party Compromise
Operationalizing Threat Intelligence
After data sources are aggregated, it’s important for a SOC to provide the appropriate decision matrix when an alert goes off.
For example, an actionable alert could be behaviors like verifying users creating Secure Shell (SSH) tunnels with PuTTY link to forward remote desktop protocol connections to internal hosts within the target environment.
A SOC can count the actionable alerts versus the total alerts and if captured appropriately, a security program can scale by reducing time to respond with fewer resources. Ideally, more actionable intelligence alerts would ideally result in a decrease of alerts related to actual compromise.