Threat intelligence is a key piece of a proactive cybersecurity strategy. The more business leaders know about threats that might adversely affect your organization, the more quickly they can make decisions to mitigate cyber risk, right?
Not always.
Unfortunately, there can be a breakdown between gathering intelligence and an organization acting on that intelligence. This might be due to information silos; it might take too long for threat intelligence to make it to decision makers, delaying key decisions.
Another problem is that leadership cannot see a connection between the threat intelligence and their business.This last issue is common, says Holden Triplett, former director of counterintelligence for the U.S. National Security Council.
“By and large we see a lot of intelligence come in and it’s very interesting, but it’s not much more than a news aggregation,” said Triplett during a webinar with Flare. “It’s given to an executive or to the board, and they may read it and say, ‘Well, this is fascinating, but I don’t know what to do with it. What does this mean for me in terms of taking action?’”
How can organizations operationalize their intelligence operations so that leadership can receive data in a timely manner, understand it and act on it? This article explores security intelligence, and delves into ways to make that data understandable, and most importantly, actionable.
What is Security Intelligence?
Security intelligence brings together threat intelligence and business so that the organization can respond swiftly and appropriately to relevant risks.
Security intelligence refers to the practice of gathering, analyzing and using data about threats to improve an organization’s cybersecurity controls. That information can be gathered from a range of sources, including, networks, applications, software, open source intelligence (OSINT), and personnel.
While the terms “security intelligence” and ”threat intelligence” may be used interchangeably, security intelligence usually refers to a larger process or strategy, while threat intelligence refers to the data being gathered and used as part of that strategy.
Types of threat intelligence
There are four types of threat intelligence. All are important to a security intelligence strategy:
- Strategic: Strategic threat intelligence offers data about the “why” of possible attacks. This information summarizes potential threats, trends, and their business impact so that nontechnical decision makers can understand them.
- Tactical: Tactical intelligence provides information about the tactics, techniques and procedures (TTPs) being used by threat actors. This type of data gets into the “how” of attacks and data breaches.
- Technical: Technical threat intelligence can be seen as the “when.” This type of data indicates to defenders that an attack is underway and helps them block the attack.
- Operational: Operational threat intelligence is used to anticipate future attacks. This information could be considered the “who” because it’s so specific to the organization.
Key Areas of Security Intelligence
To operationalize technical security, it’s important to ensure your threat intelligence follows a few key principles:
Real-time monitoring
Scrolling through log data is a thing of the past. In order for intelligence to be actionable and relevant, it must be as timely as possible. This means using intelligence to tools to scan for and analyze threats.
Standardization and analysis is key
As Triplett pointed out during the webinar, simply aggregating threat data is not enough for business leaders who need to make a decision now. It’s critical to analyze the information so that only the most relevant data is put forward. While this can be done manually, a platform can and should be used to sift through the data to find patterns most relevant to your organization.
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
The information must be useful
The goal of collecting security intelligence is to provide information your organization can use to make informed decisions. Security intelligence should be relevant to the organization’s cyber vulnerabilities. If security data isn’t actionable, there’s no point in serving it to executives or board members — it will only muddy the waters.
Advantages of Security Intelligence
Despite its challenges, security intelligence can make a huge difference to your organization’s cybersecurity posture. You can’t prepare for threats you don’t know about. Effective threat intelligence can help your organization strengthen cyber defenses, hunt for threats, remediate vulnerabilities, improve compliance, and streamline your cybersecurity processes.
None of these benefits, however, can be realized if the security intelligence isn’t being used by leadership to make fast and effective decisions.
Fortunately, there are a few key steps you can take to improve your security intelligence strategy and make your security intelligence actionable.
Tear down information silos
Information silos are never good news in a business. They are responsible for breakdowns in communication, a lack of agility, and sometimes, lost knowledge. All of those problems become worse when threat intelligence is involved, because unless threat intelligence gets to business leaders quickly, they can’t act in time.
Because threat intelligence and business leaderships often live in different silos, it’s difficult for relevant information to get to decision makers quickly. Evaluate your organization; are there departments operating in isolation? If so, it’s time to tear down the walls between them. An interconnected framework in your organization promotes a bias towards action in responding to threats.
Make data easy to understand
While it is tempting to present every detail of a threat to company leaders, or to get into the technical details, this is something you should avoid. This information can be too noisy for executives and board leaders, so the information should be “translated” to focus on what the threat means for business decisions.
Understandable intel is important; even the most relevant threat intelligence may go unused if it’s too vague or overly technical. Be mindful of your audience.
Connect intelligence to business goals
If an executive doesn’t know what to do with the threat intelligence you’re giving them, it may help to present the information in a way that correlates it with a business goal or problem.
Triplett suggests that analysts start with a potential action, such as improving compliance with specific regulations, and then work backwards to collect information that addresses that question. Successful threat intelligence programs, says Triplett, clearly scope intelligence collection and analysis requirements, then share the intelligence in a way that enables relevant stakeholders to take action
Use automated tools to scan for threats
Automated threat intelligence collection allows organizations to save time gathering, correlating and analyzing your intelligence. This frees up time for human team members to focus on higher order tasks, like leveraging the data to find gaps, or presenting that information to leadership.
Automated tools can help make the data understandable to business-side colleagues as well, by using natural language processing, which enables you to translate threat intelligence into conversational English.
How Flare Contributes to Security Intelligence
Flare’s platform allows you to automate security intelligence processes, like collection, correlation, and analysis. Our solution monitors malicious activity across the clear and dark web, as well as across illicit Telegram channels.
Flare’s platform offers easy-to-use integrations so that your team can build threat intelligence monitoring into their workflows and across their communication tools, getting intelligence to decision-makers quickly. With our AI technology, we prioritize threats to reduce noise so your security team can leverage threat intelligence effectively.
Try a free trial now.
