Threat Intelligence Fits All: Learning to Build the Right Threat Intelligence Team for Your Enterprise
November 16, 2015 • Greg Barrette
Threat intelligence is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information. To make a threat intelligence program work successfully, an enterprise must determine the right fit – that is, it must create an environment in which the right resources, right team members, and right goals are all in alignment.
The Enterprise Fit
Every organization’s enterprise fit is unique, but one thing is true of all organizations: applying threat intelligence to an existing business requires coalition building. Not all enterprises have a standalone threat intelligence team; many organizations embed this functionality within the incident response program, and some organizations have an even broader composition within the general security or security operations center (SOC) functions.
“Organizationally, (in the enterprise) a threat intelligence capability may be comprised of a subsection within incident response, or it may be its own team. The threat intelligence program should provide deliverables to adjacent security groups and to the business itself, where possible,” writes Gundert in his white paper, “Aim Small, Miss Small: Producing a World-Class Threat Intelligence Capability.”
Trying It on for Size
There is no one-size-fits-all in today’s security landscape, especially as it relates to threat intelligence. Whatever your organization’s current makeup, to develop a successful threat intelligence program, the threat team must work well together and with other business units to understand the core business, existing operational defense workflows and requirements, and strategic assets.
Getting everyone on the same page and working towards a unified goal is not always an easy task, however. Recorded Future’s Levi Gundert recently recorded a webinar explaining how to overcome the political inertia that often accompanies building a threat intelligence team.
Like a Glove
Gundert shares how to avoid conflicts of interest and workload duplication by focusing on intra-organization collaboration. “The interaction and workflow between operational defense teams should be pre-planned, and technical details around data sharing should facilitate easy integration for the teams responsible for making security verdicts,” Gundert writes. He also provides a roadmap for creating a continuous feedback loop between the threat intelligence team and other operational functions that will help your enterprise facilitate data sharing and communication.
To learn how to create the right enterprise fit for your organization, download the white paper and watch the accompanying webinar.