Using Threat Intelligence to Protect the Enterprise
If you are involved in Information Security in almost any way, you have probably heard the term “threat intelligence”. There are many misconceptions about what it truly is, ranging from the belief that it is just data feeds or high-priced research subscriptions to the belief that you need a dedicated team of SOC analysts to implement it effectively. All of these notions are false.
Instead, threat intelligence includes information and analysis from a wide variety of sources, presented in a meaningful way for your organization. If properly used, it can be tremendously valuable and can be handled by your existing security staff, with the right tools and support.
A threat intelligence program is organized around six distinct phases that together make up the “intelligence cycle”.
Direction – This phase sets the goals for your threat intelligence program, defining the assets and business processes that need to be protected. Defining the impacts of losing those assets along with setting the priorities on what to protect are key to this phase. Another component of this phase is determining the types of intelligence data needed to protect the organization.
Collection – This is the process of gathering the necessary information, including logs and metadata from the network, servers and security devices. Subscribing to appropriate threat data feeds and maintaining awareness of industry news and cybersecurity events and incidents are also required. In other words, if you don’t know what is happening in the world around you, it could be happening to you, right under your nose.
Processing – This is the process of putting the collected information and data into a format your security team can use. Because the data comes from different sources in different formats (feed exports, vendor APIs, device logs), it has to be normalized into one consistent structure before it can be correlated or searched.
Analysis – This phase turns the processed data into actionable items that inform decisions. Those decisions or actions include investigating possible threats, blocking emerging threats, or strengthening security controls. Critical to the analysis is presenting the intelligence in a form that is easy to understand and directly usable by the people who will act on it.
Dissemination – This phase involves getting the finished intelligence to the appropriate parties and users, in the format and through the medium best suited to each audience (for example, blocklists for the firewall team, a short summary for management).
Feedback – Regular feedback is required to ensure that the evolving requirements of the users of the intelligence data are satisfied and the appropriate adjustments and changes to the data sources and outputs are made.
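To make the Collection, Processing and Analysis phases concrete, here is an added example (not part of the original article, and not any vendor's product code) that normalizes two threat feeds delivered in different formats into one indicator table, matches them against proxy log lines, and ranks the hits by the asset priorities set in the Direction phase. The feed contents, the log lines, the host addresses and the ASSET_CRITICALITY table are all constructed for the example and are not real indicators.

```python
import csv
import io
import json

# Constructed sample inputs: two feeds with different schemas and a few proxy log lines.
# None of these addresses or domains are real indicators; they only exercise the code.
FEED_CSV = """indicator,type,confidence
203.0.113.7,ipv4,80
badcdn.example,domain,60
"""

FEED_JSON = json.dumps({
    "objects": [
        {"value": "198.51.100.23", "kind": "ip", "score": 0.9},
        {"value": "updates-mirror.example", "kind": "fqdn", "score": 0.4},
    ]
})

PROXY_LOG = """2024-05-01T10:00:01Z src=10.0.5.12 dst=203.0.113.7 host=- action=ALLOW
2024-05-01T10:00:02Z src=10.0.5.12 dst=93.184.216.34 host=example.com action=ALLOW
2024-05-01T10:00:03Z src=10.0.9.40 dst=198.51.100.23 host=updates-mirror.example action=ALLOW
2024-05-01T10:00:04Z src=10.0.7.1 dst=192.0.2.10 host=badcdn.example action=ALLOW
"""

# Output of the Direction phase: which internal assets matter most (hypothetical values).
ASSET_CRITICALITY = {"10.0.9.40": "high", "10.0.5.12": "medium"}
_RANK = {"high": 0, "medium": 1, "low": 2}


def normalize_csv_feed(text):
    """Processing: map the CSV feed onto a common {indicator: record} schema."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        kind = "ip" if row["type"] == "ipv4" else "domain"
        out[row["indicator"].lower()] = {
            "type": kind, "confidence": int(row["confidence"]), "source": "feed_csv"}
    return out


def normalize_json_feed(text):
    """Processing: same schema from the JSON feed; its 0..1 score becomes 0..100."""
    out = {}
    for obj in json.loads(text)["objects"]:
        kind = "ip" if obj["kind"] == "ip" else "domain"
        out[obj["value"].lower()] = {
            "type": kind, "confidence": int(round(obj["score"] * 100)), "source": "feed_json"}
    return out


def merge_feeds(*feeds):
    """When feeds overlap, keep the record with the highest confidence."""
    merged = {}
    for feed in feeds:
        for ioc, rec in feed.items():
            if ioc not in merged or rec["confidence"] > merged[ioc]["confidence"]:
                merged[ioc] = rec
    return merged


def parse_proxy_line(line):
    """Collection: parse one 'ts key=value ...' proxy log line into a dict."""
    parts = line.split()
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def analyze(log_text, iocs, min_confidence=50):
    """Analysis: match dst IP and host against the indicator table and rank the hits.

    Findings are ordered by the criticality of the internal asset that made the
    connection (from the Direction phase), then by indicator confidence.
    """
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_proxy_line(line)
        for field in ("dst", "host"):
            value = event.get(field, "-").lower()
            hit = iocs.get(value)
            if hit is None or hit["confidence"] < min_confidence:
                continue  # unknown value, or too weak an indicator to act on
            findings.append({
                "ts": event["ts"],
                "src": event["src"],
                "asset_criticality": ASSET_CRITICALITY.get(event["src"], "low"),
                "indicator": value,
                "confidence": hit["confidence"],
                "source": hit["source"],
            })
    findings.sort(key=lambda f: (_RANK[f["asset_criticality"]], -f["confidence"]))
    return findings


if __name__ == "__main__":
    table = merge_feeds(normalize_csv_feed(FEED_CSV), normalize_json_feed(FEED_JSON))
    for finding in analyze(PROXY_LOG, table):
        print(finding)
```

The min_confidence threshold is the kind of setting the Feedback phase tunes: lowering it surfaces the low-scoring updates-mirror.example hit from the JSON feed, which the team may or may not want to chase. In practice the normalized table would be loaded into the SIEM as a lookup rather than matched in a script, but the shape of the work (normalize, merge, match, prioritize) is the same.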
Without the right tools, security staff will spend their time on the mundane tasks of collecting and processing data instead of analyzing it and developing actionable plans to enhance security. Using existing security tools such as SIEMs in conjunction with analytic tools helps streamline workflows and processes, allowing staff to focus on intelligence outputs rather than the manual work of assembling the data. With the appropriate tools, most organizations can build an intelligence program with existing staff and resources, and make those security team members more effective in their ongoing functions and tasks.