
How Threat Intelligence Streamlines Operational Tasks For Data-Driven Cybersecurity

By Robert Wood | May 12, 2023 | 4 Mins Read

Threat intelligence is a loaded term in cybersecurity, often referring to the tactical data that makes our tools more effective. However, threat intelligence isn’t just for tool augmentation, such as tracking emerging threats, IP addresses, or binary signatures. Threat intelligence certainly involves those things, but it can be, and do, much more.

Threat intelligence, supported by data-driven cybersecurity teams, can bolster resilience and streamline operational tasks, and in this analysis, we’ll take a look at how.

Building a Data-Driven Cybersecurity Team

The foundation for optimizing threat intelligence is the data-driven team. A successful data-driven team contains professionals with diverse skill sets, including data analysts, security researchers, threat hunters, and incident responders.

Creating this team requires an overall organizational culture that is data-driven. Establishing this culture entails investing in the right tools, training, and processes to enable efficient access and analysis of data. It also entails getting into a collective headspace that prioritizes looking at the data first in order to solve problems. In my experience, getting into this headspace is partly about tools but also about exposure to different ways of working — ways that tap into the creativity often overlooked in cybersecurity work.

Leveraging Threat Intelligence For Operational Needs

Cybersecurity teams must collect and analyze data from various sources to effectively develop threat intelligence. Some of those data sources are external, like information sharing and analysis centers (ISACs), commercial feeds, and public reports. Then, there are internal sources such as network logs and incident reports. These internal sources offer information about an organization’s unique and personalized context. This information doesn’t necessarily have to be used just for tools within the security operations center (SOC); it can be used in cybersecurity functions such as awareness training, compliance, workforce development, strategic planning, and investing in new technologies.

Integrating a threat-based perspective into these functions will fuel resilience. Traditionally, this perspective is integrated into security tools like security information and event management (SIEM) platforms and endpoint detection and response (EDR) systems that allow for the correlation of events, identification of patterns, and improved threat detection within the function of the SOC. This, alongside threat intelligence platforms (TIPs), is the core function of threat intelligence.

Let’s now take a closer look at how threat intelligence could be applied to operational needs, thereby streamlining and supporting a resilient cybersecurity program:

  1. Prioritizing security efforts: Focus resources on the most significant risks and vulnerabilities based on threat intelligence for a targeted and proactive approach. This also means connecting to sprint planning or backlog grooming efforts that correlate to project-related work. 
  2. Enhancing incident response learning culture: Integrate threat intelligence insights into post-mortem or root cause analysis reviews. Teams can also do this retroactively and evaluate whether their understanding aligns with the conclusions drawn in the past. This can be very powerful when helping a team continue to learn, unlearn, and grow together.
  3. Improving security awareness: Enhance training programs with real-world examples of current threats and attack methods, helping employees understand risks and the importance of following security best practices. This can also feed into senior leadership updates and briefings.

Measuring the Impact of Threat Intelligence

A data-driven team should be looking at metrics to guide and inform how it’s doing with project and operational initiatives.

As you take threat intelligence into more diverse parts of your security program, look at the metrics for those other functions, not necessarily the traditional threat intelligence key performance indicators (KPIs) like mean-time-to-detect. For example, consider how many post-mortem or root cause analysis reviews were changed or updated based on integrating retrospective threat intelligence.

Looking at how, and how frequently, your prioritization of work changes based on threat intelligence insights is also a useful reflection of how effective team members are at planning and adapting.

Closing Thoughts

Threat intelligence is essential in modern cybersecurity operations, but its value is not limited to off-the-shelf uses. By building a data-driven cybersecurity team and effectively leveraging threat intelligence for operational needs and tasks, organizations can extend the context gained through threat intelligence into more of what they do. Those tasks might be awareness training or planning and prioritization, but I recommend continuing to look for additional opportunities. To successfully measure the impact, ask questions about your team like: Are they agile? Are they adaptable? Are they becoming more effective?


Robert Wood

CISO
Executive Branch Agency

Areas of Expertise
  • Cybersecurity

Robert Wood is an Acceleration Economy Analyst focusing on Cybersecurity. He has led the development of multiple cybersecurity programs from the ground up at startups across the healthcare, cybersecurity, and digital marketing industries. Between experience with startups and application security consulting, he has both leadership and hands-on experience across technical domains such as the cloud, containers, DevSecOps, quantitative risk assessments, and more. Robert has a deep interest in the soft skills side of cybersecurity leadership, workforce development, communication, and budget and strategy alignment. He is currently a Federal Civilian for an Executive Branch Agency and his views are his own, not representing that of the U.S. Government or any agency.
