The most effective tool in your cybersecurity arsenal isn’t artificial intelligence or automated threat detection. It’s not your security operations center or the frameworks your business has adopted. It’s knowledge.
The more you know, the better equipped you are to identify and counter the various tactics and techniques used by threat actors. To that end, it’s imperative that you develop and implement a threat intelligence strategy sooner rather than later. Let’s talk about what’s involved in doing so.
Start with a Plan
First and foremost, you’ll need to identify your overarching purpose. What are you trying to achieve with the implementation of a threat intelligence strategy? More importantly, how will you measure success?
Per Forbes Magazine, common goals include:
- Reducing your attack surface
- Identifying compromised entities before an attacker can exploit them
- Managing data privacy risks
- Managing supply chain cyber risk
- Managing the risk of reputational damage
- Enabling more effective threat hunting
- Implementing a better incident response program
Engage Key Stakeholders
Once you have a clear plan in mind, the next step is to make sure you have the necessary support. Start with organizational leadership, then ensure you have buy-in from staff. After that, look outward to third parties such as business partners, vendors, contractors, and suppliers.
In addition to securing their participation, you’ll also want to assess their security posture and overall cyber maturity.
Figure Out What Data to Collect
Now for the most important step—figuring out where you’ll get your threat intelligence. Ideally, you’ll want your data sources to be as diverse as possible, regardless of your initial goal. Potential feeds include:
- Alerts
- Data from a Security Information and Event Management (SIEM) tool
- Internal data feeds
- Audits and reports
- Internal security tools
- Information collected from partners
- External databases
- Social media monitoring
- Dark web monitoring
You’ll want to ensure that you have a platform capable of orchestrating, digesting, and categorizing all this data. Otherwise, you’ll just end up with a confusing lump of unrelated information. The idea is to ensure everything is in a format that’s readable for human analysts, at which point they can contextualize it.
Determine How You’ll Leverage Your Intelligence
When it comes to visualizing, disseminating, and acting on collected threat intelligence, what will you do? How will your team determine whether or not a particular threat requires mitigation? How will your organization determine whether an alert is a genuine threat or simply noise?
Establish an Evaluation Process
Finally, it’s important to understand that like other cybersecurity initiatives, a threat intelligence program is ongoing. It’s not something you can simply mark as ‘finished’ at any point. With that in mind, you’ll need to figure out how to evaluate and iterate on your program, addressing bottlenecks and identifying potential improvements over time.
This includes how you'll demonstrate the program's return on investment to leadership. Useful metrics include:
- Number of misconfigurations identified
- Value of assets protected/losses prevented
- Threats avoided
- Active threats identified
For more on this, check out last month’s post on Defining Reasonable Cybersecurity!