In the era of data-driven decision making, the value of threat intelligence and interest in establishing or expanding threat intelligence programs are growing rapidly. However, the growing availability of and access to data are outpacing the ability of these threat intelligence programs to leverage and operationalize it.
According to a recent Gartner report, “the value of (threat intelligence) services is sometimes constrained by the customer’s ability to afford, absorb, contextualize, and, especially, use the information provided by the services.” 1
In the meantime, the expected outcomes derived from intelligence in the private sector have started to skyrocket beyond traditional cyber security use cases.
End users span the breadth of the enterprise, from the CISO and CIO to Risk, Legal, Fraud and Loss Prevention, Product, HR, Public and Investor Relations, Corporate Development, and more.
Some applications we have seen are:
With so many potential stakeholders across an enterprise, threat intelligence teams must operate with agility and efficiency. It is critical that they deeply understand the collection, context and analysis processes so they can curate customized intelligence that generates specific, actionable insights for a broad set of consumers.
This effort requires significant focus: threat intelligence teams need to manage information overload and onboard only those information and data feeds they can and will actually use.
Once a threat intelligence program has identified the problems it seeks to address and the categories of questions it needs to answer, it can then tailor efforts to collect, enrich, and analyze the right datasets to enable action against its diverse problem set.
Organizations looking to build an in-house program also need a system and tools that create efficiencies through automation and present data to analysts in an intuitive way. This facilitates tailored monitoring and analysis, supporting the mission of providing intelligence faster and with more accuracy.
Here are three key pillars we have observed that enable analysis to produce actionable outcomes:
Taking Action
Action is the essence of any intelligence function. While intelligence is not the “action arm” of any organization, its goal is to provide unique and tailored information to stakeholders that allows them to make timely and informed business decisions.
This can be as tactical as working with engineers to make architectural changes to an application or as strategic as identifying a breach prior to an upcoming acquisition.
The entire mission of the intelligence function is to ensure stakeholders are armed with information to make good decisions. For security stakeholders, a primary objective is to ensure security incidents do not develop into existential threats to the business. An intelligence program that operates with an efficient system to collect, enrich and analyze data is a powerful tool to help security leaders achieve that objective.
1. Market Guide for Security Threat Intelligence Products and Services, 20 May 2020