The build/buy dilemma of Cyber Threat Intelligence activities
Part 1: the theoretical pros and cons of each option
As Cyber Threat Intelligence (CTI) activities have developed into a core component of mitigating the risk of cyberattacks, organizations face a business decision that ultimately boils down to a build-or-buy dilemma. Which security functions should be outsourced? What is the business value of developing in-house CTI? Are the technical and human resources involved sustainable in the long term? These are questions every manager should ask when deciding whether to build or outsource a security function. This two-part article examines the generic and vertical, market-driven arguments for either outsourcing or building in-house CTI.
What is CTI and why does it matter?
Cyber Threat Intelligence (CTI) is a form of threat intelligence that is defined by Gartner as “[…] evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.”
CTI activities can be performed at three levels, namely strategic, operational, and tactical, each one bringing a different value to an organization. The tactical and operational CTI may support Security Operations Centers (SOCs) in the triage and prioritization of security alerts. The strategic CTI produces intelligence reports directed to decision-makers needing a threat landscape overview in order to make informed choices.
The business value of having access to actionable intelligence is key to understanding the steady development of these activities within organizations. This growth has been monitored by the SANS Institute in an annual survey that reports the trends and evolution of CTI activities. The results of the survey published in early 2021 show tremendous progress in the use of CTI, which has become a reality for 85% of the respondents, compared to only 60% in 2017. Moreover, the composition of the panel, with a significant portion of small businesses (24% of the respondents working in an organization with fewer than 500 employees), shows that CTI is widely regarded as a norm for enterprises seeking to protect their assets. However, these figures should be taken with caution insofar as the sectors with the highest levels of maturity and awareness of cyber threats (MSSPs, the information sector) are overrepresented. Cybersecurity Service Providers, with more than 70 respondents working in this field, is the industry most represented in the panel.
The pros of outsourcing CTI activities
Actionable Cyber Threat Intelligence relies on a combination of automated tools and human resources able to master these tools. The shortage of highly qualified analysts strengthens the need for automated tools capable of high-level processing of information, measured, for instance, by the ability to identify invalid data that could bias the end-product assessment. A lack of automation can cause internal CTI activities to founder, as evidenced by the 45% of survey respondents who identified the lack of automation and interoperability as the main barrier to the implementation of CTI within their organization. Outsourcing thus avoids wasting scarce human resources on automated tasks that vendors perform more efficiently.
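The kind of automated treatment the paragraph refers to, identifying invalid feed data before it reaches an analyst, can be illustrated with a small validator. The following is an added example, not code from the article or from any vendor: it assumes a constructed CSV-style feed of "type,value,source" lines (the indicators are filler values, not real IoCs), normalizes each entry, rejects malformed or non-routable indicators with a stated reason, and collapses duplicates while recording which sources corroborate each indicator.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed (not real indicators): "type,value,source" per line.
# Hashes are filler hex strings; the IPs come from documentation and private ranges.
SAMPLE_FEED = """\
ip,198.51.100.23,feed-a
ip,10.0.0.5,feed-a
ip,198.51.100.23,feed-b
ip,999.1.1.1,feed-b
domain,Example.TEST,feed-a
domain,localhost,feed-a
domain,not a domain,feed-b
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,feed-a
sha256,deadbeef,feed-b
md5,00000000000000000000000000000000,feed-a
"""

# Ranges that should never appear as external threat indicators; an entry in one
# of these is almost always a parsing error or internal-telemetry leakage.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}  # hex digits per digest
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label
HEX_RE = re.compile(r"^[0-9a-f]+$")


def check_ip(value):
    """Return (normalized, None) for a usable address, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None, "malformed ip"
    if any(ip in net for net in NON_ROUTABLE):
        return None, "non-routable ip"
    return str(ip), None


def check_domain(value):
    """Lower-case the name, drop a trailing dot, and require a sane label structure."""
    name = value.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None, "malformed domain"
    if not all(LABEL_RE.match(label) for label in labels) or not labels[-1].isalpha():
        return None, "malformed domain"
    return name, None


def check_hash(kind, value):
    """Accept only a lower-case hex digest of the exact length for the hash type."""
    digest = value.strip().lower()
    if len(digest) != HASH_LENGTHS[kind] or not HEX_RE.match(digest):
        return None, f"malformed {kind}"
    return digest, None


def validate_feed(text):
    """Parse the feed and return (accepted, rejected).

    accepted maps (type, value) -> sorted list of sources that reported it, so
    duplicates collapse and cross-source corroboration is visible to the analyst.
    rejected is a list of (raw line, reason), useful for measuring feed quality.
    """
    accepted = defaultdict(set)
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            rejected.append((raw, "wrong field count"))
            continue
        kind, value, source = parts
        kind = kind.lower()
        if kind == "ip":
            norm, reason = check_ip(value)
        elif kind == "domain":
            norm, reason = check_domain(value)
        elif kind in HASH_LENGTHS:
            norm, reason = check_hash(kind, value)
        else:
            norm, reason = None, "unknown indicator type"
        if reason:
            rejected.append((raw, reason))
        else:
            accepted[(kind, norm)].add(source)
    return {k: sorted(v) for k, v in accepted.items()}, rejected


if __name__ == "__main__":
    ok, bad = validate_feed(SAMPLE_FEED)
    for (kind, value), sources in ok.items():
        print(f"{kind:7} {value:64} seen in {', '.join(sources)}")
    for raw, reason in bad:
        print(f"REJECTED ({reason}): {raw}")
```

On the sample feed, four indicators survive (the documentation-range IP is reported by both sources) and five entries are rejected with a reason each. The ratio of rejected to accepted lines per source is the sort of quality metric a team would track when deciding whether a paid feed, or the in-house effort to clean a free one, is worth its cost.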
The market for CTI has reached a high level of maturity, and most Managed Security Services Providers (MSSPs) have built offerings that include or are entirely dedicated to CTI. In short, CTI has become a core security service. This paradigm shift provides guarantees regarding the level of expertise of suppliers, who rely on both a workforce trained in threat analysis and high-quality tools that automate low value-added tasks. MSSPs rely on data from external resources (e.g. database subscriptions), which they enrich with primary-source intelligence stemming from their own and their customers’ raw telemetry. This information is highly valuable for organizations seeking a deeper view of the state of the threat in their sector of activity, since the provider offers a panorama of the threat based on concrete elements. Malware detection rules, for instance, are enriched by pooling the internal telemetry of the MSSP’s customers. Since the most relevant threats for a client are the ones targeting the sector in which it operates, outsourcing CTI activities to an MSSP can make sense if the provider’s telemetry and sources focus on the client’s core activity.
Any build-or-buy analysis should focus on the pricing of each option. Putting a price on each option is crucial, yet the figure alone says little about the quality of the service, so a cost-effectiveness analysis is essential. There are two types of costs inherent to the implementation of CTI in a company: 1) set-up costs, 2) running costs.
- Set-up costs: the expenses incurred in the initial phase of the investment to launch the project. They include the acquisition of automated tools, the hiring and training of analysts, and the purchase of external sources as well as their integration within the tools and servers, which is essential to make them interact with internal telemetry. It should be noted that, even though a lot can be accessed via OSINT, the data still need to be selected and processed in order to produce actionable intelligence.
- Running costs: building in-house CTI activities entails running costs at each level of the intelligence cycle. The collection of information to produce intelligence can be fed by free external sources such as open-source CTI feeds or news and media reports. It can also be fueled by specific threat feeds that require a periodic subscription, as these feeds are constantly updated. In the former case, running costs include more processing of the collected information by CTI analysts. In the latter case, costs are shifted upstream, to the collection phase.
On the one hand, in-house CTI capabilities are expensive to develop and maintain. On the other hand, CTI has developed into a core activity within the MSSP ecosystem. Hence, the CTI market is characterized by low margins and economies of scale (service providers distributing costs across clients within the same sector), putting downward pressure on the prices of managed CTI offerings.
In a strategy of differentiation, CTI vendors have developed premium offerings that allow the product to be customized to the customer’s specific needs, for example through the integration of external data streams.
The development of the market for CTI has made it attractive for companies to use specialized vendors. Indeed, the maturity of this segment of security services has made expertise in this area essential for MSSPs whose differentiation has been achieved through attractive pricing and catalog offerings that allow for a higher degree of service customization.
The pros of building in-house CTI activities
Despite a strong diversification of MSSPs’ offerings, an external vendor is not always the solution with the highest added value. Indeed, customization comes at a price that can vary up to threefold depending on the level of sophistication of the offer. Thus, a company’s budgetary constraints can lead it to turn to a generic offer that will not necessarily meet its security needs. A small private company in the defense industry or a public administration may have an obligation to do CTI without having the budget for it. In this case, implementing internal CTI capabilities allows the organization to better meet its needs by targeting more precise requirements, adapted to the sector in which it competes.
Low-tier MSSP packages may remain unattainable for small and medium-sized organizations. Yet performing CTI activities does not necessarily translate into large teams and high-end tools. According to the SANS Institute survey, which covered companies of all sizes in relatively mature sectors, less than half of the respondents’ organizations (44.4%) have a dedicated CTI team, and 13.8% manage CTI with a single individual. Having in-house CTI activities can address the demand for security more effectively and enable organizations to grow at their own pace.
Cyber Threat Intelligence, like any form of intelligence, works as a cycle composed of different phases (planning, collection, processing, analysis, and dissemination). The analysis phase produces finished intelligence reports ready to be disseminated across the organization. Having in-house Cyber Threat Intelligence capabilities makes it easier to disseminate intelligence reports across the different security layers, including SOC analysts, the CISO, and incident response teams. Ultimately, stakeholders working in those areas benefit from working in collaboration with CTI analysts. Companies that operate extensively overseas use information communicated by CTI analysts to educate employees about numerous cyber risks. Likewise, disseminating intelligence across various distribution channels can help build a cybersecurity culture by raising employees’ awareness of the cyber threats targeting the organization they work for. Finally, business stakeholders may benefit from greater flexibility in adjusting CTI requirements when the organization changes direction. A company may also be interested in keeping its current threat intelligence orientation confidential.
The main theoretical arguments regarding this build/buy dilemma are laid out in this first part. The second part introduces the Return on Investment (ROI) component to provide a vertical market-based approach to this issue.