How to turn threat information into threat intelligence

Infosec teams face a deluge of data every day from an array of network and application sensors as well as warnings from vendor and commercial intelligence feeds. What to do with all that threat intel is a question.

The answer, says Adam Meyer, chief security strategist at SurfWatch Labs, is to put it into context so the team can act on it.

In a blog  he warns CISOs that finished intelligence takes a lot of effort — in fact, he calls it a lifecycle process aimed at producing a deliverable that can be used by different groups the organization in numerous ways, depending on the level of threat intelligence.

Is that how your group approaches its job? If not, it’s not serving the enterprise very well. Sure there’s a lot of automation in your process. But, Meyer argues, that isn’t enough: There has to be analysis done by staffers to put the data into a context.

For example, Meyer’s team looks at a threat campaign through what he calls the “Avenue of Approach”, which tries to answer questions such as is there a specific organization or group the actor is going after, what vulnerability is being targeted, who is the payload being delivered, what level of presence (i.e. privileged accounts, database access, etc.) was used to carry out their attack and what is the impact (i.e. stolen IP, service downtime, etc.) caused by the attack.

The goal is to conclude what the threat is, how it works, what it targets, and what the impact is to an organization, Meyer insists. That leads to mitigation steps to help from an incident response perspective or in a risk planning and preparation manner.

“If you can not easily articulate the business benefit from your current CTI (cyber threat intelligence) efforts or have not defined them when looking to stand up a new CTI capability then you might be only collecting threat information and not conducting threat intelligence, ” Meyer warns.

Now is the time for CISOs to think about the threat intelligence their teams generate and the value it creates.

Would you recommend this article?

0
0

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News