Aug 13, 2015

How to incorporate threat intelligence into a security program?

What's the best way to amp up our efforts around threat intelligence? How often, and what steps should we take? We're able to put some resources on this, so details about putting a new plan in place are most welcome. Thanks!
All the hype about behavior analytics technology and the many startups funded in the space in the last year or so is really about threat intelligence. Done well, behavioral analytics aggregates, analyzes and measures anomalous events and connects them together to create a prioritized, far more intelligent view of the true threats facing an organization. It solves the big problem of how to discount the massive volumes of otherwise unimportant threat data. Start by reviewing and comparing these products. See how varied the data sources are that they can consume: endpoint data, IP/data repository logs (e.g. PLM, SCM, SharePoint, etc.). Ask what intelligence they can show into the who, what, where and how of an attack. Can they work on premise or in the cloud? Asking intelligent questions about behavior analytics, how these vendors compare and how they can impact all aspects of security programs is a great starting point.
There was a solid overview of threat intelligence in an article on Computerworld that you might also find interesting.

"The process of threat intelligence involves four stages:

1. Collection of threat information from a variety of sources
2. Reduction and analysis of the data
3. Conclusions about potential threats, based on analysis
4. Action

The deliverable is knowledge of a threat enough in advance to prevent a data breach, or at least to discover it before it becomes invasive. This discovery early in the process is an important point, because, according to the Verizon 2015 Data Breach Investigations Report, only 45% of breaches are discovered within days of the event. As with the Home Depot breach, many organizations do not find out until banks or other third parties file reports. Thus, even if data has already been lost, early discovery can limit the loss, and minimize damage to the corporate image."
There's a great read over at CIO Online on this topic:

Threat intelligence needs to grow up

An excerpt:

Threat Intelligence “To Do” List

Winnowing through the threat data to understand risks to the enterprise can be overwhelming. Here are five tips of where to start.

1. Know your environment in and out. While it sounds cliché, it’s an important first step in designing a threat intelligence pathway.

2. Don’t be distracted by noise. Knowing the difference between valuable threat data and noise will help enterprises understand the behaviors that are going on in their environments.

3. Do a risk assessment. Risk assessments are the first necessary step in crafting a pathway to mitigate risks. No risk assessment lengthens the engagement with a third-party vendor.

4. Share and share alike. Sharing non-compromising information will help security teams learn more about specific threats and allow them to understand the attack life cycle of widespread attacks.

5. Research the services available. There are a lot of highly qualified and sophisticated services that offer automation tools and real-time risk assessment. Many platforms are able to aggregate the massive amount of data and determine which information is actionable.
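The four-stage process quoted from the Computerworld piece (collect, reduce and analyze, conclude, act) and the first two tips from the CIO excerpt (know your environment, don't be distracted by noise) can be shown together as one small pipeline. The Python below is an added worked example, not code from this thread or from either article. The two feeds, the internal network ranges, the partner allowlist and the proxy/firewall log lines are all constructed for illustration, and the scoring rule (highest reported confidence plus 15 points for every additional corroborating source) is an assumption of this example, not something either article prescribes.

```python
"""Four-stage threat-intelligence pipeline over constructed sample data.

Stage 1 collect   -> pull entries from several feeds, tagging the source
Stage 2 reduce    -> refang/normalise, drop noise the environment explains,
                     merge duplicates and score corroboration
Stage 3 conclude  -> match reduced indicators against our own logs
Stage 4 act       -> turn matches into prioritised actions
"""
import ipaddress
import re

# --- Constructed data (hypothetical feeds, network, logs; not real) ---
FEED_A = [  # hypothetical commercial feed, defanged values
    {"indicator": "evil-cdn[.]example", "type": "domain", "confidence": 80},
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 60},
    {"indicator": "10.0.0.5", "type": "ipv4", "confidence": 90},  # noise: our own range
    {"indicator": "Updates.Example-Partner.COM", "type": "domain", "confidence": 50},  # noise: partner
]
FEED_B = [  # hypothetical sharing-group feed
    {"indicator": "evil-cdn.example", "type": "domain", "confidence": 70},
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 75},
    {"indicator": "203.0.113.77", "type": "ipv4", "confidence": 40},
]
# "Know your environment": what is ours, and which external hosts we legitimately use.
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
ALLOWLIST = {"updates.example-partner.com"}
# Constructed proxy/firewall records in a simple key=value layout.
LOG_LINES = [
    "2015-08-13T10:02:11Z src=192.0.2.14 dst=198.51.100.23 dport=443 action=allow",
    "2015-08-13T10:03:40Z src=192.0.2.9 host=evil-cdn.example uri=/payload.bin action=allow",
    "2015-08-13T10:04:02Z src=192.0.2.9 host=updates.example-partner.com uri=/v2 action=allow",
    "2015-08-13T10:05:55Z src=192.0.2.31 dst=203.0.113.77 dport=22 action=deny",
]
BLOCK_THRESHOLD = 70  # assumed cut-off between "block now" and "watch"
LOG_RE = re.compile(r"src=(?P<src>\S+).*?(?:dst=(?P<dst>\S+)|host=(?P<host>\S+))")


def refang(value):
    """Undo common defanging and normalise case so duplicates line up."""
    return value.strip().lower().replace("[.]", ".").replace("(.)", ".")


def collect(*feeds):
    """Stage 1: gather raw entries from every source, remembering where each came from."""
    return [dict(entry, source=name) for name, feed in feeds for entry in feed]


def reduce_indicators(raw, own_networks, allowlist):
    """Stage 2: normalise, discard noise the environment explains, merge and score."""
    merged = {}
    for e in raw:
        value = refang(e["indicator"])
        if e["type"] == "ipv4":
            if any(ipaddress.ip_address(value) in net for net in own_networks):
                continue  # our own address space is not an external threat indicator
        elif value in allowlist:
            continue  # a partner/CDN host we know we talk to
        m = merged.setdefault(value, {"type": e["type"], "sources": set(), "confidence": 0})
        m["sources"].add(e["source"])
        m["confidence"] = max(m["confidence"], e["confidence"])
    for m in merged.values():
        # Assumed rule: independent corroboration raises the score, capped at 100.
        m["score"] = min(100, m["confidence"] + 15 * (len(m["sources"]) - 1))
    return merged


def analyze(log_lines, indicators):
    """Stage 3: match our logs against the reduced indicators; highest score first."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        observed = (m.group("dst") or m.group("host")).lower()
        ioc = indicators.get(observed)
        if ioc:
            hits.append({"src": m.group("src"), "indicator": observed,
                         "score": ioc["score"], "line": line})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def act(hits, threshold=BLOCK_THRESHOLD):
    """Stage 4: high-score matches get blocked and investigated, the rest are watched."""
    return [("block_and_investigate" if h["score"] >= threshold else "watch",
             h["indicator"], h["src"]) for h in hits]


def run_pipeline():
    raw = collect(("feed_a", FEED_A), ("feed_b", FEED_B))
    iocs = reduce_indicators(raw, OWN_NETWORKS, ALLOWLIST)
    hits = analyze(LOG_LINES, iocs)
    return iocs, hits, act(hits)


if __name__ == "__main__":
    iocs, hits, actions = run_pipeline()
    print(f"{len(iocs)} indicators kept out of {len(FEED_A) + len(FEED_B)} raw entries")
    for action in actions:
        print(action)
```

Two of the seven raw entries never reach the matching stage: the 10.0.0.5 entry because it sits inside our own address space, and the partner update host because we know we use it. Without that environment knowledge both would have produced alerts on legitimate traffic, which is exactly the noise the CIO list warns about. The indicators that appear in both feeds come out with the highest scores and so are acted on first.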