Intelligence Strategist's Corner

Why Sharing Threat
Intelligence Pays

Christopher Porter | Chief Intelligence Strategist, FireEye

One of the most unpleasant surprises any security team can face is not an encounter with a cyber threat group, but a conversation with the C-suite to ask for an out-of-band patch. That means bringing down some key part of the corporate network, vital for either operations or service delivery, and possibly even customer-facing systems.

This means that the decision is not a technical one made by security experts, but a business risk decision made by leaders with very different backgrounds and weighing factors beyond the SOC and boardroom, all of which can leave security practitioners and executives feeling like the decision-making process behind vulnerability management is opaque, and the resulting patch- or no-patch-call uncertain.

The kind of front-office visibility needed to bring systems down out-of-band can often be best achieved in many enterprises only with media attention that puts pressure on leadership to keep up with the actions of their peers. However, a study by the Vulnerability Intelligence team at FireEye found that even specialist media focused on computer security practitioners often does a poor job at picking which vulnerabilities need to be highlighted up the chain of command.

Front Office Visibility

The FireEye Vulnerability Intelligence team analyzed over 4,000 vulnerability-related news articles and found a focus on branded vulnerabilities such as Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-5754) that often had limited impact, were theoretical, or were not being widely deployed.

But a lack of prominent coverage on unbranded vulnerabilities—even if those vulnerabilities were being exploited in the wild—put companies and governments at imminent risk. In the end, they found that roughly two-thirds of media coverage addressed vulnerabilities for which there was no evidence of exploitation by cyber threat groups at all, anywhere in the world. As you might have guessed, the Vulnerability Intelligence team found that the least amount of coverage was given to unbranded but heavily exploited vulnerabilities such as those affecting Apache Struts (CVE-2017-5638) and the equation editor component of Microsoft Office (CVE-2017-11882).

Chart 1

Ironically, when public interest in computer security is high, media coverage—and therefore momentum for tough business decisions such as out-of-band patching—gets even more off-target. Major spikes in media attention on cyber security in 2014 and 2017 followed newsworthy breaches, and slanted coverage of other cyber incidents toward marketable, branded vulnerabilities without raising attention to more serious but unbranded counterparts.

The frustration security teams sometimes feel highlighting these issues for senior leaders is real, and so is the risk. While the dwell time for undetected compromises fell again this year to a global median of 78 days, according to the latest M-Trends report, that still leaves a long tail of potentially damaging operations where every day of quicker remediation, mitigation or patching counts.

Chart 2
Chart 3

As your organization’s security operations mature, be sure to build bonds for sharing threat intelligence and best practices not just with your peers across industry but within your organization’s leadership team as well. Establish a regular cadence for briefings—even if it’s just every few weeks or once a month—where you can explain the risks posed by some of what’s in the news and help your non-technical leaders sort through real risks and differentiate them from those that are just well-marketed. If you need extra context for what others in your industry and around the world are experiencing with regard to a new exploit and how the bad guys may be using it, tap FireEye Expertise on Demand to talk to our expert Vulnerability Intelligence analysts and incident responders. And be ready to learn, from your leadership, how your team’s views on risk differ from institutional business risk decisions.