Approaching the development of a Threat Intelligence Program is akin to any other mission-critical function. It is best managed as an important component of organizational intelligence supporting a business strategy, rather than a “check-box” item. Treated as a check-box item, this function becomes a dizzying array of dusty relics offering little value while it consumes time and resources.
The strategic objective of a well-crafted Threat Intelligence Program seems clear: To inform the organization about threats and vulnerabilities that pose risks to the organization’s mission. Threat intelligence is gleaned from peer, industry, media, and general business sources and contains actionable information, or at least information of some decision-making value.
Success comes through centralized management of Threat Intelligence Feeds, and distributed performance of the activities associated with those feeds. Those activities may include system patching, configuration changes, or worst case scenario, replacement of entire systems. Informative value might include anything that helps decision-makers during strategic planning, market analysis, system selection, budgeting, and controls design, to name a few.
The first step is to create a clear policy describing how the organization manages its program from end to end. The front-end of the program consists of selecting feeds from industry, government, media, and private vendor sources. Some sources are curated based on the systems in use and the industry of which the organization is a part. Others, like US-CERT, have value to organizations in any industry.
The back-end is how the information is actively used to make the organization smarter and more responsive. To parse and manage all the information, assigning a Threat Intelligence Librarian role is key. The Threat Intelligence Librarian will manage feeds, review the information presented, and distribute that information to appropriate resources.
Tracking activities associated with Threat Intelligence Feeds is also critical to understanding which feeds are useful. The librarian manages the data-store of threat intelligence the organization has used, so there is some historical foundation that can be used to derive metrics. This makes it possible to determine the value of feed sources over time. Feeds that neither result in action nor relay good information should be discontinued.
In addition to US-CERT and applicable vendor Threat Intelligence Feeds, Information Sharing and Analysis Centers (ISACs) are a key source, and many industries have one. ISACs are peer threat intelligence / information sharing communities that are centrally managed. Their feeds present pertinent information to the industries they represent; however, they also produce mountains of not-so-pertinent information. Again, the librarian’s role is key to culling what is not useful and distributing what is actionable or valuable.
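The two preceding paragraphs describe the librarian's data-store of triaged feed items and the metrics that decide which feeds to keep. The following is an added example, not code from the original post or from any vendor: a minimal record of how each intelligence item was dispositioned, per feed, with functions that compute a per-feed "value rate" (actioned or informative items over all items) for any time window and flag feeds with enough history whose rate falls below a threshold. The feed names, dispositions, dates and thresholds are constructed assumptions.

```python
"""Feed-value metrics for a Threat Intelligence Program (added example).

The records below are constructed sample data, not real intelligence;
feed names, disposition labels and review thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntelItem:
    feed: str          # name of the source feed (assumed label)
    received: date     # date the item arrived from the feed
    disposition: str   # how the librarian triaged it: see DISPOSITIONS
    action: str = ""   # e.g. "patch", "config-change", "replace-system"


# "actioned": led to patching, config change, or system replacement
# "informative": no action, but fed planning, budgeting, or controls design
# "discarded": not pertinent to the organization
DISPOSITIONS = {"actioned", "informative", "discarded"}


def feed_metrics(items, since=None):
    """Per-feed counts and value rate for items received on/after `since`.

    `since` may be a date or an ISO date string; None means all history.
    value_rate = (actioned + informative) / items, rounded to 3 places.
    """
    if isinstance(since, str):
        since = date.fromisoformat(since)
    counts = defaultdict(lambda: {"items": 0, "actioned": 0,
                                  "informative": 0, "discarded": 0})
    for it in items:
        if it.disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {it.disposition!r} ({it.feed})")
        if since is not None and it.received < since:
            continue
        c = counts[it.feed]
        c["items"] += 1
        c[it.disposition] += 1
    for c in counts.values():
        c["value_rate"] = round((c["actioned"] + c["informative"]) / c["items"], 3)
    return dict(counts)


def feeds_to_review(metrics, min_items=5, min_value_rate=0.25):
    """Feeds with at least `min_items` of history whose value rate is below
    `min_value_rate`; feeds with too little history are not judged yet."""
    return sorted(f for f, c in metrics.items()
                  if c["items"] >= min_items and c["value_rate"] < min_value_rate)


def _build_sample():
    """Constructed sample records covering one year of four assumed feeds."""
    rows = [
        ("US-CERT", "2024-01-10", "actioned", "patch"),
        ("US-CERT", "2024-02-14", "informative", ""),
        ("US-CERT", "2024-03-20", "actioned", "patch"),
        ("US-CERT", "2024-07-05", "discarded", ""),
        ("US-CERT", "2024-08-12", "actioned", "config-change"),
        ("US-CERT", "2024-09-01", "informative", ""),
        ("Sector ISAC", "2024-01-03", "actioned", "patch"),
        ("Sector ISAC", "2024-02-03", "informative", ""),
    ]
    # An ISAC feed that is mostly noise for this organization: 7 discards
    rows += [("Sector ISAC", f"2024-{m:02d}-15", "discarded", "") for m in range(3, 10)]
    # A vendor feed with too little history to judge yet
    rows += [("Vendor A", f"2024-{m:02d}-01", "discarded", "") for m in (4, 5, 6)]
    # A media feed with one useful item out of five
    rows += [("Media", "2024-05-20", "informative", "")]
    rows += [("Media", f"2024-{m:02d}-10", "discarded", "") for m in (6, 7, 8, 9)]
    return [IntelItem(f, date.fromisoformat(r), disp, act) for f, r, disp, act in rows]


SAMPLE_ITEMS = _build_sample()

if __name__ == "__main__":
    all_time = feed_metrics(SAMPLE_ITEMS)
    for feed, c in sorted(all_time.items()):
        print(f"{feed:12s} items={c['items']:2d} actioned={c['actioned']} "
              f"informative={c['informative']} value_rate={c['value_rate']}")
    print("review for discontinuation:", feeds_to_review(all_time))
    print("H2 only:", feed_metrics(SAMPLE_ITEMS, since="2024-07-01"))
```

Running it over the sample flags "Media" and "Sector ISAC" for review while leaving "Vendor A" alone despite its zero rate, because three items is not enough history to judge a feed; the `since` window lets the librarian re-run the same metric each quarter so a feed that has gone stale shows up even if its lifetime numbers still look good.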
In my work, I often see this function serving limited value if it is treated as an Information Technology-centered tactical item with no global benefit to the organization. If treated as such, it quickly loses steam and becomes a tedious chore overwhelming any resources assigned to manage it. Careful planning, alignment with the organization’s strategic objectives, and well-managed execution of this critical function will make any organization better able to predict and avoid danger, respond to emerging threats, and thereby, improve overall resilience.
Build a Foundation for Cyber Resilience. An Information Security Policy provides the foundation for a successful Program to protect your information, prepare for and adapt to changing threat conditions, and withstand and recover rapidly from disruptions. Tyler can help with the development of your policy, or even assess your current one. Our methodology is collaborative in nature, and we work with your management and staff to incorporate existing documents and practices, as well as develop new Policies, Standards, and Agreements where necessary.