Posted September 5, 2017
In many respects, Threat Intelligence (TI) programs are still in their infancy, and security professionals are still struggling to put these programs together. To help security professionals, who strive to build successful TI programs, I recently held a webinar series, “Success Factors in Threat Intelligence” that described a comprehensive business technical approach to the justification, definition, design, and execution of TI programs.
Much talk in the security market revolves around the technical aspects of the latest threats and how targets have been affected by these threats, but what’s often left out of this narrative is a step-by-step guide to implementing you threat intelligence program.
We know that in order to have a mature security posture, we need a TI program that can leverage machine-readable threat intelligence, integrate it with a threat intelligence platform, and mitigate the threat; but how do you actually put this program together? This blog will review the necessary information needed for a successful TI program, going far beyond what can be found in the typical technical industry reports. I’ve also shared how to get the most out of your TI program.
First of all, as many experienced security practitioners know, if you don’t have clear objectives or goals in security strategy then it’s likely you will be lucky to achieve success. That’s where we will start…
In the first webinar, I cover what drives the requirements for a TI program, what are some of the requirements, and how to start structuring a business strategy (not just a technical strategy) to leverage threat intelligence in a security practitioner’s environment.
Watch Part 1 of the series to learn more about:
- Justifying programs based on
- Business risk
- Cost of threats
- Investment savings
- Revenue impact
- Defining a program that addresses the full threat intelligence lifecycle
- Focusing on relevant intelligence for self and third party protection
In the second webinar, I take a step towards defining a TI program framework that encompasses technical requirements, teams, roles, systems, processes and metrics around the TI program.
This framework lays out the overall structure of how teams and security professionals can start to use TI effectively. A key aspect of the framework is defining core elements that are common across many disparate environments.
Watch Part 2 of the series to learn more about:
- Leveraging a framework specific for your needs across
- Metrics & Reporting
- How to focus your TI program on maturity and impact across all entities
In the third webinar, I take a deep dive into each part of the framework and details to consider.
Watch Part 3 of the webinar to learn how to:
- Automate where you can
- Focus on efficiency of analyst/experts
- Use metrics and reporting to drive improvements
Finally, our series wraps up with specific demonstrations of elements of TI programs, including:
- A high-quality threat intelligence data feed
- Showing key elements coverage, categorization, confirmation, fuller context including both real-time and historical data
- A threat intelligence operations platform
- Showing key elements of targeted collection, multiple sources of intelligence processing and tiered review of analysis
- A threat intelligence analysis and threat scoring can be done
- Showing comprehensive customization and transparency of actionable intelligence
- A cyber attack surface assessment collection, correlation and reporting system
- Showing how organizational foot printing combined with assessment of cyber, credentials, phishing and vulnerabilities in an automated process can be leveraged
- A threat mitigation system leveraging automated threat intelligence
- Showing automation of large scale threat intelligence data while managing rule lifecycles to reduce impact on operational teams
In a nutshell
Threat Intelligence programs require focus on the requirements, framework, program details, and ultimately the metrics that measure their effectiveness. LookingGlass has 20+ years of significant experience in designing threat intelligence programs, as well as in supporting our customers TI programs.