Eric Olson, Cyveillance’s Vice President of Product Strategy, recently hosted an online webinar on Defining Threat Intelligence and Why It Matters. Here are some of the highlights:
What Is and Is Not Threat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations understand the risks common and severe external threats, used to inform decisions regarding the subject’s response. LookingGlass Cyber (n) - Actionable, relevant, and timely information that can help when assessing the security posture of an organization. A little more left. No no, that’s now too far...
A lot of what’s being sold as threat intelligence isn’t—it’s simply data. Intelligence, on the other hand, is data that has been refined or processed. We believe that data is important and can be a precursor to intelligence, but the two are not synonymous. Many of the things being pitched as intelligence are actually data, which is an important distinction.
Start With the “Why”
Creating a threat intelligence center is a long term commitment that needs to be sustained. There are only six business reasons to justify the work, as seen here.
Before you buy (or don’t buy) one bit of data, organizations need to be able to be able to answer the following questions:
1) What is the business driver to buy or build “threat intel” capabilities?
2) Can you define a clear, and bounded, mission or set of responsibilities?
3) Can you quantify the problem, the risk, or the value of the solution?
4) How will you operationalize the information to support business goals?
5) How will you justify the ongoing expenditure or budget request?
If you can’t effectively answer these questions, stop!
Translating the “Why” into the “What”
Once you have your “why,” both feeds and intelligence can be powerful tools in enhancing the security of your data, your employees, your network, and your enterprise. Some objectives could be perimeter defense, vulnerability management, fraud reduction, or compliance. Once you’ve translated the “why” into the “what”, your needs are much clearer.
Operationalizing the Data
The “how” of this process is also an important step.
It’s important to know how you’re going to plug data in to your organization in order to make it usable. The above screenshot illustrates some examples of how this might be done.
Evaluate Your Options
The final step in this process, evaluating sources and vendors, is also critical. The following criteria can be useful when making a decision.
In conclusion, threat intelligence can only fulfill its purpose if you have addressed all of the key questions of “why,” what”, “how,” and “who.” If you’re interested in learning more about true threat intelligence, be sure to watch the entire webinar here, and stay tuned to our BrightTALK page for more great cyber security tips.