3 Security Roles That Should Evaluate Their Threat Intelligence

October 17, 2018 • Zane Pokorny

Key Takeaways

  • Professionals working in security operations and incident response, vulnerability management, and security leadership can each leverage threat intelligence in unique ways to help with the different problems they face.
  • Identifying who in your organization is using threat intelligence, how they’re using it, and how effectively they’re using it is a critical first step to improving your security posture.
  • Our new Threat Intelligence Grader provides a quick assessment of your current intelligence program’s strengths and weaknesses and gives advice on how to improve.

Who in your organization is consuming threat intelligence? We often say that threat intelligence must be timely and contextual to be useful. Understanding exactly how it is being used in your organization, and who is getting the most out of it, is an essential part of developing effective threat intelligence.

In this post, we take a quick look at three security roles that can benefit the most from threat intelligence: security operations and incident response, vulnerability management, and security leadership. Each role faces different problems, so they don’t necessarily benefit from threat intelligence in the same way, or from intelligence presented in the same format.

Threat Intelligence for Security Operations and Incident Response

Analysts who work in security operations and incident response are concerned with monitoring their organization’s network for threats, detecting suspicious activity, and responding when a threat is confirmed. In practice, that means receiving a lot of alerts and alarms, far too many in most cases, with many of them being false positives or lacking context.

Threat intelligence helps security operations teams identify more threats and prioritize effectively, so that triage takes less time. A few examples of the problems it addresses:

  • Problem: Difficult to identify what’s important; too many false positives.
    Solution with threat intelligence: Enrich alerts with external context for better prioritization.
  • Problem: Raw, standard threat intelligence integrated into solutions produces false positives.
    Solution with threat intelligence: Customize threat intelligence to improve fidelity and efficiency in security operations.
  • Problem: Managing the volume of alerts is time consuming and inefficient.
    Solution with threat intelligence: Quickly triage alerts based on external data and display the results directly in the SIEM.
  • Problem: Relying on internal data limits visibility into real-world threats.
    Solution with threat intelligence: Discover unknown threats inside your organization based on real external data.

To illustrate the usefulness of threat intelligence for security operations and incident response teams in more concrete terms, here are a few specific use cases:

  • Telemetry Correlation: Compare internal logs with external “known bad” data to find previously undetected infections or compromises
  • IOC Enrichment: Add new context to indicators of compromise (IOCs)
  • Live Event Monitoring: Review live or updated dashboards
  • Brand Monitoring: Alert on new, negative context mentions of brands, domains, takedowns, and so on
  • Network Infrastructure Monitoring: Alert on autonomous system numbers (ASNs) and/or IP address blocks
  • Internal Investigation Support: Search within a threat intelligence solution for IOCs or tactics, techniques, and procedures (TTPs) to get improved context, helping to provide recommendations on ways to improve security controls
  • External Technical Hunting: Search and alert on code or methodologies that accomplish different phases of the cyber kill chain
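The first two use cases above, telemetry correlation and IOC enrichment, are concrete enough to show in code. The following is an added example and not Recorded Future’s code or API: it indexes a small indicator feed (exact IP and domain matches plus CIDR ranges), walks a batch of log lines, attaches the feed’s context to every hit, and ranks the hits so that an allowed connection to a known-bad destination outranks one the firewall already blocked. The feed format, the log format, the indicators (all from documentation ranges and the reserved .invalid TLD), the hostnames and the risk scores are constructed for illustration.

```python
"""Correlate internal telemetry against an external IOC feed and enrich the hits.

Added example: not Recorded Future's code or API. The feed format, the log
format and every indicator, host and score below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed, as it might look after normalising a vendor export.
# Risk is 0-100; context and first_seen are the "enrichment" a hit receives.
IOC_FEED = {
    "198.51.100.23": {"type": "ip", "risk": 90, "context": "C2 server (constructed)", "first_seen": "2018-09-30"},
    "203.0.113.0/24": {"type": "cidr", "risk": 40, "context": "Scanning range (constructed)", "first_seen": "2018-08-01"},
    "bad-example.invalid": {"type": "domain", "risk": 75, "context": "Malware distribution (constructed)", "first_seen": "2018-10-02"},
}

# Constructed proxy/firewall log lines: timestamp, source host, destination, action.
SAMPLE_LOGS = """\
2018-10-15T08:01:12Z host=ws-042 dst=198.51.100.23 action=allow
2018-10-15T08:01:15Z host=ws-042 dst=192.0.2.10 action=allow
2018-10-15T08:03:40Z host=srv-db01 dst=203.0.113.77 action=deny
2018-10-15T08:04:02Z host=ws-017 dst=bad-example.invalid action=allow
2018-10-15T08:05:55Z host=ws-042 dst=198.51.100.23 action=allow
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")


@dataclass
class Hit:
    timestamp: str
    host: str
    indicator: str   # value seen in the log
    matched: str     # feed entry it matched (an IP, a domain or a CIDR)
    risk: int
    context: str
    first_seen: str
    allowed: bool

    @property
    def priority(self) -> int:
        # A blocked connection means the control worked; an allowed one may
        # mean a compromise, so it keeps the full feed risk (assumed rule).
        return self.risk if self.allowed else self.risk // 2


def _index_feed(feed: dict):
    """Split the feed into an exact-match dict and a list of CIDR networks."""
    exact, cidrs = {}, []
    for key, meta in feed.items():
        if meta["type"] == "cidr":
            cidrs.append((ipaddress.ip_network(key), key, meta))
        else:
            exact[key.lower()] = (key, meta)
    return exact, cidrs


def lookup(indicator: str, exact: dict, cidrs: list):
    """Return (feed_key, meta) for an indicator, or None if it is not in the feed."""
    found = exact.get(indicator.lower())
    if found:
        return found
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        return None  # a domain that is not in the feed
    for net, key, meta in cidrs:
        if addr in net:
            return key, meta
    return None


def correlate(log_text: str, feed: dict = IOC_FEED) -> list[Hit]:
    """Match every parseable log line against the feed; highest priority first."""
    exact, cidrs = _index_feed(feed)
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        found = lookup(m["dst"], exact, cidrs)
        if found is None:
            continue
        key, meta = found
        hits.append(Hit(m["ts"], m["host"], m["dst"], key, meta["risk"],
                        meta["context"], meta["first_seen"], m["action"] == "allow"))
    hits.sort(key=lambda h: (-h.priority, h.timestamp))
    return hits


def hosts_to_investigate(hits: list[Hit], min_priority: int = 50) -> dict[str, int]:
    """Hosts with at least one hit at or above min_priority, with their hit counts."""
    counts: dict[str, int] = {}
    for h in hits:
        if h.priority >= min_priority:
            counts[h.host] = counts.get(h.host, 0) + 1
    return counts


if __name__ == "__main__":
    for h in correlate(SAMPLE_LOGS):
        print(f"{h.priority:3d} {h.timestamp} {h.host:<9} {h.indicator:<22} {h.context} (first seen {h.first_seen})")
    print("investigate:", hosts_to_investigate(correlate(SAMPLE_LOGS)))
```

On the constructed input the two allowed connections from ws-042 to the C2 address come out on top, the malware-distribution domain next, and the blocked scan from srv-db01 last. The design point is that the feed alone does not set the priority: the same indicator ranks differently depending on what the internal telemetry says happened, which is the context the raw feed lacks.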

Threat Intelligence for Vulnerability Management

Like everyone else in cybersecurity, those responsible for vulnerability management have their work cut out for them: the number of reported vulnerabilities grows rapidly every year, and no team can reasonably be expected to keep up with them all.

The key to managing vulnerabilities effectively is to prioritize them by the actual level of risk they present to your organization. A “patch everything, all the time” approach is not only impossible but unnecessarily conservative, because many vulnerabilities are never exploited by threat actors or do not represent a significant risk to your network. Threat intelligence provides the context needed to decide which vulnerabilities deserve attention first.

  • Problem: Limited contextual information makes prioritizing patching difficult.
    Solution with threat intelligence: Improve prioritization with real-world context on vulnerabilities.
  • Problem: Relying on vulnerability databases results in delayed notifications and increased risk.
    Solution with threat intelligence: Significantly reduce risk by patching vulnerabilities as soon as they are discussed in the wild.
  • Problem: Vague, non-quantified risk scores, often in the form of “stoplight charts” that show green, yellow, and red threat levels.
    Solution with threat intelligence: Custom risk scores that make defined measurements of risk based on factors uniquely relevant to your organization.
  • Problem: Estimates of threat probabilities and costs that are hastily compiled, based on partial information, and riddled with unfounded assumptions.
    Solution with threat intelligence: Risk reporting that is transparent about assumptions, variables, and outcomes, and that shows specific loss probabilities in financial terms.

A few use cases for vulnerability management teams include:

  • Exploit Monitoring: Research threat actor personas to understand “who” and “why”
  • Vulnerability Scoring: Access and alert on real-time vulnerability risk scores
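To make the prioritization argument concrete, here is an added example of a custom risk score of the kind the section describes. It is not Recorded Future’s scoring model: the weights, the asset counts, and the vulnerability records (placeholder identifiers of the form CVE-EXAMPLE-n, not real CVEs) are all constructed. Two of the record fields stand in for what an intelligence feed would supply (whether exploitation has been seen in the wild, whether a public exploit exists); the others stand in for the organization’s own asset inventory. The point the code makes is that the queue ordered by this score is not the queue ordered by CVSS.

```python
"""Risk-based vulnerability prioritization.

Added example, not Recorded Future's scoring model. Weights, asset counts and
the vulnerability records (placeholder IDs, not real CVEs) are constructed.
"""
from __future__ import annotations

# Constructed inventory: one record per vulnerability reported by scanning.
# exploited_in_wild / exploit_public: external context (what a feed supplies).
# assets / internet_facing: internal context (what the asset inventory supplies).
VULNS = [
    {"id": "CVE-EXAMPLE-0001", "cvss": 9.8, "exploited_in_wild": False, "exploit_public": False, "assets": 3,   "internet_facing": False},
    {"id": "CVE-EXAMPLE-0002", "cvss": 7.5, "exploited_in_wild": True,  "exploit_public": True,  "assets": 40,  "internet_facing": True},
    {"id": "CVE-EXAMPLE-0003", "cvss": 5.3, "exploited_in_wild": False, "exploit_public": True,  "assets": 200, "internet_facing": False},
    {"id": "CVE-EXAMPLE-0004", "cvss": 8.1, "exploited_in_wild": False, "exploit_public": False, "assets": 0,   "internet_facing": True},
]

# Illustrative weights; assumptions to be tuned per organization, not vendor values.
LIKELIHOOD = {"in_wild": 1.0, "public_exploit": 0.6, "none": 0.2}
FULL_EXPOSURE_ASSETS = 20  # at or above this many affected assets, reach counts as 1.0


def likelihood(v: dict) -> float:
    """How likely is exploitation, given what is known externally?"""
    if v["exploited_in_wild"]:
        return LIKELIHOOD["in_wild"]
    if v["exploit_public"]:
        return LIKELIHOOD["public_exploit"]
    return LIKELIHOOD["none"]


def exposure(v: dict) -> float:
    """How much of the organization is reachable through this vulnerability?"""
    if v["assets"] <= 0:
        return 0.0  # not deployed anywhere: nothing to patch, whatever the CVSS says
    reach = min(1.0, v["assets"] / FULL_EXPOSURE_ASSETS)
    return reach * (1.0 if v["internet_facing"] else 0.5)


def risk_score(v: dict) -> float:
    """0-100: CVSS severity scaled by exploitation likelihood and exposure."""
    return round(v["cvss"] * 10 * likelihood(v) * exposure(v), 1)


def prioritize(vulns: list[dict]) -> list[tuple[str, float]]:
    """(id, score) pairs, highest risk first."""
    scored = [(v["id"], risk_score(v)) for v in vulns]
    return sorted(scored, key=lambda item: -item[1])


def cvss_only(vulns: list[dict]) -> list[str]:
    """The queue a severity-only process would work through, for comparison."""
    return [v["id"] for v in sorted(vulns, key=lambda v: -v["cvss"])]


def patch_now(vulns: list[dict], threshold: float = 50.0) -> list[str]:
    """IDs whose contextual score crosses the (assumed) emergency-patch threshold."""
    return [vid for vid, score in prioritize(vulns) if score >= threshold]


if __name__ == "__main__":
    print("CVSS order:   ", cvss_only(VULNS))
    print("Context order:", prioritize(VULNS))
    print("Patch now:    ", patch_now(VULNS))
```

With these inputs the CVSS-only queue starts with the 9.8 on three internal hosts, while the contextual queue starts with the 7.5 that is exploited in the wild on forty internet-facing hosts, and the 8.1 that is installed nowhere drops to zero. Whatever weights you choose, keep them visible in the report, which is the transparency about assumptions the table above calls for.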

Threat Intelligence for Security Leaders

Security leaders like CISOs must take a big-picture approach: analyzing risk trends, setting strategic goals based on real threats to the organization, and maximizing the value of risk reduction investments. Doing so effectively takes threat intelligence that provides a broad overview of both internal and external trends, together with the context needed to prioritize risks.

  • Problem: Dependence on internal data restricts the view of the real threat landscape.
    Solution with threat intelligence: Develop a significantly broader view of the real threat landscape external to the organization.
  • Problem: Limited budgets make investment prioritization and timing difficult.
    Solution with threat intelligence: Effectively prioritize security spending for maximum risk reduction.
  • Problem: Difficult to quantify overall risk exposure and the impact of risk reduction measures.
    Solution with threat intelligence: Measure overall relevant risk exposure and produce reports for better communication.
  • Problem: Managing multiple threat intelligence solutions limits value and effectiveness.
    Solution with threat intelligence: A single solution with centralized management, data, and updates delivers maximum value.

One specific use case for CISOs is reporting. CISOs need to describe threats, risk trends, and defense strategies to other business leaders in non-technical terms (cost, return on investment, competitive advantage, and so on) to get the point across. Reports need to be specific without being overly technical and show hard data to justify costs, and threat intelligence provides the context needed to produce them.

How to Grade Your Threat Intelligence

If you’re wondering whether you’re getting the most out of the threat intelligence your organization produces and consumes today, our Threat Intelligence Grader can reveal some answers. It is a quick, straightforward assessment that helps you evaluate the strengths and weaknesses of your current intelligence program and gives advice on how to improve. It asks questions like:

  • What are your organization’s threat intelligence goals?
  • Does your organization create its own internal threat intelligence data?
  • Is threat intelligence reporting delivered to key security policy decision makers in your organization?

To evaluate how well you’re using threat intelligence, try our new Threat Intelligence Grader today.