Threat intelligence is an essential component of modern cybersecurity risk management practices. It helps organizations identify, prioritize, and mitigate security risks, and is becoming increasingly mandatory from a compliance perspective.
An example of such a compliance case is ISO 27001:2022, an international standard that provides a framework for Information Security Management Systems (ISMS). ISO 27001 requires organizations to identify and assess information security risks and to implement controls to mitigate those risks. One of the new key controls recommended by the Standard, ISO 27001:2022 Annex A control 5.7, is the use of threat intelligence to examine your threat environment and identify emerging threats, vulnerabilities and potential attack vectors. The standard requires organizations to regularly review and update their risk assessments based on the latest threat intelligence.
Threat intelligence (TI) can assist organizations in making informed decisions about their security posture by providing context to security incidents, thereby helping them to understand the motivations and capabilities of threat actors. This, in turn, enables organizations to prioritize security measures, allocate resources effectively and ultimately build an effective security governance process.
Measuring the effectiveness of threat intelligence processes as part of the broader Governance, Risk, and Compliance (GRC) process is critical to ensure that an organization is effectively managing its security risks. CISOs can use various key performance indicators (KPIs) to measure the effectiveness of their threat intelligence program.
One of the fundamental KPIs is Threat Intelligence Coverage. It measures the percentage of the organization’s systems and assets that are covered by threat intelligence. This KPI provides insight into the organization’s security posture and the extent to which the organization is actually using threat intelligence to identify and mitigate threats. TI data can be used to augment a SIEM, to prevent web-based attacks on WAFs, or to prevent C2 communications on firewalls; an asset counts as covered only where such an integration is in place.
False Positive Rate (FPR) is one of the most important KPIs to track in threat intelligence. This KPI measures the proportion of alerts generated by threat intelligence tools and processes that turn out to be false alarms. A high FPR can indicate that the tools are not effective; a low FPR is generally considered acceptable in the security industry, with 5% or less being the usual benchmark. However, some organizations may require a lower FPR, especially where a false alarm could itself cause significant operational disruption, as when TI is used to block traffic rather than only to alert. In such cases, an FPR of 0.5% or lower may be required.
It’s important to balance a low FPR with a low False Negative Rate (FNR), which measures the share of real threats that are missed; tuning a feed until it raises almost no false alarms usually means it also misses more threats. Achieving a balance between the two metrics is critical for an effective TI process. The FPR is influenced by the quality of the data sources, the accuracy of the TI tools, and the scoring mechanisms used; tuning these factors and their parameters can improve the FPR in real-time detection or prevention.
Another important metric is the ROI of Threat Intelligence, the return on investment of the threat intelligence program. This KPI provides insight into the financial impact of the program and its effectiveness in reducing security risks. The ROI of threat intelligence is calculated by comparing the cost of the threat intelligence program to the financial benefits it provides, such as the savings resulting from the prevention of security incidents or the reduction in incident response time.
To calculate the ROI of Threat Intelligence, the following formula can be used:
ROI of Threat Intelligence (%) = (Financial Benefits of Threat Intelligence – Cost of Threat Intelligence) / Cost of Threat Intelligence × 100
Financial benefits of Threat Intelligence can include:
- Reduction in incident response time and associated costs
- Reduction in costs associated with downtime or business interruption
- Reduction in costs associated with damage to reputation or loss of customer trust
- Reduction in costs associated with fines or penalties resulting from compliance violations
- Reduction in costs associated with fraud or theft
The cost of the Threat Intelligence program can include:
- Cost of acquiring and maintaining threat intelligence tools and services
- Cost of training and hiring staff
- Cost of time and resources spent on threat intelligence activities
Measuring the ROI of Threat Intelligence can provide insight into the effectiveness of the program and help justify the investment in threat intelligence to stakeholders within the organization.
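The three KPIs discussed above (coverage, the FPR/FNR balance, and the ROI formula) worked through in code. This is an added example, not code from the article or from RST Cloud: the event records, asset list, and cost and benefit figures are constructed for illustration, and FPR and FNR are computed with the standard statistical definitions FP/(FP+TN) and FN/(FN+TP), which assumes each event has been given an analyst-confirmed ground truth.

```python
"""KPI calculations for a threat intelligence (TI) programme.

Added example. All figures are constructed for illustration and do not
come from any real programme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One security event: the TI feed's verdict plus the analyst's ground truth."""
    event_id: str
    ti_flagged: bool   # a TI indicator matched this event (alert or block)
    malicious: bool    # analyst-confirmed: was it really a threat?


def confusion_counts(events):
    """Tally true/false positives and negatives from labelled events."""
    tp = sum(1 for e in events if e.ti_flagged and e.malicious)
    fp = sum(1 for e in events if e.ti_flagged and not e.malicious)
    fn = sum(1 for e in events if not e.ti_flagged and e.malicious)
    tn = sum(1 for e in events if not e.ti_flagged and not e.malicious)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def false_positive_rate(counts):
    """FP / (FP + TN): share of benign events the TI feed wrongly flagged."""
    denom = counts["fp"] + counts["tn"]
    return counts["fp"] / denom if denom else 0.0


def false_negative_rate(counts):
    """FN / (FN + TP): share of real threats the TI feed missed."""
    denom = counts["fn"] + counts["tp"]
    return counts["fn"] / denom if denom else 0.0


def coverage(assets):
    """Share of assets that receive TI-enriched monitoring or blocking.

    `assets` maps an asset name to True if TI is applied to it (SIEM
    enrichment, WAF or firewall blocking), otherwise False.
    """
    if not assets:
        return 0.0
    return sum(1 for covered in assets.values() if covered) / len(assets)


def roi_percent(benefits, costs):
    """(benefits - cost) / cost * 100, the article's ROI formula.

    `benefits` and `costs` map a category to an amount in one currency.
    """
    total_benefit = sum(benefits.values())
    total_cost = sum(costs.values())
    if total_cost <= 0:
        raise ValueError("programme cost must be positive to compute ROI")
    return (total_benefit - total_cost) * 100 / total_cost


def kpi_report(events, assets, benefits, costs, fpr_target=0.05):
    """Assemble the KPIs and check the FPR against a target (5% by default,
    0.5% for programmes where a false alarm would disrupt operations)."""
    counts = confusion_counts(events)
    fpr = false_positive_rate(counts)
    fnr = false_negative_rate(counts)
    return {
        "coverage": coverage(assets),
        "fpr": fpr,
        "fnr": fnr,
        "fpr_within_target": fpr <= fpr_target,
        "roi_percent": roi_percent(benefits, costs),
    }


# Constructed sample data (hypothetical): 10 real threats of which the feed
# caught 8, and 90 benign events of which the feed wrongly flagged 3.
SAMPLE_EVENTS = (
    [Event(f"mal-{i}", ti_flagged=i < 8, malicious=True) for i in range(10)]
    + [Event(f"ben-{i}", ti_flagged=i < 3, malicious=False) for i in range(90)]
)

# Constructed asset inventory: 6 of 8 assets have a TI integration.
SAMPLE_ASSETS = {
    "web-prod-01": True, "web-prod-02": True, "api-gw": True,
    "mail-gw": True, "fw-edge": True, "siem": True,
    "ot-hmi-01": False, "legacy-erp": False,
}

# Constructed annual figures using the article's benefit and cost categories.
SAMPLE_BENEFITS = {
    "reduced_incident_response_time": 120_000,
    "downtime_avoided": 200_000,
    "fraud_avoided": 80_000,
}
SAMPLE_COSTS = {
    "tools_and_feeds": 150_000,
    "staff_training_and_hiring": 90_000,
    "analyst_time": 10_000,
}

if __name__ == "__main__":
    for name, value in kpi_report(SAMPLE_EVENTS, SAMPLE_ASSETS,
                                  SAMPLE_BENEFITS, SAMPLE_COSTS).items():
        print(f"{name}: {value}")
```

With the constructed data the FPR is 3.3%, inside the 5% benchmark but not the 0.5% one, while the FNR is 20%: a feed that looks acceptable on false alarms alone is still missing one threat in five, which is the trade-off the FPR/FNR balance is meant to expose. Run the same report after each tuning change to the feed's sources or scoring, so that a drop in FPR is never accepted without checking what happened to FNR.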
In conclusion, threat intelligence plays a critical role in modern cybersecurity risk management practices, helping organizations identify, prioritize, and mitigate security risks. ISO 27001:2022 requires organizations to use threat intelligence as a key control to identify and assess information security risks and regularly update their risk assessments. CISOs can use key performance indicators (KPIs) such as Threat Intelligence Coverage, False Positive Rate (FPR), and ROI of Threat Intelligence to measure the effectiveness of their threat intelligence program. Achieving a balance between a low FPR and low False Negative Rate (FNR) is critical for an effective TI process.
By Anna Mikhaylova, Business Development Director at RST Cloud