How Humans “LEAD” the Way to More Effective Use of Threat Intelligence

When the theme, Human Element, was announced for RSA Conference 2020 (RSAC), I was gratified. It’s a topic I never tire of because not only do I believe that there is no “silver bullet” technology, I believe it’s the humans who really lead the way to greater security efficiency and effectiveness. So, while at the conference I took the opportunity to view everything through the lens of the human element. More specifically, what companies are doing to better support and enable the practitioners and leaders focused on cybersecurity. One example that stood out to me was the LEAD framework created by Adobe to help their internal security teams make better use of the vast amounts of threat intelligence they collect every day.

LEAD stands for ReLevant, Efficient, Analyst-driven and Deliverable. It’s a perfect example of the symbiosis between technology and people to strengthen security posture. The framework leverages the fact that security professionals are the ones who understand their environment and security profile and are able to define risk. They’re also the ones with the experience to determine the right action to take in their environment. With the right technology, they can apply their understanding, experience and intuition for greater security efficiency and effectiveness. Let’s take a closer look at each aspect of the framework.

Relevant – As security professionals, we need to change how we look at the threat landscape. Instead of an “us against the world” perspective, we need to focus on a very specific world: your own threat landscape, which is where the threat landscape at large intersects with the characteristics and configuration of your own infrastructure. You need a platform that allows you to aggregate external threat data from the multiple sources you subscribe to – commercial, open source, government, industry and existing security vendors. You then need to augment and enrich it with internal threat and event data, for example from your SIEM system, log management repository and case management systems. This is how you define the intersection and ensure relevance to your specific organization.

Efficient – The next important task is to determine the right intelligence to focus on first and which can be kept as peripheral, so you can work efficiently. The ability to assign risk scores allows you to prioritize threat intelligence based on your risk profile. With parameters you set around source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for you and home in on what really matters to your organization. 

Analyst-driven – The processes of identifying what’s relevant and using scoring for prioritization are ongoing and require that humans remain in the loop. With a platform that also incorporates learnings from your security team and automatically recalculates and reevaluates priorities on an ongoing basis, you can keep up with a changing threat landscape. This continuous feedback loop ensures you stay focused on what is relevant to mitigate your organization’s risk and work efficiently. What’s more, as you gain a deeper understanding of adversaries, you gain confidence in your decisions on what actions to take and the comfort-level you need to automate tasks to move faster. 

Deliverable – With threat intelligence that is relevant, drives efficiencies and is analyst-driven, you can change how you communicate with your security infrastructure and to management. Applying relevant and prioritized threat data to your existing case management or SIEM solution allows these technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – automatically sending intelligence to your sensor grid (firewalls, IPS, EDR solutions, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk. And because you have greater insights into the threats you face, you can communicate more effectively about cybersecurity with your Board. You have the transparency you need to answer questions and provide greater detail in a clear and simple way that resonates with management and is relevant to the organization.
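As an added illustration (not code from this article, from Adobe's framework or from any vendor platform), the following Python walks one constructed set of indicators through the four LEAD steps: aggregate external feeds and enrich them with internal SIEM sightings (Relevant), compute a risk score from source, type, adversary tags, age and internal context (Efficient), adjust trust in a source from analyst verdicts and recalculate priorities (Analyst-driven), and emit a prioritized watchlist for the SIEM or sensor grid (Deliverable). The feed records, sighting counts, source weights, organization profile and the scoring formula itself are all hypothetical values chosen for the example.

```python
"""A toy threat-intelligence scoring pipeline that walks through the four LEAD
steps. Added illustration only: the feeds, sightings, weights and the scoring
formula are all constructed for this example, not Adobe's or any vendor's."""
from datetime import date

# --- Constructed sample data (hypothetical sources, indicators and sightings) ---
FEEDS = [
    {"source": "commercial-a", "type": "ip", "value": "203.0.113.7", "confidence": 0.9,
     "tags": ["finance", "apt-x"], "first_seen": date(2020, 2, 20)},
    {"source": "osint-b", "type": "ip", "value": "203.0.113.7", "confidence": 0.5,
     "tags": ["scanner"], "first_seen": date(2020, 2, 22)},
    {"source": "osint-b", "type": "domain", "value": "bad.example", "confidence": 0.6,
     "tags": ["phishing"], "first_seen": date(2019, 6, 1)},
    {"source": "isac-c", "type": "hash", "value": "0" * 64, "confidence": 0.8,
     "tags": ["finance", "ransomware"], "first_seen": date(2020, 3, 1)},
    {"source": "commercial-a", "type": "ip", "value": "198.51.100.9", "confidence": 0.7,
     "tags": ["retail"], "first_seen": date(2020, 1, 15)},
]
# Internal event data (constructed): SIEM hit counts per indicator in our own environment
SIEM_SIGHTINGS = {"203.0.113.7": 3, "bad.example": 1}
# Analyst-set organization profile: what "relevant" means for this organization
ORG_PROFILE = {"sector": "finance", "type_weight": {"ip": 0.6, "domain": 0.8, "hash": 1.0}}
# Analyst-set trust in each source; adjusted over time by feedback (see apply_feedback)
SOURCE_WEIGHT = {"commercial-a": 0.9, "osint-b": 0.6, "isac-c": 0.8}
TODAY = date(2020, 3, 5)


def aggregate(feeds):
    """Relevant, step 1: merge the same indicator reported by several external feeds."""
    merged = {}
    for rec in feeds:
        ind = merged.setdefault(rec["value"], {"type": rec["type"], "sources": {},
                                               "tags": set(), "first_seen": rec["first_seen"]})
        ind["sources"][rec["source"]] = rec["confidence"]
        ind["tags"].update(rec["tags"])
        ind["first_seen"] = min(ind["first_seen"], rec["first_seen"])
    return merged


def enrich(indicators, sightings):
    """Relevant, step 2: attach internal event data, i.e. the intersection of the
    threat landscape with our own infrastructure."""
    for value, ind in indicators.items():
        ind["sightings"] = sightings.get(value, 0)
    return indicators


def score(ind, source_weight, profile, today):
    """Efficient: a 0-100 risk score from source trust, confidence, indicator type,
    adversary/sector tags, age and internal sightings."""
    # Best trust-weighted confidence across sources; corroboration adds a small bonus.
    conf = max(source_weight[s] * c for s, c in ind["sources"].items())
    corroboration = min(0.1 * (len(ind["sources"]) - 1), 0.2)
    type_w = profile["type_weight"].get(ind["type"], 0.5)
    sector_match = 1.0 if profile["sector"] in ind["tags"] else 0.5
    freshness = max(0.2, 1 - (today - ind["first_seen"]).days / 365)
    base = (conf + corroboration) * type_w * sector_match * freshness
    sighting_boost = min(ind["sightings"], 5) * 0.1  # seen internally: up to +50%
    return round(min(100.0, base * (1 + sighting_boost) * 100), 1)


def apply_feedback(source_weight, feedback, step=0.1):
    """Analyst-driven: analyst verdicts on a source's indicators raise or lower
    trust in that source; callers then rescore so priorities are recalculated."""
    weights = dict(source_weight)
    for src, verdict in feedback:
        delta = step if verdict == "true_positive" else -step
        weights[src] = min(1.0, max(0.1, weights[src] + delta))
    return weights


def prioritize(indicators, source_weight, profile, today, threshold=40.0):
    """Deliverable: ranked indicators above the threshold, in a shape a SIEM or
    sensor grid can consume."""
    ranked = sorted(((score(ind, source_weight, profile, today), value, ind["type"])
                     for value, ind in indicators.items()), reverse=True)
    return [{"value": v, "type": t, "score": s} for s, v, t in ranked if s >= threshold]


def to_siem_rows(prioritized):
    """Deliverable: CSV rows for a SIEM watchlist; the tier drives how rules treat a hit."""
    return [f"{p['type']},{p['value']},{p['score']},{'high' if p['score'] >= 60 else 'medium'}"
            for p in prioritized]


if __name__ == "__main__":
    indicators = enrich(aggregate(FEEDS), SIEM_SIGHTINGS)
    print("Initial priorities:", to_siem_rows(prioritize(indicators, SOURCE_WEIGHT, ORG_PROFILE, TODAY)))
    # Analyst review: osint-b's domain was a false positive, isac-c's hash a true positive.
    weights = apply_feedback(SOURCE_WEIGHT, [("osint-b", "false_positive"), ("isac-c", "true_positive")])
    print("After feedback:   ", to_siem_rows(prioritize(indicators, weights, ORG_PROFILE, TODAY)))
```

On the constructed data the IP seen three times internally ranks first at the outset even though a low-trust OSINT feed also reports it as a mere scanner; after the analyst's verdicts raise trust in the ISAC feed, the sector-relevant ransomware hash overtakes it, which is the recalculation of priorities the Analyst-driven step describes. The domain from the downgraded OSINT source never clears the threshold, so it stays peripheral rather than generating SIEM noise.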

To derive the full value from external and internal threat intelligence, humans need to be involved at the right steps and time to effectively strengthen security posture. The LEAD framework demonstrates the necessary interplay between humans and technology. To learn more about the framework, watch the presentation Filip Stojkovski, Threat Intel Manager at Adobe, delivered at RSAC 2020.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
