Considerations for Measuring the Return on Investment of Cyber Threat Intelligence

by | Jul 19, 2020 | Blog, Outside Intel

Security operations centers across the world are consumed with how to measure the return on investment of threat intelligence. There are different schools of thought, but we favor a model that measures actionable events.

One main reason we favor actionable-event metrics is that they can be tuned to address the broad range of potential consumers of threat intelligence across the enterprise. With metrics focused on the action taken, both traditional consumers of threat intelligence, such as the SOC, and other users, such as product, fraud, and marketing teams, can demonstrate the value of an investment in threat intelligence.

For this blog post, we will strictly define use cases within the information security landscape.

With hypothesis-led, well-defined use cases that focus on signatures and, more importantly, on behavior, threat hunting programs can operationalize threat intelligence by mapping threats to data sources and to decision matrices that produce alerts and subsequent action.

As a deliverable, a SOC can then measure the actionable alerts derived from threat intelligence against the total alerts. If this metric is captured appropriately, a security program can scale, reducing time to respond while using fewer resources.

Use cases can be mapped to data sets and goals:

After understanding the visibility gaps and determining the appropriate coverage map, it is important for a SOC to decide which use cases matter to it. With these use cases in mind, the SOC can properly prioritize data sources external to its network and make the best use of tools that may be expensive and labor-intensive to integrate into a SIEM.

Common examples include:

  • Company Data in Non-Public Sources
  • Malware Not Detected by Current Security Controls
  • Threat Actor Activity
  • Third Party Compromise

Operationalizing Threat Intelligence

After data sources are aggregated, it is important for a SOC to provide the appropriate decision matrix for when an alert fires.

For example, an actionable alert could be triggered by a behavior such as a user creating a Secure Shell (SSH) tunnel with PuTTY Link (plink) to forward Remote Desktop Protocol (RDP) connections to internal hosts within the target environment, which an analyst then verifies.

A SOC can count actionable alerts against total alerts; if this is captured appropriately, a security program can scale by reducing time to respond with fewer resources. Ideally, a higher share of actionable intelligence alerts would result in fewer alerts tied to actual compromise.
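To make the use case and the metric concrete, here is an added example (not code from the original post) that applies a detection rule for the PuTTY Link (plink) RDP-tunnel behavior to constructed process-creation events and then computes the actionable-to-total alert ratio. The hosts, users, command lines and the period's total alert count are all constructed sample values.

```python
import re

# Constructed process-creation events (not from the original post):
# (host, user, image path, command line). Only plink forwards whose
# destination port is 3389 should raise an alert under the rule below.
SAMPLE_EVENTS = [
    ("ws01", "alice", r"C:\Tools\plink.exe",
     "plink.exe -ssh user@203.0.113.5 -R 3389:10.0.0.7:3389 -N"),
    ("ws02", "bob", r"C:\Tools\plink.exe",
     "plink.exe -ssh user@203.0.113.5 -L 2222:10.0.0.8:22"),
    ("ws03", "carol", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ("srv01", "svc", r"C:\Tools\plink.exe",
     "plink.exe -ssh admin@bastion -R 0.0.0.0:13389:10.0.0.9:3389"),
]
RDP_PORT = 3389
FORWARD_RE = re.compile(r"-[RL]\s*(\S+)")  # -L/-R [laddr:]lport:host:port

def forward_targets(cmdline):
    """Parse every -L/-R spec into (listen, dest_host, dest_port)."""
    targets = []
    for spec in FORWARD_RE.findall(cmdline):
        parts = spec.split(":")
        if len(parts) < 3 or not parts[-1].isdigit():
            continue  # malformed spec: plink would reject it, so skip it
        targets.append((":".join(parts[:-2]), parts[-2], int(parts[-1])))
    return targets

def is_rdp_tunnel(image, cmdline):
    """The use case from the post: plink tunnelling RDP to an internal host."""
    if image.lower().rsplit("\\", 1)[-1] != "plink.exe":
        return False
    return any(p == RDP_PORT for _, _, p in forward_targets(cmdline))

def triage(events):
    """Apply the rule and return (host, user, internal_dest) per alert,
    which is the input an analyst's decision matrix acts on."""
    alerts = []
    for host, user, image, cmdline in events:
        if is_rdp_tunnel(image, cmdline):
            dest = next(h for _, h, p in forward_targets(cmdline) if p == RDP_PORT)
            alerts.append((host, user, dest))
    return alerts

def actionable_metric(events, total_alerts):
    """Actionable (rule-matched, decision taken) alerts against all alerts
    raised in the period: the ratio the post proposes as the ROI measure."""
    actionable = len(triage(events))
    ratio = round(actionable / total_alerts, 3) if total_alerts else 0.0
    return {"actionable": actionable, "total": total_alerts, "ratio": ratio}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(actionable_metric(SAMPLE_EVENTS, total_alerts=40))  # constructed total
```

In practice the event list would come from the SIEM's process-creation telemetry and the total from the period's alert queue, so the ratio can be tracked per use case over time.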
