Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Threat Intelligence Staffing to Evolve Security Operations

The structure of today’s enterprise organization security operations must evolve to compete with the growing threat landscape and sophistication of adversaries.

The structure of today’s enterprise organization security operations must evolve to compete with the growing threat landscape and sophistication of adversaries.

Most modern enterprises have invested heavily in technology and people focused on reacting to the array of daily attempts by various actors to breach an organization’s perimeter. The vast majority of security operations centers are built around technologies dependent upon known indicators. These technologies focus on consuming and correlating various data sources against these indicators to raise attention to the staff manning these centers. It has become a highly consumer-driven operation in which operators react to the attention of security focused systems with a specific or defined course of action. This environment leads to a mode of operation based on a high degree of reaction leaving proactive actions to the various vendors whose technologies support the enterprise’s security posture.

Staffing Security OperationsEvolution of this current model requires enterprise security operations to become more proactive in ferreting out behavior and risk that is not typically visible to a highly reaction-oriented environment.

One way for organizations to begin this evolution is to start investing in security operations staff focused more on proactively gaining intelligence of threats, behaviors and risk that are not prone to being detected by traditional means, or could be detected ahead of the threat identified by these traditional means. This evolution requires organizations to begin properly staffing threat intelligence analysts. Many forward-leaning organizations, specifically in the financial and government sectors have already begun integrating this function and role into their organizations, but far too many have not evolved.

Incorporating such personnel allows an organization to become much more proactive in assessing its risk. This involves looking beyond the perimeter to changes in Internet infrastructure, performing constant assessment of perimeter security controls as represented outside of the organization and identifying potential risks that third party vendors, suppliers and partners may introduce. This requires not being solely reliant on technology aggregating results but rather actively hunting for threats to an organization’s peers, changes in Internet exposed topology and resources and communications that may be telling of a compromise or loss of data.

These analysts augment the current security operations center by creating intelligence-based findings that expose valuable context to seemingly benign transactions from within their organization as well as outside the perimeter. They become responsible for tracking threats impacting other organizations and peers and proactively provide information back into the security operations center to take countermeasures ahead of the threat, should the threat or actors turn their focus to the organization.

Instead of waiting for a system to raise a red flag for attention, these individuals are actively pursing potential avenues of compromise and making the overall security operations center better prepared. It’s not simply ingesting a threat intelligence feed from a specific vendor, but the concept of taking in and understanding as many sources possible (open and proprietary) to stay ahead of this ever-evolving threat landscape.

Call to Action for Security Operations Teams

• Invest in people, technology, and policy towards more proactive methods of identifying and understanding threat behavior and countering threats

• Build a cyber threat intelligence function into the organizations security operations roles

• Enable analysts to gather intelligence and hunt for clues that exist outside or beyond the enterprise perimeter leading to detecting threats ahead of traditional means

• Consider the entire cyber ecosystem to include threats that may be leveraging third-party networks (vendor, supplier, and partners)

• Establish security countermeasures as an integral part of the organization’s security operations and active defense

Related: What Does Your Cybersecurity “A Team” Look Like?

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.