MSPs and Cyber Threat Intelligence (CTI): Five Business Use Cases
“Cyber threat intelligence” is one of those terms that sounds inherently attractive to MSPs; info that helps you deliver smarter and more effective protection for your clients, what’s not to like? But what precisely is it? And more importantly, how can MSPs make use of it as strategic business asset?
Simply put, cyber threat intelligence (CTI) is a collection of information gathered from sources—both human and electronic—that are internal as well as external to your organization. This information is typically processed through some type of evaluation to verify its validity, and then it’s employed to provide context about the conditions necessary for a threat to exploit a vulnerability; it’s also used to determine if the threat is being actively used by threat actors.
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.” Thus for threat intelligence to have context for an MSP, your clients’ organizations must have deficiencies or vulnerabilities (e.g., immature security controls, unpatched or misconfigured hardware/software assets, or undocumented business processes).
Obviously, every organization and its networks have deficiencies; the MSP’s task is to understand these vulnerabilities, have visibility into the risk they place on each of their clients, and prioritize what needs to be remediated first by using strategic services such as CTI.
Where to Acquire CTI
For an MSP to use CTI, it first needs to make some decisions on what sources to use for its threat information. As noted above, MSPs can access multiple sources of threat intelligence, both internal and external:
Internal threat intelligence: This is information that is already within your organization, which your IT team has collected from previous experiences with vulnerabilities, malware incidents and data breaches.
External threat intelligence: To augment your internal sources, you can subscribe to multiple external CTI data sources. Some of these sources are digital data feeds incorporated as a module, or service directly into security endpoint solutions or deployed assets like firewalls and security gateways. Other sources will be in a report format, available through email or a CTI portal.
Five Business Use Cases for CTI
After you have selected the CTI sources for your threat intelligence program, you should consider the following five use cases under which this information can be leveraged to provide value and reduce risk exposure:
1. Improved Network Security Operations: CTI can help boost the performance of your installed technology suite; next-generation firewalls, IDS/IPS systems, and secure web gateways are just some of the technologies that apply rules to block malicious traffic. CTI can be used to validate threat indicators, malware signatures, domain reputations and can help reduce false positives. Using streaming CTI as a service built into your security devices enables you to take advantage of near real-time threat analysis.
2. Patch Management Prioritization: Patch management is a primary security control for MSPs, and has become even more essential as cybercriminals uncover new vulnerabilities. Software vendors work to eliminate those vulnerabilities by releasing frequent patches, and MSPs must rapidly deploy them to block the latest security threats. Unfortunately, this process is time-consuming; even with automated patch management solutions you still need to prioritize which patches to apply.
CTI can help your patch management team more efficiently prioritize patches, enabling them to deploy patches based on vulnerabilities that are being actively exploited and are applicable to the current business environment, rather than based on a CVSS score.
3. Security Operations: Your clients may generate more event alerts than you can properly investigate, forcing you to triage which events need investigation when time permits or which events look normal and may be ignored. Here CTI can provide you situational awareness, attaching risk scores to threat indicators so you’ll know when to query the threat database to investigate a high-priority threat anomaly. You’ll save time and get contextual threat data on the events you’re investigating.
4. Attack/Threat Analysis: CTI can assist your team when they’re responding to an active cyber incident. When the attack is first detected, CTI can provide insight into who may be behind the attack, the tactics, and tools used to initiate the attack and the likely impact on your client’s organization. For example, CTI can be used during your incident response to obtain real-time information when you’re triaging the event and to find recommended procedures to halt the incident and clean up its aftereffects.
5. Triage & Remediation: CTI can be used by your IT team to document and uncover the impact of a breach event. Unfortunately, cybercriminals will conduct attacks in waves using multiple tools and techniques. By using CTI, your team will know which indicators to look for as they search through the debris left after an intrusion incident. Using CTI in this way provides context to IT teams so they can quickly search for and remove any attacker’s residual connections from the network.
While the concept of cyber threat intelligence is compelling in the abstract, its practical benefits make it even more appealing. An important strategic asset for MSPs, CTI enables you to boost the effectiveness and efficiency of your security solutions while delivering greater protection for your clients.