Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Management & Strategy

Beyond Block and Tackle: How the Business Benefits from Threat Intelligence

Generally speaking, cyber security’s focus has been on detect-and-respond approaches. In the 2016 DBIR published by Verizon, the reported time for adversaries to get in and out of your network is measured in minutes (or seconds), whereas the time to even identify that you’ve been compromised is measured in days.

Generally speaking, cyber security’s focus has been on detect-and-respond approaches. In the 2016 DBIR published by Verizon, the reported time for adversaries to get in and out of your network is measured in minutes (or seconds), whereas the time to even identify that you’ve been compromised is measured in days.

To remediate threats, security has traditionally been about blocking and tackling. And there are a ton of tools and services out there… firewalls, AV, IPS, endpoint protection, and so on. Motivated cybercriminals are after high value targets and they often shift their tactics to evade detection – and they’re very good at it. Unfortunately it’s a lot like squeezing a balloon. If you squeeze one part, the other part will pop up, but if you go to squeeze the expanded section, the bottom will pop out.

So while the technical folks are scrambling to block the bad stuff from wreaking havoc, what’s the connection to the things the business traditionally cares about?

Consider the impact of successful (or ineffective) security on the company’s brand and reputation. What’s its impact on your legal and regulatory environment? How does it impact your bottom line? These are big picture questions that cannot be answered or measured by tactical security approaches. But they can be addressed by strategic and operational cyber threat intelligence.

The Threat Intelligence Stack and How it Ties to Your Business

When you look at the typical threat intelligence stack, you usually see discussion around “tactics, techniques and procedures” or “TTPs” and how they relate to the technical aspect of things. What is critically missing from the conversation however is how TTPs relate to risks against your lines of business. Too many organizational defenders are busy protecting an enterprise in the absence of asset priority. They don’t know what makes the organization run, what keeps it profitable, what its keys to growth really look like.

Every product and service your organization delivers depends on technology in some way to be successful. And because organizations continue to treat cyber threats as solely a technology issue and not as a business problem, they likely have little idea how that threat translates into a direct risk to the business unit delivering that product and service. And ultimately, the executive accountable for that product or service likely has little idea if they are well positioned against cyber risk.

To bring clarity to this issue and help your organization reduce uncertainty, each business unit head should start off with this simple question:  Are we well-positioned from a cyber security perspective, or are we not? If not, why not? Well-positioned means you know your risks and you have an acceptable level of measures in place to mitigate those risks – ultimately shrinking your exploitable threat surface and being prepared to act swiftly when necessary. It means you are aware of threats to your organization and to what degree those threats can impact a product, service, brand or regulatory posture.

Advertisement. Scroll to continue reading.

To answer this, you need to peel back the many layers of how your business runs.

Layers of Business ChartIf you look at your business unit, what are the products and services that the business unit is dependent upon? How much does the organization depend on that business unit for revenue? What is that business unit’s strategy? What is the mission or goal? What is the next level they are trying to get to? And then, what is at stake for the organization if that business unit was severely harmed by a cyber threat? This is your threat surface. Are there areas of the business that should receive more resource investment?

If you peel back another layer, you can examine the tools that support the product(s) and/or service(s) that you manage. Look at the infrastructure that supports these tools. Are there specific IT pain points? How is IT supporting the infrastructure? How is that infrastructure maintained? How much infrastructure is outsourced and is a supply chain at risk?  And finally, the crown jewels… information… what you need to protect and what adversaries are after. What information do you have that would be of value to an adversary? What liability and regulatory impact is there if they gain access to that information? How would brand and reputation be impacted if the information is compromised?

If you can’t answer these types of questions, start by using collected intelligence and eliminate the noise. As you think about the different types of intelligence that can be collected, know there are different uses:

Tactical intelligence – This is where “on-the-network” actions take place and this intel is specifically for defenders to improve detection and response techniques

Operational intelligence – One level up from tactical, this intel focuses on the immediate operating environment and is more adversary-focused

Strategic intelligence – For senior management, this intelligence is used to measure cyber risk and to guide proper investment and risk management decisions

All three types of intelligence help drive decisions and ultimately outcomes, but at different levels within the business. Tactical threat intelligence is where you start implementing within cybersecurity programs. Strategic and operational threat intelligence are the next steps, where intel moves from beyond the tech bubble and into the board room as part of a larger organizational risk discussion.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.