Threat Intelligence Blog

Posted August 8, 2014

A few days ago, we told you about a recent webinar on Defining Threat Intelligence, hosted by our own Eric Olson, Vice President of Product Strategy. Today we’re going to recap Part II of that webinar, Concrete Steps to Deploying a Threat Intelligence Capability.

  1. Recap of Part 1: Defining Threat Intelligence

Start with a clearly defined mission or business objective. It’s difficult to get into actionable steps without having these questions defined.


  1. Defining Business Objectives

This is the foundation of whatever you’re trying to build—the business objective that your intelligence capability is being prepared to meet. Most people are in the planning phase, so this is very applicable. It’s also important to have someone who can “speak executive” so the business goals are clear to management. Security and management are different languages—so therefore security needs must be translated into a language executives understand.


  1. Translating Objectives into Activities and Needs

The objective is not the activity, but it does dictate the activity. Once you have a clear objective, it will dictate and bound the activities that your team of threat analysts performs and the skills they will need. When organizations task a group with threat intelligence, that group needs a clear mission.


Most objectives don’t increase revenue. Threat intelligence doesn’t contribute to top-line growth, but it can contribute to margins. Here are some other business objectives a threat intelligence team might be called on to support.


If the goal is to prevent the loss of sensitive data, here are some activities and intelligence that might be used.


  1. Reporting

Reporting of metrics and meaningful reporting are two different things. Metrics are subject to fluctuation that we have no control over and can be deceptive, but are not the heart of effective reporting.


  1. Implementation

Every implementation is specific to the organization, but there are some common landmines:

1)      Do you have a system capable of storing, analyzing, or otherwise making actionable use of the various types of data and intelligence?

2)      Is there a lingua franca? When you have several different feeds coming in, is the data normalized?

3)      Knowing how to build a threat center and knowing how to operate it are two different things.

4)      Have a checklist—procedures need to be in place so people know how to react to different scenarios.


In choosing the right implementation model, the following framework can be useful:


  1. Budget Planning

Budget planning should come back to what business objectives you have. Here are four key considerations to keep in mind:



To learn more about getting your threat center off the ground, watch the entire webinar here, and stay tuned to our BrightTALK page for more great cyber security tips.

Additional Posts

Where there are Breaches, there are Infections

Community Health Systems (CHS) recently announced their network of 206 Hospitals was hacked ...

A Difficult New DNS DDoS Attack

More and more DNS administrators know that attackers can use reflection or request open recursive ...