SecurityWeek

Security Infrastructure

Five Steps to Turn Threat Intelligence into a Threat Operations Program

Last month at the Gartner Security and Risk Management conference, I had the opportunity to speak with many CISOs, analysts and other security professionals. One of the common threads through many of these conversations was how to use threat intelligence more effectively to understand and act upon the highest priority threats facing their organizations. They have acquired multiple data feeds from multiple sources, but without the ability to sift through the data it has just become noise. In addition, applying unfiltered threat data to their defenses is generating significant false positives. And now many are left scratching their heads – surely this isn’t the end game.  

For many organizations, threat intelligence is at an inflection point; it can either add to the complexity security teams struggle with on a daily basis, or it can provide clarity and enable a more secure future. Which way it goes will depend on your ability to turn threat intelligence into a threat operations program. Mike Rothman, analyst and president of Securosis, writes that the inability to learn from attacks, prioritize risk and automate remediation, particularly given the security skills gap, isn’t acceptable. “We have to start thinking differently…building an operational process to more effectively handle the campaigns of adversaries,” Rothman recommends.

In light of this advice, here are five steps to guide you in this journey from threat intelligence to a threat operations program.

1. Aggregate – Establishing a solid foundation for a threat operations program begins with changing how we collect and manage the millions of threat-focused datapoints that analysts are bombarded with every day. What’s needed is a way to bring all this global data together – some from commercial sources, some open source, some industry and some from their existing security vendors – in one manageable location and translate it into a uniform format to achieve a single source of truth. With all your external threat data aggregated for analysis and exporting, you’ve taken a big first step in operationalizing threat intelligence.

2. Contextualize – You then need to augment and add context to the data. One critical, yet not fully utilized, resource for ensuring relevance to your environment is internal threat and event data. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. Now you’re in a position to begin to analyze and determine which intelligence to focus on first and which can be kept as peripheral.

3. Prioritize – All this data is great, but because of the volumes it generates a great deal of noise. Some threat data feeds and security vendors try to help reduce it by publishing risk scores. However, those scores are universal. What you really need is to prioritize based on relevance to your environment. And who is best to determine that for you – a vendor or yourself? What’s noise and a low priority for one business may be exactly the opposite for another. Changing risk scores so that you can prioritize threat intelligence based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, allows you to filter out what’s noise for you. Now you can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.

4. Utilize – Next comes using that prioritized threat intelligence to detect, respond, anticipate and prevent threats to your organization. When a threat does get through your layers of defense, you now have a single source of truth for better decisions and action. Applying this subset of threat data, specific to your environment, to your existing case management or SIEM solution allows these technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – automatically sending intelligence to your sensor grid (firewalls, IPS, IDS, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk.

5. Learn – The value of a threat operations program doesn’t stop there. Going back to step one, you can keep all this data and context in your repository, add more data and context over time and continuously tune your threat library. Regular updates with pre-processed, contextual and prioritized data, along with the ability for security teams to add comments about their observations into the repository, allow you to capture what you’ve learned about adversaries and their tactics, techniques and procedures (TTPs). Continuous threat assessment – recalculating and reevaluating priorities based on a continuous flow of new data and learnings – helps ensure you’re staying focused on what matters in a highly dynamic environment and getting the most value from your threat intelligence.
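To make the aggregate, contextualize, prioritize and utilize steps concrete, here is a small Python pipeline added as an illustration; it is not code from the column or from any vendor product. The two feed formats, the internal log events, the source and type weights and the threshold are all constructed, and the scoring formula is one possible way of expressing "parameters you set" rather than a vendor's universal score.

```python
import re
from collections import defaultdict

# Step 1 input: two constructed feeds from hypothetical vendors, in different formats.
# vendor_score / severity are the vendor's universal ratings; the pipeline ignores them.
FEED_A = [{"ioc": "203.0.113.7", "kind": "ipv4", "vendor_score": 90},
          {"ioc": "malware.example", "kind": "domain", "vendor_score": 40}]
FEED_B = "198.51.100.9,ip,high\nlogin.example,fqdn,low\n203.0.113.7,ip,medium\n"
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}

# Step 2 input: constructed internal SIEM / firewall / DNS events.
INTERNAL_EVENTS = [
    "2024-05-01T10:00:01 fw deny src=203.0.113.7 dst=10.0.0.5",
    "2024-05-01T10:02:15 dns query login.example from 10.0.0.8",
    "2024-05-01T10:03:40 fw deny src=203.0.113.7 dst=10.0.0.9",
]

# Step 3 parameters: relevance weights set by the organization (assumed values).
SOURCE_WEIGHT = {"feed_a": 3, "feed_b": 1}   # how much each source is trusted
TYPE_WEIGHT = {"ip": 1, "domain": 2}          # how relevant each indicator type is
SIGHTING_BOOST = 5                            # added per internal sighting
THRESHOLD = 7                                 # minimum score worth acting on

def aggregate():
    """Step 1: merge both feeds into one uniform record per indicator."""
    records = {}
    for r in FEED_A:
        rec = records.setdefault(r["ioc"], {"type": TYPE_MAP[r["kind"]], "sources": set()})
        rec["sources"].add("feed_a")
    for line in FEED_B.strip().splitlines():
        ioc, kind, _severity = line.split(",")
        rec = records.setdefault(ioc, {"type": TYPE_MAP[kind], "sources": set()})
        rec["sources"].add("feed_b")
    return records

def contextualize(records):
    """Step 2: count internal sightings; the boundary check stops 203.0.113.7
    from matching inside 203.0.113.70."""
    sightings = defaultdict(int)
    for ev in INTERNAL_EVENTS:
        for ioc in records:
            if re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", ev):
                sightings[ioc] += 1
    return sightings

def prioritize(records, sightings):
    """Step 3: score by your own source, type and sighting parameters."""
    scored = []
    for ioc, rec in records.items():
        src = sum(SOURCE_WEIGHT[s] for s in rec["sources"])
        scored.append((ioc, src * TYPE_WEIGHT[rec["type"]] + SIGHTING_BOOST * sightings[ioc]))
    return sorted(scored, key=lambda x: (-x[1], x[0]))

def utilize(scored):
    """Step 4: only indicators above the threshold are exported to the SIEM or sensor grid."""
    return [ioc for ioc, score in scored if score >= THRESHOLD]
```

Note that 198.51.100.9, rated "high" by its vendor, drops out for lack of relevance, while login.example, rated "low", is promoted because it was seen inside the environment.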

As organizations home in on threat intelligence as a cornerstone of their security posture, they are creating their own Security Operations Centers, incident response capabilities and threat intelligence teams. By turning threat intelligence into a threat operations program, not only are you in a better position to reduce risk – now and in the future – but you can also increase protection through an integrated defense and scale not just threat operations but your entire security operations.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
