An increasing number of CISOs are realizing the value of threat intelligence in protecting the enterprise and in helping the infosec team that does the day-to-day defending. But if you don’t already have a unit or person assigned to do this, it may be daunting to start.
Adam Meyer, chief security strategist at SurfWatch Labs, has written a useful two-part series for chief security officers who haven’t yet taken the plunge. In the first part he notes that leaders have to decide what the goal of the data collection is, what should be collected and how, what finished, refined intelligence product should be produced, how and to whom it should be delivered, and how it should be consumed.
The CISO also has to decide whether what is wanted is all or a combination of tactical, operational or strategic threat intelligence.
The second part talks about the two parts of a threat intelligence strategy: A collection plan and a management plan.
The collection plan is obvious: It has to define priorities and needs, sources of intel and what decision-makers need. Why a management plan? Because, writes Meyer, intelligence is not a project but a capability that needs to be run like a program. So the management plan looks at who will be the intelligence analyst(s), the tools to be used, how managers make requests to analysts, and whether the deliverables are useful.
If you are thinking about adding threat intelligence to your weapons, these two columns are a good place to start.
You may also find this white paper from the SANS Institute, ‘Who’s using cyberthreat intelligence and how,’ to be useful.