An IT Security Manager's Guide to the Threat Intelligence Lifecycle


Tech Insights for Professionals: The latest thought leadership for IT pros

Tuesday, November 29, 2022

Do you know what's required at every stage of the threat intelligence lifecycle to ensure a successful outcome?


The role of security manager has rapidly become one of the most important parts of any IT team. With the cost of data breaches and other security incidents rising all the time, it's vital that these professionals have all the tools and resources they need to fight back against the hackers.

To do this effectively, you need to take a proactive approach. Simply relying on endpoint and perimeter security to block threats as they arrive is not enough in today's fast-moving environment.

It's therefore essential you have a full picture of what the current risk landscape looks like, and this means running a full threat intelligence program. This includes all the activities you undertake to gather information about the latest and most relevant risks and distribute this throughout your team, so that the best decisions can be made about your cyber defenses.

The 6 stages of the threat intelligence lifecycle

While threat intelligence management is a continuous process, it will typically follow a set format, with several essential stages that must be completed in order if you're to effectively identify the latest risks to your business and take the right steps to address them. These steps are as follows:

1. Direction

The first stage involves planning your goals and setting out the direction your efforts will take. This requires you to understand what specific challenges the business faces and what possible attacks will look like.

To do this, there are several key questions that must be answered. These include which malicious actors will be most likely to target the business, what they hope to achieve, and what assets must be prioritized for protection. This should also set out what the aim of the threat intelligence is. For example, is the goal to provide technical advice for cybersecurity analysts or a report for the C-Suite? These should lead to very different outcomes, so must be set out right at the start.

2. Collection

The next stage is the collection of data. This may include the use of a wide range of internal and external sources that can provide details on what threats are out there and what a typical breach may look like. The latest industry news, threat intelligence feeds, internal network monitoring logs, analysis of existing malware and discussions with cybersecurity vendors should all have important roles to play in this.

However, for a more comprehensive understanding of the wider threat landscape, you may need to dig deeper. Consider turning to information-sharing communities, dark web forums and subject matter experts to ensure you're getting the fullest possible picture.

3. Processing

Once the data has been collected, it needs to be sorted, cleansed and transformed into usable formats. This should include familiar data preparation techniques such as deduplication to eliminate redundant information. Tools to identify and remove any false positives or other inaccurate data will also be important.

Automation is likely to be essential if firms are to do this in a timely manner. Even small firms generate far more data than can realistically be processed manually, so for large enterprises, cleansing tools that operate at scale are a must-have.
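As an added illustration of the processing stage described above (not code from the original article), the following Python script takes raw indicator records from several constructed sources, refangs and canonicalises them, drops malformed values, removes a known false positive via an allowlist, and deduplicates the rest while keeping track of which source reported each indicator. The record layout, source names and allowlist are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample input (documentation ranges, not real indicators): raw records
# from a vendor feed, an internal sensor and a mailing list, with mixed case,
# defanging, stray whitespace, a recurring false positive and a malformed address.
RAW_RECORDS = [
    {"source": "vendor_feed", "type": "domain", "value": "Evil-Example.test."},
    {"source": "internal_ids", "type": "domain", "value": "evil-example.test"},
    {"source": "mailing_list", "type": "domain", "value": "evil-example[.]test"},
    {"source": "vendor_feed", "type": "ipv4", "value": "192.0.2.10"},
    {"source": "mailing_list", "type": "ipv4", "value": " 192.0.2.10 "},
    {"source": "vendor_feed", "type": "domain", "value": "cdn.example.test"},
    {"source": "internal_ids", "type": "ipv4", "value": "999.1.1.1"},
]
# Known-good infrastructure that a feed keeps flagging (assumed false positive).
ALLOWLIST = {"cdn.example.test"}


def normalize(kind, value):
    """Refang, trim and canonicalise one indicator; return '' if it is invalid."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(v))  # raises on octets such as 999
        except ValueError:
            return ""
    if kind == "domain":
        v = v.lower().rstrip(".")
        return v if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", v) else ""
    return ""  # unsupported indicator type


def process(records, allowlist):
    """Cleanse and deduplicate records into one entry per (type, value); return (clean, stats)."""
    merged = {}
    stats = {"input": 0, "invalid": 0, "allowlisted": 0, "duplicate": 0}
    for rec in records:
        stats["input"] += 1
        value = normalize(rec["type"], rec["value"])
        if not value:
            stats["invalid"] += 1
            continue
        if value in allowlist:
            stats["allowlisted"] += 1
            continue
        key = (rec["type"], value)
        if key in merged:
            stats["duplicate"] += 1
        merged.setdefault(key, set()).add(rec["source"])  # keep every reporting source
    clean = [{"type": t, "value": v, "sources": sorted(s)} for (t, v), s in sorted(merged.items())]
    return clean, stats
```

The stats dictionary is the kind of figure worth carrying into the feedback stage, since a feed whose records are mostly invalid or allowlisted is a candidate for dropping from the collection plan.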

4. Analysis

The analysis process is where you'll aim to answer the key questions posed during the direction stage. This means turning the raw data into useful intelligence that can be used for decision-making. It should identify any potential security issues and vulnerabilities as well as making recommendations for next steps.

This could involve reinforcing defenses, using techniques such as penetration testing to evaluate a new threat, or identifying where resources should be deployed. However, these decisions can only be made if those viewing the data fully understand what it's saying, which leads into the next step in the process.

5. Dissemination

Once analyzed, you need to get this information to the right people, in the right format. This should be tailored to the audience's priorities and level of technical knowledge and may include PowerPoint presentations, memos, threat lists or live feeds. For reports intended for executive briefings, you should ensure complex technical jargon is stripped out and the conclusions are concise, to the point and focused on the business case for action.

Security teams, on the other hand, will demand detailed, in-depth findings that spell out exactly where issues lie and what the technical reasons behind any vulnerabilities are. This will be essential in ensuring they're adopting the right remedies to address any issues. The ability to take the same data from the analytics stage and package it in the most suitable way for different teams across the business is the key to successful dissemination.

6. Feedback

The final step is to gather feedback from all the teams that have received threat intelligence reports to determine whether the conclusions meet initial expectations and where improvements could be made. This is an opportunity for stakeholders to highlight any parts of the reporting they don't understand or feel are irrelevant, as well as to flag anything that may be missing.

Results of these exercises should be used to inform the next round of threat intelligence, and should feed back into the direction stage for the ongoing lifecycle, thereby ensuring reports are delivering the most accurate findings and doing so in a timely manner.
