Threat Intelligence

    How Do You Roll Out a Threat Intelligence Program?

    You can do this.

    by Malcolm Harkins

    When you think of implementing a cyber threat intelligence program at your organization, you may believe it will take millions in resources to have the right technology, the right people and the right strategy in place.

    But the truth is, with the right approach, any organization can not only implement a threat intelligence program but succeed at it, and keep itself safer from cyberattacks, even if you don’t have an unlimited budget at your disposal.

    As part of a recent listening session with the Cyber Resilience Think Tank, I talked about the four steps any organization should take if they want to implement a threat intelligence program. Here’s a summary of those four points:

    Conduct an inventory of your IT systems

    We all have a lot of systems in our security environments and they're casting off a lot of data. How do we understand that? How do we prioritize it? You've got to understand your inventory.

    You need to look at all your hardware, software, cloud services and data types to better understand which ones are required to keep the business running—then prioritize.

    Use open source threat intelligence

    When I was chief security and privacy officer at a previous company, we didn't invest millions and millions of dollars on threat intelligence. What we did was gather that information from peers, partner with other organizations and use open source intelligence.

    We used it tactically, but we also used it strategically and proactively because we created a quarterly review of the intelligence that we knew that we weren't harnessing, so that we could take a more proactive approach going forward.

    For any company, a key facet of conducting threat intelligence is using open source intelligence that’s readily available. You want to use intelligence that’s specific to your industry and your technology portfolio.

    When using open source threat intelligence, you should go in with the understanding that what you’re looking at may not be current. But it’s at least a start.

    Start maintaining an incident database

    Knowledge is power, and when it comes to threat intelligence, you can glean a lot of knowledge from what you’ve already experienced. Knowing what you’ve experienced in the past is key, so that you can understand root cause and get in front of it going forward.

    You can do this by recording what you’ve already experienced in an incident database of internal issues, ranging from phishing emails to malware infections. Refer to this constantly as you determine the best course for technology and strategies for your program.

    Know your security stack

    You may have parts of your security stack that already have intelligence feeds that you aren’t using. Turn them on and start utilizing that intelligence. Additionally, you have to know how the parts of your stack integrate together or sometimes overlap so that you can manage the seams between them, because that's where you can also gain insights.

    It’s all about being systematic in the collection of information, the interpretation of it, and then making good decisions tactically and having the right strategic dialogue so that you can take action to be proactive versus constantly reactive.
