Threat Intelligence

    Threat Intelligence for the 99 Percent - Part 8: Final Thoughts & Takeaways

    Here’s what you need to know on your threat intelligence journey.

    by Marc French

    Welcome to the 8th and final edition of our blog series, Threat Intelligence for the 99%. We’ve reached the end of the road for these blogs, but hopefully your road to threat protection, detection and prevention is just beginning.

    As we wrap up the series, we want to provide you with six major takeaways. Keep these lessons in mind as you build your cyber threat intelligence (CTI) program. Remember, you aren’t doing this just to check a box. You’re doing this because you want to provide the best security environment for your organization.

    Here are your six key takeaways:

    Pick your threat intelligence feeds wisely.

    There is a lot to consider when determining the right cyber threat intelligence feeds for your program. Much of this comes down to what you want to get out of your program and what feeds provide the most value.


    You can choose free feeds or paid ones. The free ones might work for you but be prepared for them to be behind the paid ones. Plus, not-for-profit feeds sometimes don’t get updated for months at a time, so they need to be checked consistently.

    Paid feeds can be great, but know what you’re getting for your money, and have a sense of what you really need for your organization.

    You will need new cybersecurity skills.

    Comprehensive CTI work calls for skills that many security professionals may not have in their background. Coding is the big one, because you need it to enrich your data so that it can become actionable intelligence.

    Understanding database concepts is also a key skill needed to use enrichment tools, because you’ll need to design data structures that are meaningful enough to drive action on the threat intelligence you receive.

    Constantly check your work.

    Be prepared to constantly check, question and evaluate your work. A great deal of effort and energy must go into checking the efficacy of the feeds and tools you’re using for gathering intelligence. Otherwise, you run the risk of basing your findings on stale, outdated or just plain wrong information. That’s the last thing you want to do.

    Have a strong, clear information governance process to guide you while you work through your data. This will prepare you for anything that comes at you while doing CTI work.

    Take a preventative and detective approach.

    By integrating your CTI systems and data into your existing system (including but not limited to your firewall, web proxy, file integrity management, etc.) you’re taking a preventative and detective approach to CTI that will help keep your environment safer.

    Similarly, you need to take the time to integrate with your security information and event management system. It is your security system of record; think of it as your “canary” that tells you about the threats you’ve already faced and the ones that may be lurking in your environment right now.

    Report on your success.

    If you don’t provide executive reporting back to your business on how your program is doing, your program won’t last. That’s because the people who make budget decisions will determine your program isn’t worth keeping.

    Choose no more than one to three metrics to provide as part of your executive reporting, and I would submit that the one you most want to focus on is “feed to action time.” This shows how long it takes for an indicator in your feed to turn into actionable intelligence. The shorter the better.
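    As an added example (not code from the original post), here is one way to compute the “feed to action time” metric from constructed indicator records, assuming hypothetical feed names and timestamps; it reports median and worst-case hours per feed, counts indicators that never reached a control, and flags feeds that have gone quiet, which also serves the earlier point about checking stale feeds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional


@dataclass
class IndicatorRecord:
    feed: str
    indicator: str
    seen_in_feed: datetime            # when the indicator first appeared in the feed
    actioned_at: Optional[datetime]   # when it reached a control (proxy block, SIEM rule); None if never


def _ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records: hypothetical feed names, documentation-range IPs and reserved domains.
RECORDS = [
    IndicatorRecord("paid-feed-a", "198.51.100.7", _ts("2024-03-01T08:00"), _ts("2024-03-01T10:15")),
    IndicatorRecord("paid-feed-a", "evil.example", _ts("2024-03-02T09:00"), _ts("2024-03-02T09:45")),
    IndicatorRecord("paid-feed-a", "203.0.113.9", _ts("2024-03-03T12:00"), None),
    IndicatorRecord("community-feed", "bad.example", _ts("2023-11-20T00:00"), _ts("2023-11-27T00:00")),
    IndicatorRecord("community-feed", "192.0.2.44", _ts("2023-11-21T00:00"), _ts("2023-11-30T00:00")),
]


def feed_to_action_report(records, now, stale_after=timedelta(days=30)):
    """Per feed: median and max feed-to-action time in hours, number of indicators
    never actioned, and whether the feed has produced nothing within stale_after."""
    by_feed = {}
    for r in records:
        by_feed.setdefault(r.feed, []).append(r)
    report = {}
    for feed, recs in by_feed.items():
        # Only actioned indicators contribute to the timing metric.
        hours = [(r.actioned_at - r.seen_in_feed).total_seconds() / 3600
                 for r in recs if r.actioned_at is not None]
        last_update = max(r.seen_in_feed for r in recs)
        report[feed] = {
            "median_hours": median(hours) if hours else None,
            "max_hours": max(hours) if hours else None,
            "unactioned": sum(1 for r in recs if r.actioned_at is None),
            "stale": now - last_update > stale_after,
        }
    return report


if __name__ == "__main__":
    for feed, stats in feed_to_action_report(RECORDS, _ts("2024-03-10T00:00")).items():
        print(feed, stats)
```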

    Share what you find.

    The internet is still effectively the Wild West. It’s dangerous and there is still no police function. Whether you want to call it vigilantism or a neighborhood watch, we must protect each other and the only way we’re going to do that is through sharing.

    Sharing can be done through a formal program such as an Information Sharing and Analysis Center or through smaller, regional sharing groups. Either way, you need to get involved, because at some point you may learn more from your peers than you will from your feeds.

    Now, it’s time to start your CTI program. Good luck.

    Here are the links to the other seven posts in this series:

    Part 1: Explaining the Issue

    Part 2: Why is CTI Important?

    Part 3: When is CTI Needed?

    Part 4: What CTI Approach Do You Take?

    Part 5: Building Your Own - CTI Feeds

    Part 6: Building Your Own - CTI Tools

    Part 7: Building Your Own - Stitching It Together

    Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth 935 from March 4-8.
