Why We Wrote ‘The Threat Intelligence Handbook, Second Edition’
November 14, 2019 • Zane Pokorny
Today, cyber threats are coming from everywhere — the open web and dark web, but also partners and other third parties, brand attacks, and internal threats — and digital business risk is at an all-time high. Anyone without a true, comprehensive view of their entire threat landscape is left vulnerable. Recorded Future’s goal is to provide that comprehensive view to help you reduce your risk.
That’s where security intelligence comes in.
The Recorded Future® Platform is the main way we give you access to the intelligence you need, but using it effectively first requires an understanding of how to get the most out of intelligence in general. To help develop that understanding, we wrote a book last year — The Threat Intelligence Handbook. It was a first step toward putting everything we knew at the time about threat intelligence into one place.
But things change quickly in the cybersecurity world, and we knew we could provide an even better foundation. That’s why this year, we updated the handbook with a second edition that expands our definition of a comprehensive security strategy beyond just threat intelligence into what we call security intelligence: an approach that includes brand protection and third-party risk management as two additional, essential pillars of cybersecurity alongside threat intelligence.
Before we get into the details of the new edition, it’s worth briefly discussing the question of how to get the most out of your intelligence. A word that comes up a lot in this context is “actionability,” as in, “Is this threat intelligence actionable?” This is a great example of business jargon that gets thrown around a lot without much care for what it actually means. Actionability can be a vague word, but the underlying concepts are essential.
We have used the word actionable and its derivatives many times throughout our publications — it’s an easy shorthand. But just as we’re moving toward a new paradigm of security through our concept of security intelligence, it’s also important that we provide a clearer, more illuminating explanation of what actionability actually entails.
In short, actionability refers to being able to cause a change that will have an operational outcome which can be measured and communicated. For something to be actionable, it must have certain criteria that can be meaningfully measured in consistent, unambiguous units — and whoever is measuring and reporting on that item must understand their audience well enough to effectively communicate that change. It can be further defined as:
- Taking an action that we expect to cause a change in our systems, processes, or workflows
- Measuring that change in certain, concrete ways (for example, a change in risk levels, an increase in productivity, or a reduction in spending)
- Knowing how to communicate that change in a language that our audience (for example, the rest of our team, our manager, or our organization’s board of directors) can understand through deliverables that contribute to a consistent cycle of action, reflection, and improvement
What often happens instead, in our experience talking about threat intelligence with our partners and clients, is that people will say, “I need intelligence that’s actionable.” What that means to them is completely up to the interpretation and discretion of whoever else is in the room.
For example, deliverables for many organizations are things like daily or monthly reports that might get read by a few SOC analysts or executives — but what happens after that? In a troublingly high number of cases, the answer is that nothing happens after that.
Through no fault of their own, cybersecurity professionals of all kinds have so much work to do, and get so ingrained in their workflows, that oftentimes nobody stops and asks why these reports are getting produced. A big reason why is that they simply lack a framework of action — they don’t even know where to begin. Providing that framework, all in one place, is one of the primary objectives of the Threat Intelligence Handbook.
What You’ll Find in the Second Edition
In this second edition of the book, you’ll find a completely new introductory chapter on threat intelligence that breaks down what threat intelligence is and how every security function benefits from it, as well as two entirely new chapters — one on third-party risk reduction, and one on brand protection. Together, these three principles of the security intelligence philosophy provide the comprehensive view of your internal and external threat landscape, which every organization needs today to reduce cyber risk and stay ahead of threats of all kinds. This information comes alongside an updated introduction and foreword, a new conclusion chapter, and additional images, diagrams, and case studies.
As in the first edition, this book still deftly explains how security intelligence helps teams working in security operations, incident response, vulnerability management, risk analysis, threat analysis, fraud prevention, and security leadership make better, faster decisions and amplify their impact.
Security intelligence is a framework for amplifying the effectiveness of security teams and tools by exposing unknown threats, informing better decisions, and driving a common understanding to ultimately accelerate risk reduction across the organization. We’re thrilled to offer this second edition of the handbook as continued proof that Recorded Future is the number one resource to turn to for all things intelligence.
Get your complimentary copy of “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” today.