5 Questions On Threat Intelligence

Add bookmark

Seth Adler

Remediation-based, orchestrated, automated and customized threat intelligence is the goal. Most organizations have a few steps to go before reaching that goal. Cyber Security executives have realized that raw data is not intelligence. The discipline is not called Threat Raw Data, it’s called Threat Intelligence. Global corporate enterprise cyber security executives must move past a collective present ‘feed-based’ mindset.

SIEM solutions have been improving, but at their base lack a response capability. SOAR solutions do answer the response missing in base SIEM solutions, but industry executives note that all solutions do not actualize the promise being offered by most SOAR providers.

Actionable Threat Intelligence

While automation might happen with the click of a button, the quality of the data going in will determine the quality of the data coming out. But that’s just the data. The talent needed to work with the data going in and coming out- along with the continual tweaking of the automation tool itself must be in-house. So while one of the promises of automation is to reduce cost, adding automation-focused talent is necessary in order to gain true threat intelligence for the enterprise.

In moving past the feed-based mindset, the context of the evidence-based data being offered must be known. Sharing insights within the community is of paramount importance. The assessment of the insights coming out of that data can become proven organizational knowledge. That knowledge needs to be orchestrated so that action-based response and ultimately remediation can occur.

Is It Actionable?

Assessing the actionable nature of a threat intelligence feed is necessary to ensure analysts are actually working on signal rather than noise. Examine what has been done based on information received over a multi-quarter time frame. If risk hasn’t been reduced, the value of that particular strain of threat intel must be debated.

Are you sharing it and has it been shared with you?

Gone are the days of shielding good intelligence that could be shared from being shared. The National Council of ISACs benefit myriad sectors with quality threat intelligence. Blending that information with additional industry intelligence for your organization is key. And keeping open lines of communication for threat intelligence with your peers in and out of your sector has become an imperative. Global corporate enterprise must sustain a unified front just as those one the other side have done.  

Do you have the talent?

Note if your team features at least someone with an intelligence background. If not, there is intellectual property, intelligence-based mindset and intelligence-focused culture that is missing from your threat intelligence discipline. 

What can it do for you C-Suite and Board?

Another good way to deduce if your threat intelligence is valuable is to consider how much of it has been ultimately shared with the C-Suite and Board. Ultimately shared here means that some action or communication was undertaken by you to them based on threat intelligence received. If that has not occured, consider how valuable the information is that you are receiving.

What can it do for your budget?

On the other hand, if you are consistently ultimately sharing information from your threat intelligence with the highest-level folks in the organization, they- by definition- are aware of the threats posed to the organization. From there it is important to connect the dots to the systems needed to thwart threats and truly reduce risk to the enterprise. Thus the business case for the budget needed is proven.