Engineering and Staffing a Bleeding Edge Threat Response Program


Automating the Boring, Invigorate the Bored: Engineering and Staffing: Detect ‘19 Series



ANDREW PENSE: All right, good morning.

My name is Andrew Pense.

I work at Horizon Blue Cross Blue Shield of New Jersey.

I'm somewhat of a hybrid analyst.

I do a lot of SOC work.

We're actually centered in the SOC, but I've inherited some threat intel responsibilities over the years.

And when there was a call for talks, it got me thinking about why we were having so much trouble maintaining threat intel staff and why they were having so many challenges communicating with management, showing their effectiveness, showing their value.

And I saw a lot of turnover, a lot of people getting burnt out, frustrated, having been a senior statesman among analysts at Horizon for about seven years.

And then, I came from a background in law enforcement prior to that.

So I got pretty good about reading people and understanding their concerns.

So I felt like a lot of times, I had to hang a psychologist shingle outside my desk rather than a SOC analyst, threat malware reverse engineer, any of that.

So it got me thinking.

We have all these tools.

They're great tools.

They're great technologies.

It's great information.

But our people are where our choke points are at this point.

This has been my experience in my particular organization.

I suspect you're probably seeing a lot of the same things in yours.

So I thought we'd take some time today.

It's going to be fairly low on the technology scale.

The last gentleman, if you were here, probably made your brain hurt.

My brain's still hurting a little bit trying to keep up with him.

I promise you this is a perfect pre-lunch talk, not a lot of tech.

It's fairly human-centric.

So I talked about my bio briefly.

I tried to minimize that because it's not particularly interesting.

I do a little bit of everything.

When I came into Horizon, cybersecurity was like four or five people.

We're now in the mid 40s.

So the nice thing about that is I've been able to wear a lot of different hats.

And it's an honor that a lot of people in my organization consider me a subject matter expert in a lot of these different things.

And the reason it's an honor is because when I stepped foot in the door, I just spent 14 years in uniform.

I really had no idea what I was doing.

They brought me in mostly as a CSIRT guy because I had the technical knowledge.

I was doing computer forensics for the last few years of my law enforcement career.

But besides that, I didn't have much.

I was interested as a very amateurish hacker guy on my own home machines.

And then, I was just really good at EnCase, FTK.

But at the time, my leadership was really strong, in the sense that the way I got into the threat intel lane within my organization was, my CSO came to me and said, what do you know about STIX-TAXII feeds?

And I said absolutely nothing.

I have no idea.

Never even heard of them.

And he was a great leader.

He said, OK.

Well, you're now the subject matter expert, after I just expressed to him that I knew nothing about it.

And the reason that's a great model is because he not only didn't shame me for not knowing the space, he encouraged me not just to get up to speed, but become a leader in the space.

So I'm hoping if we can take that model back to some of our folks, if it helps one or two threat analysts out there or their bosses keep their people motivated and happy and excited about coming into work, then we're all better off.

What do I do from non-academic stuff?

I'm a musician.

I was a drummer by trade for 20 years.

Two babies enter the picture.

Can't play drums in the house anymore.

Started to learn piano, guitar.

The reason I bring that up is, I tend to be an autodidactic learner, hands-on.

I could listen to lectures all day and walk away with nothing.

But give me the tool and I'm off to the races.

And I adopted a similar model for technical problems.

And I guess it's both a failure and also a great thing that I'm insatiably curious.

You talk to a lot of cyber professionals, and they're really well-versed in one particular lane.

You ask them about something else, and they don't know much about it, which is fine.

But I'm always wondering, why are they not more curious about it?

So rather than focus on my achievements, or what I've been able to overcome as far as deficiencies in a quick amount of time, maybe we should be considering our weaknesses and our folks' weaknesses as a strength.

They're learning opportunities.

I have a lot of clip art in here.

When a CSO tells a VP, hey, we've got a threat intel program that we're standing up.

A lot of times, this is probably what they're thinking.

A lot wrong in this picture quantitatively, of course.

You're never going to get funding for that many people right off the bat.

And also, there's a few people smiling.

So right away, not a good representation of what a threat intel program looks like.

What does it feel like when you're sitting in the chair?

A little bit more like this.

I have no idea what I'm doing.

I'm hopeless.

But the good news is I'm the subject matter expert in this hopelessness.

I know we're up against it. I promised to get you out of here in time for chow.

Where do we get our analysts?

Do we want full-time employees versus contractors?

I would argue for full-time employees.

They tend to be more invested in their career.

Contractors are always worried about what's going to happen in six months.

What are we going to look like in a year?

However, I understand the market.

It's tough to get good people.

So if a contractor is the right fit, then that's great.

At Horizon, we do a lot of provider fraud.

I move into that space from time to time, but we've recovered millions of dollars a year in provider fraud, which basically means, if you're not in the health care vertical, an absurd example is a doctor giving nose jobs but charging for heart transplants.

They monitor these things over time and then eventually, take either legal action or a settlement.

My point here being that maybe your next threat analyst isn't in the cybersecurity space at all right now.

Maybe they're already in your building and they're performing functions like fraud analysts, your engineers, automaters, people that are really good at seeing a problem and knowing an automated way to code.

So in my opinion, they don't have to have that CISSP.

They don't have to have that strong networking background. If you think they have a good natural instinct for investigating or assessing a threat, then the other stuff can come easily.

You can get them trained in the specialized areas.

So don't be afraid to think outside of the cyber box.

I'd like to think of the life of a threat analyst in three big phases, assuming you're building a program or maybe you're just having some new threat analysts come up.

You started off small.

Crawl before you walk.

You won't be doing any TI while you're crawling.

But as you start to walk, this can be a very, almost pedantic, pedestrian function.

And we've had these.

We've had analysts come in.

They were assigned to concentrate on our threat intel.

And literally, all they would do is read emails all day from MS-ISAC, NH-ISAC, the other ISACs.

NJCCIC is what we have in New Jersey.

And literally read those one by one, identify any observables that they thought might be pertinent to the environment or targeted our specific vertical and pass them on to more senior management.

It gets laughed at a lot or minimized like, all that person is doing is reading emails.

True, but behind the scenes, what they're doing is they're getting a sense of threat.

What the threat actually feels like, looks like.

They see the same campaigns over and over again.

Tapping on my law enforcement career for a second, they start to get a sense of the streets.

There's a reason that, when you send a police officer to a certain district over and over and over again, as boring as they may find it, they can very quickly identify when something's out of place.

This just doesn't feel right.

The metaphor they use a lot is, the hairs on your arms go up.

But that's Phase 1.

I'm not saying analysts should start here, but they should at least spend some time in this space, the very non-automated, manual process of reading threats.

And it will also help them flesh out, are they interested in the space at all?

They might be reading emails for six months and go, this just isn't my bag.

So you're vetting out the people that are not a good match.

You can place them in other positions within your cybersecurity architecture.

So it boosts their confidence.

And they get, I believe, exponential growth in cyber wisdom because they're looking at all types of threats.

Can't understand and respond to threat intel without knowing a little bit about malware, without knowing a little bit about networking, email.

The old joke, the weakest component is the person between the keyboard and the chair.

So it's growing their confidence.

And also, I'm using a metaphor here, right now they're just a dumbwaiter.

They're seeing incidents.

They're tossing something to the side.

And a few, they're escalating to whoever they escalate to, whether it's a security operation center, their manager, whoever it might be.

So they're just not giving you a lot of context.

They're just saying, hey, I saw this.

I think you should know about it, which is fine for Phase 1.

That's all we're asking for out of Phase 1.

So I believe the critical part of Phase 1 is mentoring.

If they just keep sending this stuff up and they're not getting feedback, or you have that one salty senior SOC analyst who goes, we already blocked that six months ago.

Or we blocked that whole geolocation.

Like the schadenfreude, throwing shade at them that they don't know that.

That's the only way they learn and it thickens their skin a little bit.

And it also lets them understand a little bit of the political architecture that they're working within.

So those can be tough times for the more junior, new threat analysts, but it's important to have that mentor relationship.

And hopefully, even if that mentor-mentee relationship starts off a little rocky, they find that happy place.

And I believe both individuals are better for it.

So now, hopefully, my animation shall...

There we go.

So now, in dog years, your mid 20s, early 30s.

Right now, you're a strong Phase 2 threat analyst.

And you're getting better and better about identifying those indicators that are particular threats to your organization, and how quickly you can process them.

And you're also sending less and less low-fidelity or less relevant indicators up the chain, and you're recognizing the ones that do need to be escalated a lot faster.

We spoke about this a little bit.

They start to recognize attack patterns as they relate to target, geolocation.

They're starting to know their hacker groups.

There's a million different terms, acronyms that they need to learn.

That's where they are at Phase 2.

You're not going to throw an acronym at them that they don't know.

They're getting much more comfortable at it.

At this point, they've probably decided whether this space is for them or not.

So now, we're talking about getting rebuffed several times for low-value tickets, but they're growing out of that.

They're getting better at it, or they're at least getting better at navigating those relationships with internal contacts within your team.

Senior members here, whether your senior member is your direct manager, your CSO, or maybe it's just a peer in the Threat Analysis group or if your security operations center runs the show, they have a big responsibility too.

Because those junior to mid-level threat analysts are probably going to end up in a stronger role within the organization, whether it's in the security operations center.

They might be the CSIRT in six months or a year.

So they have the responsibility to, even if they're not their direct manager, kind of motivate them, understand where their weaknesses are, and help them with them, and also encourage them to start to specialize.

So on our next slide, I'll talk a little bit about how that specialization works.

Nobody can look at threat intel all day and not get a little bored, or go through their threat intel tool without getting a little bit bored.

But they start to find things that really excite them.

We see, similar to the last presentation, a campaign can really be broken down, and once you start understanding these on a granular level, these analysts are saying, wow.

I'm really interested in this malware reversing or insider threat.

I tend to do a lot of insider threat, just based on my background and where I sit.

Maybe they really like networking.

Maybe cybersecurity's not for them, but they really like a different part of IT-- networking, outages, business outages, that kind of thing, and handling those events.

So it can be a springboard to pretty much anything.

And hopefully, they stay in your organization.

So even if you lose them down the road as a threat analyst, you now have someone with a great cyber-minded background in your organization.

So we talked about mentoring.

The important thing here is, and I kind of built this talk around the frustrations I was seeing in my own organization, there wasn't a real clear path.

You come in for an interview and you maybe have a CISSP, and you did some SOC work.

And we say, well, the position we have open is for threat analyst, and we put you in the chair.

And then we didn't really make it clear to you what your path could be, what it could look like.

That's the biggest challenge.

It's definitely a challenge in our organization.

We're getting better at it, but we have miles to go as far as where we can go.

So the important part there is the encouragement part.

Specialization, too.

So what you'll notice as we go from phase 2 to phase 3, the threat analyst, or the threat intel team as a whole, is now morphing into something more than just threat intel.

At this point, they may not be escalating tickets to you at all, or at a very minimal basis, or only when it's at a CSIRT critical level.

The reason that's happening is because now, this team feels more comfortable.

They've been looking at this stuff for a long time.

They recognize when it's just space junk.

And now you've also started to train them in specialized areas.

So the good news here is it lowers your SOC volume and people are getting more comfortable.

And finally, I kind of alluded to this in the last slide.

Instead of that dumbwaiter, you've got really targeted escalations.

Fast, much smaller, and getting to where they need to go, whether it's adjusting a critical control, escalation to a SOC, getting much more targeted, much faster, much more intelligent.

So the reason we approached this problem is we were seeing a lot of this, right-- burnout.

These threat analysts are tired of doing the same thing every day, or maybe they're tired of getting rebuffed by someone who's more technically knowledgeable than them, and they get burnt out.

So how do we avoid that burnout?

This would be my proposal.


Say, OK.

I've noticed you've been here, whatever, a year, year and a half, and you're enjoying the threat intel space, but it's getting a little bit mundane for you.

But you have a real keen interest in malware.

Send them to a SANS class.

Send them to an (ISC)² class, something that really may be outside of the threat intel lane, but it's something they're very interested in.

And the old joke is, and I think you'll see it on another slide, why train someone, and they're just going to get better and better, and well-rounded, and have a great resume, and then they leave?

We have that problem with such high turnover in cyber security.

And it's an old saying, but I think it holds true.

What if you don't train them, and they stay?

So you have that same threat analyst that is just looking at indicators for years and years.

One of two things is going to happen.

They're going to leave or something's going to get missed, because you can't just keep doing the same job over and over again without being excited about at least one subsection of that job you're doing.

What I thought was interesting-- and this is not specific to Horizon, and I think this is an HR problem in general-- I experienced this myself.

When I left law enforcement, I was single.

Retired with a back injury.

Within a year, I thought I was going to get a part-time job at Home Depot or something.

I had a couple other colleagues who were injured, but nice little pension, enough to pay the bills.

So they would just get a mundane job, something that put a little extra spending money in their pocket.

A year later, I'm at Horizon, about to be married with a baby on the way.

So I had the motivation built in.

I didn't need to be super excited about threat intelligence; I had to be.

So I started taking on more and more-- policy and program integrity, the threat intelligence, the SOC piece of it, the CSIRT piece of it.

What is the reward that we give to our people?

So if this is your worker population, and this is scalable.

So you might have three people that make up your whole cyber program, or you might have 300.

But the top 10% of those people-- how do we reward them for doing an excellent job over, and over, and over, and being passionate?

Yell it out if you have a thought.

What do those people get?

Do they get the raise, and the promotion, and the title right away, and the corner office?


They get more work.

That's your top 10%.

The rest of your folks-- and then, of course, you have your bottom 10%.

Going back to that contractor versus full-time employee model, we spend so little time on vetting and interviewing, and we have to.

We have to fill a position or it might go away.

We might lose funding.

So we really don't get a lot of time to spend with people.

So sometimes, within the first few weeks, you say, oh, this may not have been our best hire ever-- right?

Those are kind of your bottom 10%.

Not that they're bad people, it's just that for whatever reason, they're not excelling.

So those are two extremes.

You got your top 10%, your bottom 10%, and the rest-- I skipped the middle, but the rest are kind of just your average Joe, cleanup hitter kind of guys, solid performers, and are fairly happy.

But what I find is quite interesting.

That top 10% is going to keep doing more work.

They're going to keep getting better.

And they're going to be more and more involved and passionate.

They've run up against all the political things that they have to navigate.

They've gone through several classes.

They're getting highly specialized.

And the way we reward them is, you did such a great job on that.

Hey, what do you know about a [INAUDIBLE] feed, right?

So that's great, but it only lasts for so long.

If the only thing that they're getting as a reward for being that top 10% is more work, then common sense would say, oh, they're going to start to slide down into that big yellow bucket.

But studies have shown that that's not actually what happens.

What they do is, going back to my elevator metaphor, they take that elevator immediately down to that red section.

It's the old office cliche.

I can't take it anymore, whether it's friction with a particular manager or a process.

They kind of shoot right down there to the red.

And it's tough to get somebody in the red back up even to the yellow.

So that's what we're going to avoid-- the burnout.

How we doing on time?

So how does burnout work?

Sometimes, it's obvious, like this gentleman is not having a good day.

And that goes back to that mentor relationship.

Somebody on his team should have recognized, or at least heard-- and this is, I believe, based on a skit, so I'm not emoting with this particular gentleman.

But something was missed.

Something was boiling up inside him or her for a long time.

That's one risk, or the one way burnout will manifest itself.

And the other one, more nefarious, is the opposite.

People don't change.

They don't change the way they act.

They don't change their throughput.

But their soul has left the building.

Their body is there, but their mind and soul have left the building.

And you may not notice.

If you're just walking by this office every day, oh, there's Charlie.

He's hard at work as usual.

AUDIENCE: Wouldn't their throughput just get slower, and slower, and slower?

AUDIENCE: It's missed and you don't see it.

You get stagnation.

So if anyone here is in a managerial role directly over a threat analyst, it might be easy to become frustrated with them.

It's a baseball metaphor.

Baseball, you only have to hit one in three.

I'm not a sports guy, so I'm going to mangle this.

But if you get one hit every three at-bats, you're doing really well.

Threat intel people really have to be like 9 out of 10 or even higher, right?

You're going to miss indicators.

You're going to miss campaigns.

And some of them could cost you.

Some could make you just look bad, and in the worst-case scenario, a breach or a compromise.

So before you have these one-on-one mentoring relationships, meetings, performance evaluations with everybody-- I believe everybody just has so much disdain for performance evaluations because usually the person sitting in front of you, a lot of times, has no idea what you do eight hours out of the day.

Maybe they see something on a PowerPoint slide.

This is just a reminder of what we're asking threat intel to do.

It's not just looking at indicators.

There's a lot of inner working parts, and they have to kind of be responsible for all of them, especially as they escalate up those phases.

So we've talked about escalation to the SOC.

So I believe that [INAUDIBLE] scaling up of the mentor relationship.

You have to have a threat intel program that is closely married with incident response, whether that's larger IT infrastructure, break/fix type stuff, or security-specific stuff.

So these efforts have to be coalesced.

And as we saw before, this may be a natural evolution.

Your threat intel program may become your de facto SOC or your de facto CSIRT.

So these two teams work together and they fuse together.

Now, even the SOC is kicking down some threat intel based on tools.

If you're looking at something like a Malware Information Sharing Platform, you say, hey, it's great you just collected that in Russia, but our AV tool, it keeps spitting out the same hash, or the same executable that's associated with [INAUDIBLE] or a particular campaign.

So now you have a bi-directional traffic flow.

And hopefully, that's facilitated by those good relationships that you built with the mentor-mentee relationship.

And this reduces latency.

Our big thing in the CSIRT or CERT world is, truncate that detect-and-contain time, right?

So a good marriage of threat intel and IR is going to speed that up.

The balance is the tricky part.

You have to have a good balance of threat intel and incident response.

And this can be tough, because it could all be one person.

It could be two teams of 300 people that are working in disparate locations.

This can be tough.

So this would be my visual example of, you have too much threat intelligence, but not enough people, or not enough functionality, or automation to get it there.

Beautiful, big, powerful truck, but not going to get through an off-road course.

So all brains, no rubber where it meets the road.

Opposite-- you have great IR.

They're ready to go at a moment's notice.

You have a 24 by 7 MSSP that will call you with anything, any anomalies.

But you don't have enough threat intel behind that to really make it an effective incident response.


I throw this in here to demonstrate one of the ways you can incentivize threat analysts.

Network building, trusted circles.

So hopefully, you're using a threat intel platform.

We're a ThreatStream customer.

That's our main tool.

And my effort has been, and will continue to be, OK, we're getting really good at consuming them, recognizing the ones that are important for our organization.

But I need to start sharing back.

I need to start being a good community partner.

And the reason that I believe the threat intel analysts benefit from this is the networking.

Unfortunately, from an HR perspective, it might mean you lose them down the line because they establish good relationships.

For those not familiar, we're Horizon Blue Cross Blue Shield of New Jersey.

A lot of you probably have insurance through your state's Blue program, the associations in all 50 states.

But there's a lot of networking that goes on.

So building those trusted circles within your particular larger organization is important, and then across the vertical.

So we're also in not a Discord server, but We Secrets.

It's a chat room for any threat intel or SOC person in the health care vertical.

So that's where you got to be kind of careful of this collaboration and establishment of trusted circles because a lot of people you're talking to, although you have the same mission goal, they're competition.

So you have to be careful what you disclose.

If you're detonating malware and sharing those indicators with the rest of the world, you want to think about your attribution.

Do you want to make this non-attributable?

So you're just saying, I'm not telling you we got hit with this, but be on the lookout for that.

So that requires a lot of tuning.

And who knows those spaces better than those phase 3 threat analysts who have been in this space for a while and can really say what's public knowledge already.

We don't want to give away any secrets.

So I think we spoke about that.

Don't expose your gaps to competition, but at the same time, being a good community partner.

And worse than not sharing back threat intel is sharing back not really useful threat intel.

A lot of stuff is automated.

A lot of this stuff is performed by junior analysts.

So you're going to get some junk in there.

We had a young lady who was a threat analyst, and she was definitely a phase 1-- our whole program was in phase 1-- and she was reading all those emails.

And somebody had put an IP address as part of a campaign.

She saw it.

She saw that activity in our firewall, and said, it's an escalation.

Dangerous IOC, and it's landed here at home.

I'm going to send this over to the SOC.

Well, bad news was it was an internal IP address.

And we were very early in the maturity phase of this whole bifurcation.

We were growing at an exponential pace.

Remember, I mentioned we went from 5 to 40 in like two and a half years.

So at that point, threat intel analysts were allowed to just send whatever they wanted over to engineering.

Hey, block this IP.

Well, you block an internal IP, depending on what it is, things are going to break.

But it goes back to that mentor relationship.

As they get comfortable with creating their own tickets, first, you have to make a decision, as a team leader, do you want them to?

And you have to observe them for a while, too.

But it's going to empower them.

There's a certain feeling of accomplishment when they say, I saw a threat, didn't need to consult with anybody, and introduced a compensating control that hopefully protects my organization.

So training.

Best way to motivate anyone, especially in the cybersecurity space, where it's kind of more important what certs you've had rather than where you went to college.

It's all a cert game, so let's train them.

We talked about this.

You want to train them and hopefully, they stay.

And if they don't, not a big loss.

You have those training dollars, and now you know how to better allocate them.

As they get specialized, so as they become these malware specialists, or maybe they love the networking side, or maybe they're nation-state people who know all about what China's up to, or what North Korea's up to, or where they like to proxy off of and all that, what are some of things we could train these people in?

They're hopefully phase 3 threat intel analysts at this point.

So again, understanding the employees' needs.

What are they interested in?

Are they good coders?

Are they bad coders?

Would some Python help them out, or one of the other scripted, interpreted languages?

You could get them a threat intel-specific certification if you wanted.

There's not a lot out there that I'm aware of, but everybody loves a good SANS cert, or maybe if they're getting interested in the attacker space, even the CEH, Security+, whatever they might need.

So I know this is four phases, but this is kind of that phase 1 through 3.

Hopefully, the mind map.

You start just reading emails.

This is where your TIP, or in our case, ThreatStream-- where your tool comes in.

You want to start automating the consumption of those feeds.

And now you're combining the automation, so you're taking those ingested indicators and maybe automatically opening up a service desk ticket.

And then at the end, hopefully you have end-to-end IOC response where the analyst is kind of out of all the busy work, and all they're doing is essentially threat hunting.

So they see a threat land, and now they say, OK.

That came, so what can I predict may come next?

Anybody else ever been involved in having to prepare a threat intel metrics deck for a CSO director, and it's essentially just looking at emails and grabbing screenshots?

It's the grade school equivalent of cutting out articles from the newspaper.

I doubt kids do that anymore because nobody gets the newspaper, but I can remember doing it.

So the idea of automation is, let's get away from this.

This might be interesting.

I'm going to put this on a PowerPoint slide.

And depending on your CSO's mood that day, he may say, oh, that's interesting, or he'd say, why do I care?

And hopefully, at this phase, if he or she asks, why do I care, you better have a good answer.

So the whole idea of automation, and where we've been able to use our TIP, our ThreatStream, to pretty good efficacy, is getting away from this and get automated.

So again, this is another graphical representation of, you run and tell your CSO, hey, we're fully automated with our threat intel ingestion, coalescence, collaboration, response.

It looks like this.

This is how awesome it is.

The tool's doing all these things.

They're delivering all the indicators where they need to be, checking for outcomes.

Everything's beautiful.

And the analysts can just sit back and wait for it to spit out.

Now, when you start automation, it's probably going to look a little bit more like this, just going back and forth.

Any PC gamers in the room, computer games?

Factorio-- great game.

If you have a mind like mine, you'll love it.

But that's where I grabbed these GIFs.

So not to tell you how to play the game, but basically, this train needs to be fueled, and it also needs to pick up those copper plates.

What's the right answer?

Well, move one of those what they call inserters.

So be careful when you go claiming that you're fully automated.

It's OK to make it a little sexy, but make sure that you're not overselling it.

So that's where your TIP-- or your Threat Intelligence Platform-- comes in.

It can scale the ability of that analyst to do their job exponentially.

So instead of having to read all those-- hopefully they're not reading those emails anymore.

Hopefully they're just looking at the output of a tool at this point.


Pardon me.

So what can you use?

And obviously, it's a ThreatStream conference, so I'm a big fan.

There are other offerings out there.

You could go open source with Soltra, something like that.

So you might be listening to all this and say, hey, that's great.

But my cyber security shop is six people.

So you're telling me I got to send five of those into the threat intelligence world?


It's absolutely scalable.

You can do it with one person.

That person can even not be 100% dedicated.

Maybe they spend half their day doing threat intel and half their day doing SOC work.

Because the conundrum is, how many threat analysts do you need?

Well, let me ask you this.

How many do you have working on it today?

Might be varied answers in the room-- two, three.

You need that times 10.

You really need 30 people, but you're never going to get them, so that's where your TIP comes in.

That's where your tool comes in.

So how many do we need?

At least one.

I would recommend, even if they're going to be kind of cross-pollinating with the security operations center or CSIRT at some time, give them that leverage to be a full-time threat intel person, at least for a period of time.

So that's a question for you.

Does that one person or that handful of people need to be dedicated full-time?

I would argue not necessarily, but the more dedication and the more space you can give them, the better.

Got a few minutes left.

I'll just talk real briefly about scaling.

And you'll see how these threat intel analysts will kind of blossom.

So at the beginning, you might have a CSIRT, a SOC in the middle, and you have, just for this demonstration's purpose, three threat intel analysts that are feeding information into them, escalated incidents.

And then as you move into like phase 2, they're starting to get specialized.

You might have one analyst that's really good at social engineering campaigns, recognizing them, down to the letter, knowing who might fall for this particular one, and maybe they'd suggest targeted communication awareness to a particular business unit.

You might have another threat analyst that's getting really good at malware research or dipping their toes in the vulnerability world.

And in my org, threat and vulnerability management are one team.

They have dedicated roles, but they're one conglomerate.

And then you might have that network specialist.

So you can kind of break up what IOCs you want to ingest based on that analyst's specialization.

The network guy might handle all the IP info.

The email person might say, I'll handle all the email senders, attachments, that kind of thing.

And then your malware guy or girl might concentrate on hashes, mutexes, filenames, things like that.

Some good training.

If you see your analyst start to fall into these specializations, just some of the training that you might want to send them to.

And you notice that it kind of flips on its head.

So now, as you get a well-staffed TI staff, that is phase 3, now they become the de facto SOC.

And they're kind of running the show.

They're making a lot of changes on their own.

They're responding to threats in real time.

And these other teams that they essentially kind of reported to earlier are now ancillary.

They're not reporting to them, but everything's becoming more equal.

And what's interesting in those four groups-- threat intel, security operations center, engineering, policy-- as far as it aligns with the framework, these are all detect functions.

So I would argue that the detect phase of the incident response is the most important.

And we spoke about this.

If you only have one person you can put in a TI role, maybe if you're rolling out a new TI program, that's absolutely fine.

Obviously, it's going to scale slower, but it can be done.

Just keep in mind, going back to that "A day in the life" slide, that now, they're the one.

They're the person.


Bring your tool in.

Get it tuned right, because then you can do a lot more with fewer people.

Lower that latency, detection time.

Less time for everybody.

If you want to lower those detection times, you're going to need a lot better automation integration, machine learning, and this is where your tool comes in.

For example, instead of reading all those emails, wouldn't it be great if you had a tool that digested all those emails, parsed out the indicators, looked in your environment-- through firewall logs, AV logs-- and said, did any of the indicators that were in this bulletin land here at home?

Well, your TIP-- in my case, it's ThreatStream-- can do just that.

So how long would it have taken me to read all those emails?

Probably at least an hour.

Now we have a Splunk integration.

It goes right in.

So they can start their triage right there.

All right, guys.

Well, thank you so much for attending.

Enjoy lunch.
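The bulletin-to-indicator-to-log check the speaker describes (digest the email, pull out the indicators, look for them in firewall and AV logs, report what landed at home) is the core of what a TIP automates. As an added illustration, not the speaker's code and not ThreatStream's, here is a minimal Python version of that loop. The bulletin text and the log lines are constructed for the example, the defanging conventions (`hxxp`, `[.]`) are the common ones seen in shared advisories, and the `own_domains` allowlist is my own assumption about how to keep an organization's own domain out of the indicator set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# Constructed sample bulletin (not a real advisory). Indicators are defanged
# the way many feeds defang them, so the parser refangs before matching.
SAMPLE_BULLETIN = """\
Subject: Weekly threat bulletin (constructed example)

Observed C2 infrastructure: hxxp://malware-updates[.]example[.]net/check
Second-stage host: 203[.]0[.]113[.]42
Dropper SHA256: 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
Benign mention of our own domain example.com should not match anything.
"""

# Constructed firewall / proxy / AV log lines in a generic key=value style.
SAMPLE_LOGS = [
    "2019-09-30T10:01:02Z fw src=10.0.0.15 dst=203.0.113.42 dport=443 action=allow",
    "2019-09-30T10:01:09Z fw src=10.0.0.22 dst=198.51.100.7 dport=80 action=allow",
    "2019-09-30T10:02:31Z proxy user=jdoe url=http://malware-updates.example.net/check status=200",
    "2019-09-30T10:05:00Z av host=ws-0412 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 verdict=quarantined",
    "2019-09-30T10:06:12Z proxy user=asmith url=https://intranet.example.com/ status=200",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text: str) -> str:
    """Undo the usual defanging so indicators compare equal to what logs record."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def extract_indicators(text: str, own_domains: Sequence[str] = ()) -> Dict[str, Set[str]]:
    """Pull IPv4 addresses, SHA-256 hashes and domains out of free text.

    Everything is lowercased so hash case in the bulletin vs. the AV log does
    not matter. own_domains (assumed allowlist) drops the organization's own
    domain when the bulletin merely mentions it.
    """
    t = refang(text).lower()
    own = {d.lower() for d in own_domains}
    return {
        "ipv4": set(IPV4_RE.findall(t)),
        "sha256": set(SHA256_RE.findall(t)),
        "domain": {d for d in DOMAIN_RE.findall(t) if d not in own},
    }


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index into the log list
    kind: str         # ipv4 / sha256 / domain
    indicator: str
    line: str


def match_logs(iocs: Dict[str, Set[str]], log_lines: Sequence[str]) -> List[Hit]:
    """Tokenize each log line with the same extractors and intersect with the IOC set.

    Comparing whole tokens rather than substrings is what keeps example.com
    from "matching" intranet.example.com.
    """
    hits: List[Hit] = []
    for n, line in enumerate(log_lines, 1):
        tokens = extract_indicators(line)
        for kind, wanted in iocs.items():
            for ind in sorted(tokens[kind] & wanted):
                hits.append(Hit(n, kind, ind, line))
    return hits


def triage_bulletin(bulletin: str, log_lines: Sequence[str],
                    own_domains: Sequence[str] = ()) -> List[Hit]:
    """End-to-end: bulletin text in, list of log lines that contain its indicators out."""
    return match_logs(extract_indicators(bulletin, own_domains), log_lines)


if __name__ == "__main__":
    for h in triage_bulletin(SAMPLE_BULLETIN, SAMPLE_LOGS, own_domains=["example.com"]):
        print(f"line {h.line_no}: {h.kind} {h.indicator}\n    {h.line}")
```

On the constructed input this reports three hits (the outbound connection to the listed IP, the proxy fetch of the listed URL's host, and the AV event carrying the listed hash) and correctly ignores the intranet line; the analyst starts triage from those three log lines instead of from the email. A real TIP does the same job against SIEM searches rather than an in-memory list, and the allowlist and whole-token comparison are the two places where a naive version would generate noise.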

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.