
Trend Micro User Research
Discover the Needs of the Person in Charge
CISOs' Needs of Cyber Threat Intelligence
Proposed by HIE User Researcher
Joseph Yeh | Senior UXR
Monly Zhuang | UXR intern
Research Overview
- Project Duration: 2 months
- Conducted in-depth interviews with the most senior security executives of U.S. organizations
- Clarified 3 key TI usage motivations and scenarios, and the E2E processes
- Integrated demand pain points with TM's advantages and proposed 3 key business strategies
- The proposed product value proposition has been officially adopted and released
Research Background
"Threat Intelligence" still remains a critical unknown area
Threat Intelligence (TI) is critical information for VLEs and high-risk industries: it serves not only to reduce the likelihood of a successful attack but also to strengthen crisis response. In the past, Trend Micro focused on threat detection and response and had not yet developed early-stage threat prevention solutions such as "TI".
The Chief Information Security Officer (CISO) plays the pivotal role in deciding whether to acquire a TI solution. This study therefore starts by examining the TI requirements of our main customers, American CISOs, and investigates the forms of TI they use and the processes around them, in order to craft a pertinent product strategy.

Research Objective
In this research, we would like to know...
1. Motivation & Use Cases
2. E2E Process
CISOs' motivation, use cases, and E2E process for applying Cyber Threat Intelligence in their work.
3. Positioning the Trend Product
And find out the most valuable strategy for TM.
Introduction | What is Threat Intelligence
Threat Intelligence is knowledge of attacks and risk

There are 4 types of TI: Strategic, Operational, Tactical, and Technical.
CISOs are more inclined to use Strategic and Operational Threat Intelligence, which is conveyed in human language and carries the information needed for preemptive measures before an attack or for managing the situation after one.
Threat Intelligence can be conveyed in diverse
CISOs are more likely to digest high-level TI through podcasts, blogs, forums, and emails.
Delivery Format
TI Vendors

Research Method
Transform User Interviews to Business Strategies
User Research (1.5 months)
- Interviewee Recruitment
- User Interviews
- Analysis: use cases and E2E processes
Strategy Development (0.5 month)
- Defined Target Audience
- TI Product Value and Purpose
- Key Feature Suggestions
In this research, we interviewed Cyber Security Executive Managers from the U.S.
The participants were selected from the customer list maintained by PM OPS (the team responsible for customer communication).
All members on this list are customers of significant importance, so the PM OPS team holds weekly meetings with them to address issues or gather their requirements.
Research Insight
Use cases, E2E Process
3 Major Use Cases for CISOs to Apply Cyber Threat Intel in Their Work

Use Case 1.
Ensure to Meet Gov. Compliance
The Government (US-CERT) is the primary TI provider
1. Adjust the environment to suit the policy
The Gov. emails TI to CISOs, ranging from vulnerabilities to policies covering all software and endpoint devices. The institute's members need to filter out the related issues and prioritize by severity to decide whether to adjust their environment.
"Sometimes the emails will be marked like red or amber, then I would pay attention to them because they're more likely a serious event. I'll see if that email applies to what we're doing."

2. Enrich the TI community through the reporting mechanism
The US Gov. established a TI community through a reporting mechanism:
- Upon receiving critical or related TI, the enrolled members must follow the instructions, then ask the SOC team to fill out the fixed-format US-CERT questionnaire to confirm the threat is being handled and to enrich the solution for that threat.
- Conversely, if an enrolled member meets a new threat, they also have to fill out the US-CERT questionnaire to enrich the TI community.
"If you encounter a data breach, you need to fill out a questionnaire of US-CERT, because they need to collect that information and deliver it to other CIOs. And the companies that encounter ransomware or a data breach must report to US-CERT within 72 hours."
For CISO, it's also critical to "Play It Safe"
In government institutes, the biggest goal of the CIO/CISO is to keep their job, so decisions tend to be conservative: using products the Gov. recommends or that have a good reputation, and changing the internal environment to meet the policies announced by the Gov.
"I wanted to replace our endpoint protection before, and Deloitte offered 3 best-selling products in the U.S., McAfee, Symantec & Trend Micro; I chose Symantec, not TM, because Gov. hadn't used a TM product before. I didn't want to take the risk of losing my job. I wanted to play it safe."
The problems of meeting the Government's compliance
1. Hard to differentiate the critical TI
The U.S. government established a community that shares comprehensive TI related to the U.S., but the sharing does not depend on each member's environment, which makes it difficult for members to differentiate the items critical to themselves.
“Email usually contains general information and will not send letters for different environments. Sometimes they send too many letters to me, and I can’t tell which one is important”
“A lot of times I do not use the products they mentioned, so I'll just delete them. Like here, we don't use FortiNAC, but here's something about FortiNAC having some problems, so I'll delete this one.”
2. Concern of product reputation (for Trend Micro)
A government CISO chooses security tools from popular brands that have been used before, i.e. with a good reputation, to ensure the decision will not cause any problems. This makes it hard for a new company to play in the field.
Use Case 2.
Report to C-Suite
Explain and then Convince the Top Executive Manager

1. Explain security events/news that occur outside
The C-Suite is concerned about cybersecurity issues, especially when they notice something happening outside, but most of them don't understand the situation and need further explanation.
"When they (C-suites) saw something (cyber events) on the news, they would ask. For example, will we be ransomed by that ransomware? Where does the ransomware come from?"
TI is typically conveyed through general CISO reports
- Only Strategic / Operational TI is conveyed.
- Covers security improvements and security events.
The information the C-Suite needs to know:
- How good is our security posture?
- What is the threat? Would it impact us? What is the impact? What is the plan?


2. Convince them to adjust security policies or investments.
Some critical security investments require significant human resources and funding; executives with a stronger security mindset are easier to convince because they already understand the importance.
"There is often a conflict between operations and security, but everyone reports to the CIO at the same level. Operations may doubt why they need to assist in security. If the C-Suite is more knowledgeable about how to use ransomware news to their advantage, we're more likely to succeed."
The problems of reporting to the C-Suite
Hard to convert TI terminology into vernacular communication.
Most superiors do not understand the technical terminology of information security, so it has to be converted into very plain language. As a result, explanations take a long time, or the chance of investing more in critical security solutions decreases.
Use Case 3.
Monitor & Discuss with SOC Team
The SOC team digests TI both proactively and automatically, via different types of TI.
Proactively digest Strategic / Operational TI through blogs and podcasts
Both the CISO and SOC team members proactively absorb new TI via blogs and podcasts related to cyber security, so that they can keep up to date on security issues and prepare in advance.
"Most of the threat intelligence is directly sent to the CISO through emails (e.g., SolarWinds event)"


Vendors: SANS / DarkReading
"They (SOC) listen to podcasts like the SANS Internet Storm Center, which gives the latest 24-hour updates on things that happened in the cyber world. It's 15-minute news, so I listened to that when going to work. This morning when I was driving in, they mentioned another password manager security issue, LastPass issues, that have gone around."
Automatically feed Tactical / Technical TI into security platforms to enrich the detection & response process
Machine-readable threat intelligence, such as Tactical and Technical TI, is sent directly to the security platform to enrich the detection system.
"One of the engineers at Trend Micro helped to write a PHP script that converts the feeds and imports them into Vision One (Trend Micro's product). It retrieves data every Friday, grabs a new block list & removes the old one. When we have our machines going out and talking to IP addresses which are potentially C&C servers, it'll block any connections and alert us."
"We started doing actual threat Intel with "Insights", which was acquired by "Rapid 7". I had all the feeds sent to Rapid7."
Prioritize: Only the TI related to us matters!
“Criticality” and “Scope” of impact assets are the key factors.
To prioritize Threat Intelligence, they usually consider the criticality and the scope of the affected assets to determine the impact scope of the TI.
For example, if all members of the company use a Mac as their work tool, the scope is large, so Mac-related TI is a high priority.
"I would like to have the TI integrate with assets inventory to see the impact scope... The information can improve their risk management."
"We usually key in the tool we use for searching, business product. If the bulletin of the newsletter was about a tool that we use in-house, we would look to see if we had availability in that piece of software and we would patch."
The "Communication" system must never go down.
Communication tools such as Teams, Slack, and Email are handled as a high priority, because damage to these tools significantly affects the recovery process.
"If it will impact our communication system like email/Teams, you cannot solve problems because you cannot connect with others."
The problems of monitoring & discussing with the SOC team
Too much "irrelevant" information among a bunch of TI materials
The data provided by public TI sources (such as US-CERT), used mainly by businesses and government agencies in the United States, has no filtering system, making it difficult to extract the real key information.
"If the intel is not tailored to your environment, they may not provide substantial help."
"I feel like I cannot get any more value from the open and public feeds. So I had all the feeds sent to Rapid7. I set a profile for our company and our profile says we're manufacturing, so if anything that comes in is related to health care, it'll filter that out. So, I have predefined a company profile, if you will, to identify things that are of interest versus irrelevant things."
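The prioritization rule described above (criticality and scope of the affected assets, communication tools highest, tool-in-use and industry-profile filtering) as a worked example. This is added code, not anything from Trend Micro or the interviewees; the inventory, profile and bulletins are constructed, and the scoring weights are an assumption.

```python
"""Triage TI bulletins against an asset inventory and company profile."""
from dataclasses import dataclass

# Constructed asset inventory: product -> (hosts running it, criticality 1-5).
# Communication tools get the top criticality because they "must never go down".
INVENTORY = {
    "Microsoft Teams": (1200, 5),
    "macOS": (1200, 3),
    "FortiNAC": (0, 0),  # not deployed, as in the interview
}
# Constructed company profile used to drop bulletins aimed at other industries.
PROFILE = {"industry": "manufacturing"}

SEVERITY = {"red": 3, "amber": 2, "green": 1}  # colour coding from the emails


@dataclass
class Bulletin:
    title: str
    product: str
    severity: str       # "red", "amber" or "green"
    industries: tuple   # industries the bulletin targets; () means all


def is_relevant(b: Bulletin) -> bool:
    """Keep only bulletins for products in use and for our industry."""
    hosts, _ = INVENTORY.get(b.product, (0, 0))
    if hosts == 0:
        return False
    return not b.industries or PROFILE["industry"] in b.industries


def priority(b: Bulletin) -> int:
    """Score = severity x asset criticality x scope bucket (1 small .. 3 org-wide)."""
    hosts, crit = INVENTORY[b.product]
    scope = 3 if hosts >= 1000 else 2 if hosts >= 100 else 1
    return SEVERITY[b.severity] * crit * scope


def triage(bulletins):
    """Return the relevant bulletins, highest priority first."""
    return sorted((b for b in bulletins if is_relevant(b)), key=priority, reverse=True)


SAMPLE = [  # constructed sample feed
    Bulletin("FortiNAC auth bypass", "FortiNAC", "red", ()),
    Bulletin("Teams update needed", "Microsoft Teams", "amber", ()),
    Bulletin("macOS kernel bug", "macOS", "red", ()),
    Bulletin("Clinical workstation advisory", "macOS", "red", ("health care",)),
]

if __name__ == "__main__":
    for b in triage(SAMPLE):
        print(priority(b), b.title)
```

The FortiNAC and health-care bulletins are dropped, and the amber Teams bulletin outranks the red macOS one because the communication tool carries higher criticality.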
Summary
The Problems of TI Usage by CISOs
Use case 1: Ensure to Meet Gov. Compliance
1. Hard to differentiate the critical TI
2. Concern of product reputation (for Trend Micro)
Use case 2: Report to C-Suite
3. Hard to convert the TI terminology into vernacular communication.
Use case 3: Monitor and Discuss with SOC team
4. Too much “irrelevant” information among a bunch of TI materials
Business Strategy
Target Audience, Value Proposition, Key Feature
Target Audience:
Government Institute
Build our brand reputation with government organizations and with companies that need to meet government requirements and compliance, so that they prioritize Trend Micro products.

Insight
Gov. has enough resources, and its community can apply and empower the TI solution
- Governments and VLEs have more resources to build mature security teams.
- Due to the inspection system, CIOs and CISOs have a conservative attitude toward investing in information security products.
- The government has a complete TI-sharing community system.
- All government agencies are included in the above sharing system.

Key Feature 1
Support government TI and the Report System
All government institutes in the U.S. need to follow the rules of the gov.
Therefore it would be very convenient if the TI from the gov. could be well organized and the required report generated automatically.
Value Proposition:
Defining the impact of TI
Serve as a TI management platform that helps users import and organize threat intelligence from different sources, and filter it by their "tools in use / industry".
Insight
Filtering out the relevant and prioritizing the critical TI is a must.
- Too much irrelevant information among a bunch of TI materials.
- External threats alone are not valuable enough for the enterprise to take further action.
- Users search "tools used in their environment" or "keywords related to their industry" as their first step.
- The "criticality" and "scope" of impacted assets are the key factors that CISOs and their SOC team consider when prioritizing threat intel and planning action.
Our Advantages
External Threat x Internal Security Posture
The beauty of Trend Micro is that it provides complete risk visibility to help customers assess the potential impact of threats on their environment, especially by clarifying the relationship between the threat (TI) and their assets.
For example, Recorded Future tracks nearly 600 million domains, scans billions of posts and other DNS records, and matches them with the customer's assets to provide a list of risky "internet-facing assets" that helps customers address the risk and take action.
Source: Recorded Future
Key Feature 2
Generate Vernacular Security Reports
Help clients produce strategic/operational TI that is easy to understand, so that it can be explained in reports to the top executive manager.
Covers the below:
- What's the threat?
- What's the impact?
- What's the reaction plan?

Insight
Needs to communicate with the C-Suite through vernacular reports
- Strategic / Operational TI is typically communicated through general CISO reports.
- Top management doesn't understand most internet and cyber terminology.

Integrate with generative AI tools, such as GPT.
Recorded Future AI (2023-04-11)
It is said to be the first threat intel platform powered by artificial intelligence. OpenAI GPT is used as the analysis and report generation engine, leveraging threat intelligence from the Intelligence Cloud and the Insikt Group.
Project Outcome
The value proposition we proposed, "Define the Impact of TI," has been officially adopted and released.


Personal Reflection
Develop specific strategies for selling to government agencies.
In this study, we interviewed top-level cybersecurity executives about their thoughts and actions regarding threat intelligence, gaining highly valuable insights.
However, I believe it is somewhat unfortunate that, although we suggested defining "government agencies" as the primary target group, the research results indicate that government agencies are also the most challenging to win over for new products or brands.
Interestingly, the U.S. government uses some of our other products. Therefore, if given another opportunity, I would like to explore the sales and marketing strategies used for those products to develop more concrete action plans.