5 Steps to Actionable Threat Intelligence
With everything that can be said about threat intelligence, it’s interesting to see how some organizations continue to struggle with threat intelligence programs. Recent survey participants report issues with this technology and with integrating volumes of threat information into cohesive, actionable insight. The point to be made here is that threat intelligence has significant security value, but only if the operational program itself can ingest information and tie critical issues to actions.
Many organizations have some form of threat intelligence or another. Whether it’s a subscription to threat information or a full-blown integration with third-party threat intelligence services, there are many variants out there, just as there are many levels of success to consider. Every organization, however, can benefit from the personal and institutional integration of foundational steps that focus on using this information and protecting the organization from specific threats.
1. What needs to be protected?
It’s simple: the end matters, and so do the means. Every organization has an identifiable body of assets that need protection, as well as a matrix of risk that stems from those assets. This is where threat intelligence begins and where the foundation of data collection is defined, which in turn leads to the data analysis that makes this information relevant. The resulting information is then distributed to the right recipients: the role holders and critical security personnel.
Data, logs, and reporting tools can all be integrated from various sources: the data center, the cloud, vendors, third parties, and anything in between. Performing or repeating this step can uncover new horizons and insights for threat intelligence.
2. Do you really have a program?
Many organizations start out with data-feed-based threat intelligence. It’s everywhere and fairly easy to implement as a source for tactical security activity. However, this sort of threat intelligence integration won’t deliver the tremendous advantage and promise of threat intelligence as a difference-maker. Whatever the quality of the security feed, these feeds are, as a rule, slow, non-specific, and lacking context. One of the biggest issues in the industry is the overwhelming task of making sense of vast amounts of data, some of it faulty, and weeding out false-positive threat information. This is where contextualized information becomes critical, and why a tool like Threat Intelligence Platform is so powerful. The product incorporates knowledge from vast troves of information from a variety of sources, making this information actionable.
3. Location, Location, Location
Take the task of looking at data. Map out how and where it’s collected, where it’s stored, and how people access it. One of the problems organizations endure is having too many points of data with too many points of access. Data is most powerful when it can be correlated, integrated, and referenced in one location (or as few as possible). So whether this means creating a common dashboard, consolidating a number of data sets, or getting the business to accept security changes that make centralization possible, look at location as a potential improvement for actionable intelligence.
4. Get the data to the people who need it
Referring back to step 3, centralizing information matters just as much at the point of analysis: you must also get threat information into the hands of the people who need it. The bigger the organization, the wider the task. Information that is specific to business units, data centers, and locations around the organization is critical to creating a complete, cohesive delivery of security information. Open source is a great tool, but technology providers can offer excellent availability throughout enterprise systems. Make sure everyone who needs the data can get access to it.
5. Gap-Based Intelligence
Daily updates on threats are available everywhere. Alongside these sources, many additional sources address the gaps that exist throughout the environment. Every piece of hardware, every piece of middleware, every operating system and application inevitably falls out of a valid, supported state. Updates to these systems roll out frequently, and awareness of the status of relevant systems and technology platforms is critical to a healthy environment. Gap-based intelligence is every bit as important as specific threat information, and it can easily be integrated with, or run alongside, threat intelligence.
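The following is an added example, not code from the original article or from the Threat Intelligence Platform product, showing how steps 1, 2, 3 and 5 fit together in practice: a constructed asset inventory with criticality ratings (step 1), a raw mixed-confidence feed that is filtered and contextualized against that inventory and against a constructed connection log (steps 2 and 3), a patch baseline that surfaces gap-based findings (step 5), and a routing helper that groups the results by business unit for distribution. All assets, versions, indicators, log entries and the `criticality × confidence` priority rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str
    criticality: int      # 1 (low) .. 5 (crown jewel); constructed rating
    software: dict        # product -> installed version string


@dataclass(frozen=True)
class FeedEntry:
    indicator: str                       # IP, domain, or product name
    kind: str                            # "ip", "domain" or "product"
    confidence: int                      # 0..100 as published by the feed
    fixed_version: Optional[str] = None  # for kind == "product": first safe version


# Step 1: constructed asset inventory (what needs to be protected)
ASSETS = [
    Asset("payments-db", "finance", 5, {"postgresql": "14.2"}),
    Asset("kiosk-web", "retail", 2, {"nginx": "1.18.0"}),
    Asset("hr-portal", "hr", 3, {"nginx": "1.24.0", "postgresql": "15.1"}),
]

# Step 5: constructed patch baseline, the version each product should be at
BASELINE = {"postgresql": "14.5", "nginx": "1.20.0"}

# Step 2: constructed raw feed, deliberately mixing noise with useful entries
FEED = [
    FeedEntry("203.0.113.10", "ip", 90),
    FeedEntry("198.51.100.7", "ip", 20),   # low confidence, treated as noise
    FeedEntry("postgresql", "product", 80, fixed_version="14.4"),
    FeedEntry("nginx", "product", 75, fixed_version="1.19.5"),
    FeedEntry("evil.example", "domain", 85),
]

# Step 3: constructed, centralized outbound-connection log: asset -> destinations seen
CONNECTIONS = {
    "payments-db": ["10.0.0.5"],
    "kiosk-web": ["203.0.113.10", "10.0.0.5"],
    "hr-portal": ["evil.example"],
}


def parse_version(version: str) -> tuple:
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def contextualize(assets, feed, connections, baseline, min_confidence=60):
    """Return findings that tie feed entries and patch gaps to specific assets,
    sorted by priority (asset criticality x indicator confidence, descending)."""
    findings = []
    usable = [e for e in feed if e.confidence >= min_confidence]  # weed out noise
    for asset in assets:
        for entry in usable:
            if entry.kind == "product":
                installed = asset.software.get(entry.indicator)
                if installed and parse_version(installed) < parse_version(entry.fixed_version):
                    findings.append({
                        "asset": asset.name, "business_unit": asset.business_unit,
                        "reason": f"{entry.indicator} {installed} below fixed {entry.fixed_version}",
                        "priority": asset.criticality * entry.confidence,
                    })
            elif entry.indicator in connections.get(asset.name, []):
                findings.append({
                    "asset": asset.name, "business_unit": asset.business_unit,
                    "reason": f"connection to listed {entry.kind} {entry.indicator}",
                    "priority": asset.criticality * entry.confidence,
                })
        # Gap-based intelligence: flag software behind the baseline even with no feed hit.
        for product, installed in asset.software.items():
            current = baseline.get(product)
            if current and parse_version(installed) < parse_version(current):
                findings.append({
                    "asset": asset.name, "business_unit": asset.business_unit,
                    "reason": f"{product} {installed} behind baseline {current}",
                    "priority": asset.criticality * 50,  # assumed weight for a patch gap
                })
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


def route(findings):
    """Group findings by business unit so each unit receives only its own items."""
    by_unit = {}
    for finding in findings:
        by_unit.setdefault(finding["business_unit"], []).append(finding)
    return by_unit


if __name__ == "__main__":
    for unit, items in route(contextualize(ASSETS, FEED, CONNECTIONS, BASELINE)).items():
        print(unit)
        for item in items:
            print(f"  [{item['priority']:>3}] {item['asset']}: {item['reason']}")
```

With the constructed inputs, the low-confidence IP never produces a finding, the crown-jewel database with an unpatched PostgreSQL rises to the top, and each business unit receives only the findings for its own assets; swapping in a real inventory export, feed and log source keeps the same shape.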
Remember that a threat intelligence program is multi-faceted: it must make available information reach as far and wide as possible, and it must be accessible to all the right personnel as required. Actionable intelligence is the goal, and the drive towards this goal is critical, especially in terms of the program's ability to research and verify information easily.