A few days ago, we told you about a recent webinar on Defining Threat Intelligence, hosted by our own Eric Olson, Vice President of Product Strategy. Today we’re going to recap Part II of that webinar, Concrete Steps to Deploying a Threat Intelligence Capability.
- Recap of Part 1: Defining Threat Intelligence: Evidence-based knowledge about an existing hazard designed to help organizations understand the risks common and severe external threats, used to inform decisions regarding the subject’s response. LookingGlass Cyber (n) - Actionable, relevant, and timely information that can help when assessing the security posture of an organization. A little more left. No no, that’s now too far...
Start with a clearly defined mission or business objective. It’s difficult to get into actionable steps without having these questions defined.
- Defining Business Objectives
This is the foundation of whatever you’re trying to build—the business objective that your intelligence capability is being prepared to meet. Most people are in the planning phase, so this is very applicable. It’s also important to have someone who can “speak executive” so the business goals are clear to management. Security and management are different languages—so therefore security needs must be translated into a language executives understand.
- Translating Objectives into Activities and Needs
The objective is not the activity, but it does dictate the activity. Once you have a clear objective, it will dictate and bound the activities that your team of threat analysts performs and the skills they will need. When organizations task a group with threat intelligence, that group needs a clear mission.
Most objectives don’t increase revenue. Threat intelligence doesn’t contribute to top-line growth, but it can contribute to margins. Here are some other business objectives a threat intelligence team might be called on to support.
If the goal is to prevent the loss of sensitive data, here are some activities and intelligence that might be used.
Reporting of metrics and meaningful reporting are two different things. Metrics are subject to fluctuation that we have no control over and can be deceptive, but are not the heart of effective reporting.
Every implementation is specific to the organization, but there are some common landmines:
1) Do you have a system capable of storing, analyzing, or otherwise making actionable use of the various types of data and intelligence?
2) Is there a lingua franca? When you have several different feeds coming in, is the data normalized?
3) Knowing how to build a threat center and knowing how to operate it are two different things.
4) Have a checklist—procedures need to be in place so people know how to react to different scenarios.
In choosing the right implementation model, the following framework can be useful:
- Budget Planning
Budget planning should come back to what business objectives you have. Here are four key considerations to keep in mind: