What are the first things that come to mind when you think about threat intelligence? Is it STIX/TAXII? CybOX? Third-party threat feeds? Indicators of compromise (IoCs)? These threat intelligence solutions all have one thing in common: They are mainly focused on the tactical level. That means they provide information to the tier-one and tier-two analysts within your security operations center (SOC).
Moved to Tiers
An effective threat intelligence capability is pervasive and persuasive up to the highest levels of an organization, including the chief information security officer (CISO), other executives and the board. It should have a firm grasp of information levels and flows and be able to provide actionable intelligence strategically, operationally and tactically.
Strategic
At the strategic level, threat intelligence is the ability to contextualize the perceived threat into what it means for the business. It presents highly relevant information clearly, concisely and without jargon and outlines mitigation strategies to aid in the decision-making process. This capability is absolutely vital. If intelligence is not behind the wheel of your security vehicle, what is?
Operational
Threat intelligence should be an indispensable component of any enterprise network’s day-to-day defense. Your threat intelligence analyst can help you understand how information flows between relevant teams and stakeholders, what actions should be taken and how it all relates to security policies, processes and procedures. Are your teams flooded with irrelevant information, or is there a steady stream of actionable intelligence?
Tactical
So your security strategy is now intelligence-driven, and the flow of information is entrenched in business-as-usual working practices. What now?
You might focus on delivering relevant, reliable intelligence to the lower-tier analysts at the security incident and event monitoring (SIEM) coalface. You can save valuable analyst time by scrutinizing the IoCs and feeds received with an understanding of the attack surface to filter out irrelevant information.
Threat Intelligence: Where to Start?
Need help developing your threat intelligence capability? See how IBM’s Security Intelligence and Operations Consulting (SIOC) services and X-Force Threat Intelligence can help you do things more intelligently.
Intrusion and Security Operations Specialist, IBM