Operating on All Cylinders: Why Operational Data Is the Foundation of an Effective Threat Intelligence Program

Posted: 23rd November 2015

Data is the foundation of all threat intelligence programs.

Without reliable data, threat analysts are unable to look for and find emerging threats to the business. With the wealth of data available from myriad sources, automated processing of external attack data is critical to the success of a threat intelligence program; manually ingesting and processing data is unwieldy, time-intensive, and far less accurate than automation. Getting the process of automating operational data right, therefore, should be a high priority for every organization.

“A useful threat intelligence program automates the processing of external attack data from all available sources. This ensures that an organization is aware of external attacks and that internal incidents are identified based on derivative internal searching using the external attack data,” clarifies Recorded Future’s Levi Gundert, in his white paper, “Aim Small, Miss Small: Producing a World-Class Threat Intelligence Capability.”

Putting the Pieces in Place

A mature threat intelligence program includes at least one full-time, talented, and experienced data architect, says Gundert.

The data architect designs systems and develops an automated workflow that allows him or her to quickly and easily store, process, and correlate internal and external data, which in turn allows for identification of threats. This individual will also lead efforts to work with external vendors that supply threat data, and build internal tools that automate the extraction of operational data from various and varying data delivery methods.

Gundert illustrates, “One data source may arrive via email and contain a CSV file or PDF file, and another data source may arrive via an API. Regardless of delivery and form type, operational data should be ingested and processed programmatically.”

Automating the collection, sorting, and correlation of operational data is just one aspect of a data architect’s threat intelligence responsibilities. Once the data has been processed, whether it comes from an external vendor or an internal system, the architect must continuously tune the controls that help prevent future incidents, guided by the strategic analysis of that threat data.
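As an added illustration (not code from this post or from Recorded Future), the following Python sketch shows the loop Gundert describes: two constructed feeds, one CSV as it might arrive by email and one JSON as it might come from an API, are normalised into a single schema and then used for the “derivative internal searching” against constructed internal proxy log lines. The field names, the type map, the vendor labels and all sample values are assumptions made for the example.

```python
import csv
import io
import json
import re

# Constructed sample feeds (not real indicators): one arrives as a CSV attachment,
# the other as a JSON API response. Both are normalised into one schema below.
CSV_FEED = """indicator,kind,first_seen
198.51.100.23,ip,2015-11-20
bad-example.test,domain,2015-11-21
"""
API_FEED = json.dumps({"results": [
    {"value": "203.0.113.9", "type": "ipv4"},
    {"value": "Evil-Example.test", "type": "fqdn"},
]})
# Map each vendor's own vocabulary onto the internal schema (assumed: "ip"/"domain").
TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}

def ingest_csv(text, source):
    """Parse a CSV delivery into normalised indicator records."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"indicator": r["indicator"].strip().lower(),
             "type": TYPE_MAP[r["kind"].lower()], "source": source} for r in rows]

def ingest_api(text, source):
    """Parse a JSON API delivery into the same normalised records."""
    body = json.loads(text)
    return [{"indicator": r["value"].strip().lower(),
             "type": TYPE_MAP[r["type"].lower()], "source": source}
            for r in body["results"]]

# Constructed internal proxy log lines to search against the external data.
INTERNAL_LOGS = [
    "2015-11-22T10:01:00Z host=ws17 dst=198.51.100.23 bytes=4021",
    "2015-11-22T10:02:30Z host=ws04 dst=example.org bytes=120",
    "2015-11-22T10:05:11Z host=ws09 dst=evil-example.test bytes=9800",
]

def correlate(records, log_lines):
    """Derivative internal search: report log lines that mention an external indicator."""
    by_value = {r["indicator"]: r for r in records}
    token = re.compile(r"[a-z0-9.\-]+")
    hits = []
    for line in log_lines:
        for tok in token.findall(line.lower()):
            if tok in by_value:
                hits.append((tok, by_value[tok]["source"], line))
    return hits

def run():
    records = ingest_csv(CSV_FEED, "vendor-a-email") + ingest_api(API_FEED, "vendor-b-api")
    return correlate(records, INTERNAL_LOGS)
```

Each hit carries the source feed so an analyst can judge the vendor's reliability, which is the feedback that tuning of controls depends on.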

Building Your Support Structure

Managing operational threat data is a challenging job that requires a high level of skill, patience, and constant refinement. There are many aspects to consider when defining the role of the data architect within a threat intelligence capability. Hear Gundert explain what elements should be included in the operational process – that which feeds the strategic analysis of the data – or download his new white paper to learn how to up your operational data game.

Want to learn more about Recorded Future’s threat intelligence solution?

Contact us today and we’ll show you how our threat intelligence can improve your data collection, sorting, correlation, and contextualization so that you can focus on finding emerging indicators of compromise to your business.