​​How to Set Security Budget and Controls to Identify Threats Faster
Published Dec 08 2022 09:00 AM 4,853 Views

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. Long-term security expert, Lauren Podber, who recently joined Microsoft, sat down with us to share her views on how she has used threat intelligence throughout her career and offer perspectives on some current threats.  

 

Brooke: How do you operationalize threat intelligence? 

Lauren: Threat intelligence is a way to bound uncertainty. At a high level, the first thing to do is to identify and prioritize customers. These might be internal, such as your internal detection engineering or risk teams or an executive, or external customers.  

 

The second thing I like to do is to really understand the decisions they need to make in a granular way and get a sense of their responsibilities. For example, a detection engineer might need help prioritizing behavior so they can write detection logic. A risk analyst might want to know if they are looking at the “right” risks given their threat model. An executive might want to right-size the security program, prioritize IT or engineering initiatives, and build confidence in the tooling and datasets their program uses. 

 

The third is to understand in what form your customers want or need their information. An executive might want two paragraphs of clear qualitative synthesis, whereas somebody in a SOC or an investigator might want indicators of compromise, behaviors, or inputs in a different context. 

 

The last thing I try to do is to understand the constraints. What data do you have? Given that, what’s feasible and how good of an answer can you expect to give people?  

 

With those four things -- the customers, the decisions, the form of the information, and the constraints – how do you synthesize that same corpus of information, those threats that you care about, in different ways to meet the different needs of those varying stakeholders? That's where I would start when it comes to operationalizing. 

 
Brooke: How do you get executive leadership buy-in for operationalizing threat intelligence? 

Lauren: Obviously, that is something you refine over time and its ongoing, but I’ve generally relied on four strategies. The first is to clarify the goal and make sure everybody is trying to answer the same question or solve the same problem. Sometimes, leadership will ask a question and it comes in the form of a how versus a what or a why. Make sure you really understand their goal. For example, someone might ask should I block inbound e-mail with a country-specific domain? Maybe, but it depends on what the goal is and what they want to do. Being really clear of what and why versus how is that first thing and making sure you're solving for that.

 

The second strategy is understanding preferences or constraints. There are going to be different ways to achieve that objective. When you think about how to rack and stack, you want to understand those preferences or constraints so that you can account for those. 

 

The third is when you are making a recommendation, communicate how your recommendation achieves that goal, what the pros and cons are, and why you're making that recommendation. Being able to synthesize that clearly is helpful if it makes the logic transparent. 

 

The last thing is being flexible in your thinking and in your discussion. Sometimes, what an intel team thinks makes sense and what your leadership thinks makes sense might be different. You want to be able to understand and account for both. 

 

Establish credibility over time. If you are consistently showing what question you asked and the information used to answer it, and you are clear about the way you came to that conclusion, that helps you build trust and credibility.  

 
Brooke: How does an organization get started on developing a threat intelligence response? 

Lauren: When you are developing threat intelligence, go back to your goal. Who are your customers and what do they need? What you do when you build your threat intelligence program is going to vary so much depending on your consumers. If that consumer is a SOC, the types of questions you ask and the kind of information you disseminate are going to be really different than if you're adding some context for a team that does risk or makes business decisions.  

 

Then, figure out the information you need to answer those questions. Using your own data is always a good starting point. What incidents have you had in the past? What are you seeing in your controls or sensors? Augment that with other information. Prioritize those decisions that people need intel to make or where somebody would benefit from getting threat context. Does that help them generate a hypothesis or build confidence in something or ask different questions? 

 

Over time, assess if you are adding value and shaping or informing decisions that your stakeholders need to make. 

 
 
Brooke: Why is human-operated ransomware such a threat now? 

Lauren: One of the things that makes human-operated ransomware uniquely impactful is that there are people behind these keyboards and they are making decisions at each stage of the compromise based on what they find. Adversaries can pivot in real time to things like a misconfiguration or an overly privileged account. 

 

When you think about specializing cloud or infrastructure, you see this economy of scale because you can develop or build one thing that you are good at and purchase other capabilities or outsource them. Ransomware-as-a-service uses scale the way legitimate businesses do. But in the legitimate world, you have compliance and legal and regulatory and you have barriers to entry whereas attackers get the benefit of that economy of scale without the friction of regulations.  

 

Another reason it is so impactful is the pivot to remote work. In many cases, people rolled out remote work technology without having optimized for security out of necessity and the business criticality of doing that quickly, so there are likely misconfigurations that operators can exploit.  

The last thing is the low barrier to entry. There is no onus on an operator to develop technical acumen or skill, so being able to purchase those capabilities as a commodity and carry out attacks with tactics, techniques and procedures that were once the exclusive purview of a highly resourced or sophisticated actor is insane. You have more capabilities that everybody can buy and here is a larger and more vulnerable attack surface. The bigger the attack surface, the more opportunities for more operators to carry out more attacks. 

 
Brooke: How do you track and measure the value of threat intelligence?  

Lauren: There are the basic components that you would see for any intel: Is it timely? Is it accurate? Is it relevant? Is it in the hands of the right people? 

 

A big question with threat intelligence is understanding whether customers are using the information to inform decisions. You ask stakeholders, “Do you use our intel?” and maybe they say yes, but I think the better question, after they say yes, is to ask, “How?” If a customer can explain, “I use this to prioritize my backlog of detections” or “I use this one input when I'm racking and stacking things in my risk roster,” that gives me confidence that somebody is using it. 

 

There are probably some numeric metrics. Are you detecting the right things? Did threat intelligence inform a hunt hypothesis that led to a finding? 

 

When you're thinking about incident response and you're scoping an incident, are you able to generate a hypothesis more quickly? Those are things that you can't really compare overnight, but over time. You think about, “Hey, is this enabling A-Team to work really well?”  

 

There is probably also a metric around looking at your data or looking at the tools you have. Maybe a CISO or another senior person can ask, “Do I have like the right tools and the right program for security based on the threats that I see, my resources and my risk tolerance?” So, being able to inform your decisions is helpful. None of these are written metrics, but I think if people can explain the decisions they make and use information about threats to inform bigger things like risk or strategy, that's a win. 

 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

Co-Authors
Version history
Last update:
‎Dec 07 2022 10:52 AM
Updated by: