Posted September 8, 2016
By now, those of us in the cyber security industry are quite familiar with threat intelligence and its role in proactive enterprise security, but many organizations are still new to figuring out how to truly operationalize it.
I recently participated in a webinar with ESG analyst Jon Oltsik, where we discussed how to operationalize threat intelligence. Jon and I shared use cases, key insights, and case studies from recent ESG research.
One of the biggest problems we see organizations having with new threat intelligence programs is that they base their programs on a myriad of threat feeds and technologies from assorted vendors. This leads to disorganized intelligence, the opposite of what we want. The other challenge we see is organizations struggling with how to integrate threat intelligence into the existing security processes and products in which they’ve already invested.
So how do we combat this problem? Here are four key ways for organizations to operationalize threat intelligence:
- Quality over quantity: What is the point of having thousands of streams of data if a) they don’t apply to your business or industry, b) you don’t have the staff or bandwidth to sift through all of the intelligence, or c) the intelligence is out of date or too generic? Organizations need to improve the quality of their threat intelligence and focus on timely, high-fidelity, and relevant information.
- Consolidation: Organizations, both large and small, should centralize their threat intelligence and keep it on a single threat intelligence platform where it can be enriched and correlated. This should ultimately help those organizations that have many different groups consuming and analyzing the intelligence, as well as assist analysts with threat detection, forensic investigation, and prioritization.
- Integration: Once threat intelligence is centralized, it must be shareable with an array of security analytics systems, people, processes, and technical controls so that external threats can be compared with internal network activity. Only after the threat intelligence is distilled down to the relevant pieces of actionable intelligence can it be operationalized.
- Put it in action: You want a solution that can put relevant threat intelligence into action. This could range from creating a firewall rule or using DNS intelligence to block external communication when a malicious command-and-control (C2) server is detected, to assisting incident response professionals with identifying internal assets that have communicated with known bad external locations, to alerting an organization that a new set of compromised credentials belonging to its employees has just shown up in a breach package on the dark web.
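The four steps above, worked through end to end as an added illustration (this is example code written for this post, not a product's or ESG's): two constructed vendor feeds are filtered for age and confidence (quality), merged into one deduplicated set with the contributing sources recorded (consolidation), then matched against constructed internal DNS and connection log lines (integration) to list the internal hosts that talked to known bad locations (action). Indicator values, hostnames, vendor names and the log format are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample feeds from two hypothetical vendors; the indicators are documentation-range values, not real IoCs.
FEEDS = {
    "vendor_a": [
        {"ioc": "bad.example", "type": "domain", "confidence": 90, "last_seen": "2016-09-07"},
        {"ioc": "198.51.100.7", "type": "ip", "confidence": 40, "last_seen": "2016-01-10"},  # stale and low confidence
    ],
    "vendor_b": [
        {"ioc": "BAD.example.", "type": "domain", "confidence": 70, "last_seen": "2016-09-05"},  # same domain, different spelling
        {"ioc": "203.0.113.9", "type": "ip", "confidence": 85, "last_seen": "2016-09-06"},
    ],
}
NOW = datetime(2016, 9, 8)  # constructed reference time for the age check

def normalize(ioc):
    """Canonical form so the same indicator from two vendors dedupes to one entry."""
    return ioc.strip().lower().rstrip(".")

def consolidate(feeds, now, max_age_days=30, min_confidence=60):
    """Merge feeds into one set, keeping only timely, high-confidence indicators and recording which sources agree."""
    merged = {}
    for source, entries in feeds.items():
        for e in entries:
            seen = datetime.strptime(e["last_seen"], "%Y-%m-%d")
            if now - seen > timedelta(days=max_age_days) or e["confidence"] < min_confidence:
                continue  # quality over quantity: drop stale or low-fidelity entries
            key = (e["type"], normalize(e["ioc"]))
            rec = merged.setdefault(key, {"confidence": 0, "sources": set(), "last_seen": seen})
            rec["confidence"] = max(rec["confidence"], e["confidence"])
            rec["sources"].add(source)
            rec["last_seen"] = max(rec["last_seen"], seen)
    return merged

# Constructed internal log lines in a simple key=value format (hypothetical, not a real product's output).
LOGS = [
    "2016-09-08T10:01:02 host=ws-017 dns query=bad.example",
    "2016-09-08T10:01:05 host=ws-017 conn dst=203.0.113.9:443",
    "2016-09-08T10:02:11 host=ws-042 dns query=intranet.example",
    "2016-09-08T10:03:00 host=ws-042 conn dst=198.51.100.7:80",
]

def match_logs(intel, lines):
    """Return (host, indicator, sources) for every internal host that contacted a consolidated indicator."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "query" in fields:
            key = ("domain", normalize(fields["query"]))
        elif "dst" in fields:
            key = ("ip", normalize(fields["dst"].rsplit(":", 1)[0]))
        else:
            continue
        if key in intel:
            hits.append((fields.get("host"), key[1], sorted(intel[key]["sources"])))
    return hits

def find_compromised_assets():
    """The whole pipeline: consolidate the feeds, then correlate them with the internal logs."""
    return match_logs(consolidate(FEEDS, NOW), LOGS)
```

The stale, low-confidence IP from vendor_a is dropped before correlation, so the matching host ws-042 produces no alert, while ws-017 is flagged twice, once for an indicator both vendors agree on.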
Operationalizing threat intelligence depends on tightly integrated security technologies and coordinated organizational processes. Just having a bunch of feeds that spit out data is not enough. The benefits of threat intelligence will come once you have an efficient and effective program.