Creating a Successful Threat Intelligence Program
Cyber threats are relentless and constantly evolving. Staying ahead requires advanced automation and a holistic threat intelligence program (TIP), which together provide a strategic advantage. Three main pillars help your organization advance up the maturity curve: people, process, and technology.
People: Identify the stakeholders who will receive reporting and provide feedback, and involve them in mapping out a process that channels intelligence effectively.
Process: Processes that take threat intelligence to a more strategic level must be developed and agreed upon cross-functionally.
Technology: The technology chosen should deliver on the processes outlined, so that it supports organizational goals.
Climbing the Threat Intel Maturity Curve
Every organization is at its own level of development in its threat intelligence program, but the general stages below help you determine where you are now and what is needed to evolve your program.
Threat Data Collection
Raw data collection is the beginning of any intelligence-gathering process. Data comes from external and internal sources, including open source and commercial threat intelligence feeds, and its relevancy is critical. External data may include reports on IoCs (e.g., from ISACs, the Dark Web, vendors, clients, etc.) relevant to organizational vulnerabilities. Internal data is just as necessary, as it informs intelligence with business-specific threats. Even at the beginning stage of a program, feedback from internal teams that have experienced a security incident should inform the threat intelligence feeds to ensure they are relevant to the business.
Threat Data Processing
Processing, or curating the data down to the threats relevant to your complete environment, is the next stage of development. Even when using only the most relevant sources for incoming data, the volume can be overwhelming, and automation is essential. Security tools save analysts time by automatically weeding through the data for information that is actionable. Well-targeted criteria, based on the organization's own threat experience, optimize this curation, enabling the automation to filter out the noise and produce practical intelligence.
Threat Intelligence Integration
As threat intelligence is a shared resource essential to stakeholders in different business functions, integrating systems will enable more relevant reporting and a better flow of feedback to improve intelligence gathering. Having a solid configuration management database (CMDB) and vulnerability management program is fundamental to integrate systems and processes successfully. Forming a Digital Forensics Investigations team that runs intel feeds against the complete environment can add significantly to actionable cyber threat intelligence.
Once the integration is complete and your organization operates based on the latest threat intelligence, threats can be identified and blocked quickly. In addition to a faster response, insights into the capabilities of threat actors can be gained to thwart attacks at an earlier stage and before they enter the network.
Another advantage of comprehensive integration is the convergence of physical with logical security. A simple use case: someone badges into a facility and then connects to the virtual private network (VPN). The system could raise a flag, since an employee already on the internal network should not need the VPN. The odd behavior could be due to a stolen badge or malicious cyber activity; either way, it would trigger an alert.
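The badge-then-VPN use case above, written as a correlation rule over integrated physical-access and VPN logs. This is an added example, not code from the original article; the event records, field names, and the eight-hour "still on site" window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original article): physical badge
# reads and VPN session starts, as a SIEM might ingest them once the
# physical-security and VPN systems are integrated.
BADGE_EVENTS = [
    {"user": "alice", "time": "2024-03-04T08:02:00", "site": "HQ"},
    {"user": "bob",   "time": "2024-03-04T08:10:00", "site": "HQ"},
]
VPN_EVENTS = [
    {"user": "alice", "time": "2024-03-04T08:30:00", "src_ip": "203.0.113.7"},
    {"user": "bob",   "time": "2024-03-04T17:45:00", "src_ip": "198.51.100.9"},
    {"user": "carol", "time": "2024-03-04T09:00:00", "src_ip": "192.0.2.5"},
]


def find_badge_vpn_conflicts(badge_events, vpn_events, window_hours=8):
    """Flag VPN logins that start within `window_hours` after the same user
    badged into a facility: someone already inside should not need the VPN.
    The window is an assumed typical on-site stay; tune it per site."""
    badges_by_user = {}
    for e in badge_events:
        badges_by_user.setdefault(e["user"], []).append(
            (datetime.fromisoformat(e["time"]), e["site"]))
    alerts = []
    for v in vpn_events:
        vpn_at = datetime.fromisoformat(v["time"])
        for badge_at, site in badges_by_user.get(v["user"], []):
            gap = vpn_at - badge_at
            if timedelta(0) <= gap <= timedelta(hours=window_hours):
                alerts.append({
                    "user": v["user"],
                    "site": site,
                    "src_ip": v["src_ip"],
                    "minutes_since_badge": int(gap.total_seconds() // 60),
                    "reason": "VPN login while badged on site: possible stolen "
                              "badge or compromised credentials",
                })
                break  # one alert per VPN session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_badge_vpn_conflicts(BADGE_EVENTS, VPN_EVENTS):
        print(alert)
```

With the sample data only alice's session is flagged; bob's VPN login falls outside the window and carol never badged in.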
Measuring Threat Intel Effectiveness
Measuring effectiveness is a pillar of a mature threat intelligence program. The two main types of metrics cover the organization's security posture and the team's efficacy in doing its job. The benefits of tracking these areas are better cybersecurity, greater resource productivity, justification of current and future threat intelligence investments, and feedback for continual improvement.
The main focus of measuring effectiveness is to add value so your organization can take action, not simply to tally threats found. The process of tracking itself matters less than what is being tracked. A baseline measurement should be set to compare improvements against, and the metrics tracked should be those your security team has direct control over. Specific measurements may include time to IoC response, the number of campaigns tracked, feed efficacy, etc.
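Two of the metrics named above, feed efficacy and time to IoC response, computed over per-indicator records so they can be compared against a baseline. This is an added example, not from the original article; the record layout and the sample feeds (`isac`, `vendor`) are constructed assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not from the original article): one row per
# indicator a feed delivered, whether it matched internal telemetry, whether
# that match was a true positive, and when it was first seen and contained.
INDICATORS = [
    {"feed": "isac",   "ioc": "198.51.100.23", "matched": True,  "true_positive": True,
     "first_seen": "2024-03-04T09:00:00", "contained": "2024-03-04T09:45:00"},
    {"feed": "isac",   "ioc": "evil.example",  "matched": True,  "true_positive": True,
     "first_seen": "2024-03-05T14:00:00", "contained": "2024-03-05T16:30:00"},
    {"feed": "isac",   "ioc": "203.0.113.9",   "matched": False, "true_positive": False,
     "first_seen": None, "contained": None},
    {"feed": "vendor", "ioc": "192.0.2.77",    "matched": True,  "true_positive": False,
     "first_seen": "2024-03-06T08:00:00", "contained": None},
    {"feed": "vendor", "ioc": "bad.example",   "matched": False, "true_positive": False,
     "first_seen": None, "contained": None},
    {"feed": "vendor", "ioc": "198.51.100.5",  "matched": True,  "true_positive": True,
     "first_seen": "2024-03-07T10:00:00", "contained": "2024-03-07T10:20:00"},
]


def feed_efficacy(indicators):
    """Per feed: share of delivered indicators that produced a true-positive
    match in internal telemetry (0.0 to 1.0), plus false-positive count."""
    stats = {}
    for i in indicators:
        s = stats.setdefault(i["feed"], {"delivered": 0, "true_positives": 0,
                                         "false_positives": 0})
        s["delivered"] += 1
        if i["matched"]:
            s["true_positives" if i["true_positive"] else "false_positives"] += 1
    for s in stats.values():
        s["efficacy"] = round(s["true_positives"] / s["delivered"], 3)
    return stats


def median_minutes_to_response(indicators):
    """Median minutes from first sighting of a true-positive IoC to containment,
    or None when no indicator has been contained yet."""
    minutes = []
    for i in indicators:
        if i["true_positive"] and i["contained"]:
            delta = (datetime.fromisoformat(i["contained"])
                     - datetime.fromisoformat(i["first_seen"]))
            minutes.append(delta.total_seconds() / 60)
    return median(minutes) if minutes else None
```

Record the first run as the baseline; a feed whose efficacy stays near zero over several periods is a candidate for removal, and a rising median response time is a signal to look at the processing stage.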
Strategic Use of Intelligence
The ultimate test of a cyber threat intelligence maturity assessment is whether or not the program is being used strategically. On the cybersecurity front, this includes moving from just the 'what' of threats to the 'who and why' of threat actors, seeing trends in the threat landscape, and weighing the opportunity costs of taking action. On a business level, threat intelligence maturity can lead to collaboration across functional teams, company-wide involvement in technology investment, better risk management, and strategic planning. An effective threat intelligence program can even become a competitive advantage, assuring customers of their data security and protecting a company from devastating breaches.
Learn from industry expert Jimmie Owens, CISO and Vice President, Enterprise Security, at DXC Technology as he shares his insights and journey in cyber threat intelligence through various industries and organization types. Watch the webinar, Climbing the Threat Intelligence Maturity Curve today.