How Humans “LEAD” the Way to More Effective Use of Threat Intelligence

When the theme, Human Element, was announced for RSA Conference 2020 (RSAC), I was gratified. It’s a topic I never tire of because not only do I believe that there is no “silver bullet” technology, I believe it’s the humans who really lead the way to greater security efficiency and effectiveness. So, while at the conference I took the opportunity to view everything through the lens of the human element. More specifically, I looked at what companies are doing to better support and enable the practitioners and leaders focused on cybersecurity. One example that stood out to me was the LEAD framework created by Adobe to help their internal security teams make better use of the vast amounts of threat intelligence they collect every day.

LEAD stands for ReLevant, Efficient, Analyst-driven and Deliverable. It’s a perfect example of the symbiosis between technology and people to strengthen security posture. The framework leverages the fact that security professionals are the ones who understand their environment and security profile and are able to define risk. They’re also the ones with the experience to determine the right action to take in their environment. With the right technology, they can apply their understanding, experience and intuition for greater security efficiency and effectiveness. Let’s take a closer look at each aspect of the framework.

Relevant – As security professionals, we need to change how we look at the threat landscape. Instead of an “us against the world” perspective, you need to focus on a much smaller world: your own threat landscape, which is where the threat landscape at large intersects with the characteristics and configuration of your own infrastructure. You need a platform that lets you aggregate external threat data from the multiple sources you subscribe to – commercial, open source, government, industry and your existing security vendors. You then need to augment and enrich it with internal threat and event data from sources such as your SIEM, log management repository and case management systems. That is how you define the intersection and ensure relevance to your specific organization.

Efficient – The next important task is to determine the right intelligence to focus on first and which can be kept as peripheral, so you can work efficiently. The ability to assign risk scores allows you to prioritize threat intelligence based on your risk profile. With parameters you set around source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for you and home in on what really matters to your organization. 

Analyst-driven – The processes of identifying what’s relevant and using scoring for prioritization are ongoing and require that humans remain in the loop. With a platform that also incorporates learnings from your security team and automatically recalculates and reevaluates priorities on an ongoing basis, you can keep up with a changing threat landscape. This continuous feedback loop ensures you stay focused on what is relevant to mitigate your organization’s risk and work efficiently. What’s more, as you gain a deeper understanding of adversaries, you gain confidence in your decisions on what actions to take and the comfort-level you need to automate tasks to move faster. 

Deliverable – With threat intelligence that is relevant, drives efficiencies and is analyst-driven, you can change how you communicate both with your security infrastructure and with management. Feeding relevant, prioritized threat data into your existing case management or SIEM solution lets those tools work more efficiently and effectively, with fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent future attacks by automatically sending it to your sensor grid (firewalls, IPS, EDR solutions, network traffic analysis tools that consume NetFlow, etc.) so that updated policies and rules are generated and applied to mitigate risk. That last step should be gated on the scoring described above: only indicators that clear your confidence and relevance thresholds belong in controls that block, since a stale or low-confidence indicator that reaches a firewall rule blocks legitimate traffic rather than mitigating risk. And because you have greater insight into the threats you face, you can communicate more effectively about cybersecurity with your Board. You have the transparency you need to answer questions and provide detail in a clear, simple way that resonates with management and is relevant to the organization.
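The four steps above can be sketched as a small scoring loop: enrich external indicators with internal sightings, score them against analyst-set weights, drop the noise, let analyst verdicts adjust the weights and recompute, and finally emit something a control can consume. The Python below is an added illustration written for this edit; it is not Adobe’s LEAD tooling or ThreatQuotient’s product code, and the feed names, source and type weights, the 90-day freshness window, the 50-point noise threshold, the priority adversary and the sample indicators and SIEM hit counts are all constructed for the example.

```python
"""Added example: a minimal LEAD-style threat-intel scoring loop.
Feeds, weights, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2020, 3, 6)  # fixed reference date so scores are deterministic

# Constructed analyst-tuned weights. Source weight is feed reliability (0..1);
# type weight reflects how often each indicator type tends to false-positive.
SOURCE_WEIGHT = {"commercial-feed": 0.8, "isac-feed": 0.9, "osint-feed": 0.4}
TYPE_WEIGHT = {"hash": 1.0, "domain": 0.8, "ip": 0.6}
PRIORITY_ADVERSARIES = {"ActorA"}  # constructed: actors analysts say target our sector
FRESHNESS_DAYS = 90                 # external sightings older than this score zero
NOISE_THRESHOLD = 50                # below this an indicator is peripheral, not actioned


@dataclass
class Indicator:
    value: str
    ioc_type: str           # "ip", "domain" or "hash"
    sources: set            # external feeds that reported it
    last_seen: date         # most recent external sighting
    adversary: str = ""     # attributed actor, if any
    internal_hits: int = 0  # matches against our own SIEM/log data (enrichment)
    score: float = 0.0


def enrich(indicators, internal_sightings):
    """Relevant: intersect external data with our environment by attaching
    the number of internal SIEM matches for each indicator value."""
    for ind in indicators:
        ind.internal_hits = internal_sightings.get(ind.value, 0)
    return indicators


def score_indicator(ind, source_weight=SOURCE_WEIGHT, today=TODAY):
    """Efficient: a 0..100 risk score from source reliability, corroboration,
    indicator type, freshness, adversary relevance and internal sightings."""
    reliability = max((source_weight.get(s, 0.2) for s in ind.sources), default=0.0)
    corroboration = min(len(ind.sources) - 1, 2) * 0.05   # bonus when 2+ feeds agree
    age_days = (today - ind.last_seen).days
    freshness = max(0.0, 1 - age_days / FRESHNESS_DAYS)   # linear decay to zero
    score = 100 * (reliability + corroboration) * TYPE_WEIGHT.get(ind.ioc_type, 0.5) * freshness
    if ind.adversary in PRIORITY_ADVERSARIES:
        score *= 1.25
    if ind.internal_hits:
        # Anything already observed in our own environment is actionable
        # regardless of how weak the reporting feed is.
        score = max(score, 60) + min(ind.internal_hits, 10) * 2
    return round(min(score, 100.0), 1)


def prioritize(indicators, source_weight=SOURCE_WEIGHT, threshold=NOISE_THRESHOLD):
    """Score every indicator, drop the noise, return the rest highest-risk first."""
    for ind in indicators:
        ind.score = score_indicator(ind, source_weight)
    return sorted((i for i in indicators if i.score >= threshold), key=lambda i: -i.score)


def apply_analyst_feedback(source_weight, source, false_positive):
    """Analyst-driven: a confirmed false positive lowers the reporting feed's
    weight, a confirmed true positive raises it; priorities are then recomputed."""
    w = source_weight.get(source, 0.5)
    w = w - 0.1 if false_positive else w + 0.05
    return {**source_weight, source: round(min(1.0, max(0.0, w)), 2)}


def export_blocklist(prioritized, ioc_type):
    """Deliverable: indicator values of one type, in the form a firewall,
    IPS or EDR policy update would consume."""
    return [i.value for i in prioritized if i.ioc_type == ioc_type]


# Constructed sample feed and SIEM sightings (RFC 5737 addresses, placeholder hash).
SAMPLE_HASH = "deadbeef" * 8
FEED = [
    Indicator("203.0.113.7", "ip", {"commercial-feed", "isac-feed"}, date(2020, 3, 5), "ActorA"),
    Indicator("198.51.100.22", "ip", {"osint-feed"}, date(2019, 11, 1)),   # stale: >90 days old
    Indicator("malicious.example", "domain", {"osint-feed"}, date(2020, 3, 1)),
    Indicator(SAMPLE_HASH, "hash", {"commercial-feed"}, date(2020, 3, 4)),
]
INTERNAL_SIGHTINGS = {"malicious.example": 3}  # constructed: 3 proxy-log hits in our SIEM

if __name__ == "__main__":
    ranked = prioritize(enrich(FEED, INTERNAL_SIGHTINGS))
    for i in ranked:
        print(f"{i.score:5.1f}  {i.ioc_type:6}  {i.value}")
    # An analyst confirms the hash was a false positive; its feed loses weight and
    # the whole list is re-scored, so the hash drops below the corroborated IP.
    weights = apply_analyst_feedback(SOURCE_WEIGHT, "commercial-feed", false_positive=True)
    ranked = prioritize(FEED, weights)
    print("ip blocklist:", export_blocklist(ranked, "ip"))
```

Two behaviours are worth noticing. The stale OSINT address scores zero and never reaches the sensor grid, which is the noise filtering the Efficient step describes. The low-reputation domain, on the other hand, is promoted above the threshold purely because the SIEM has already seen it three times: that is the intersection between the external landscape and your own environment that makes an indicator relevant, and it is the kind of signal no external feed can supply on its own.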

To derive the full value from external and internal threat intelligence, humans need to be involved at the right steps and time to effectively strengthen security posture. The LEAD framework demonstrates the necessary interplay between humans and technology. To learn more about the framework, watch the presentation Filip Stojkovski, Threat Intel Manager at Adobe, delivered at RSAC 2020.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
