When ESG recently asked security professionals to identify the attributes of a mature threat intelligence program, the top response was “information dissemination with reports customized for consumption by specific individuals and groups”. However, many organizations don’t have mature threat intelligence programs and have yet to achieve this. ESG’s Jon Oltsik cites the 80/20 rule, where “80% of organizations have basic threat intelligence programs while only 20% are more advanced.”
Sharing customized threat intelligence with key users is not just a sign that your threat intel program is maturing, it’s a great way to build deeper understanding, demonstrate value, and garner broader support for the program. If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process.
1. Function. The threat intelligence team’s role is to provide products or services to many different internal customers, and each has different threat intel requirements to support their specific use cases. For example:
- The security operations center (SOC) needs indicators of compromise that have been contextualized to show they are relevant and high priority so they can add them to their SIEM watchlist for monitoring.
- Threat hunters need details of campaigns being run and adversaries’ motivations, targets and tactics, techniques and procedures (TTP), so they can look for activity that has bypassed defenses.
- The incident response (IR) team needs threat intel around adversaries, campaigns and the infrastructure used so they can accelerate comprehensive response.
- Vulnerability management teams need threat intel to help them understand their threat landscape and the likelihood of a vulnerability being exploited by adversaries that target the organization so they can prioritize patching.
- Executive leadership at the business unit, C-suite and board levels need metrics that matter to them and that instills confidence that the organization is taking the right steps to maintain a strong security posture and is able to mitigate damage when an attack happens.
2. Form. There is no “one way” to communicate. Different teams speak different languages and will apply threat intelligence in different ways, so it’s important to take the time to learn what type of communication will be most effective. For many technical teams actual feeds and dashboards work well, directly delivering the threat intel they need to do their specific jobs. Meanwhile, for executives and boards, a customized dashboard may work well for some and a PDF may be better for others. Either way, the content itself could be easily digestible and relevant to business leaders. Sticking with the typical metrics generated around number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack, or whether or not they should be concerned about a recent attack that made the headlines.
3. Frequency. Each team also has very different expectations and requirements when it comes to how often they need to receive threat intelligence. In security, the more time that passes, the more damage can be done. Additionally, many security teams are focused on being proactive, so speed is of the essence. But sharing data that hasn’t been vetted and contextualized for relevance to the organization ends up wasting valuable time. Threat intel teams can use automation to augment and enrich data with context, so teams get the right data faster and can easily prioritize it for analysis and action.
Executives and board members have different requirements. Establishing a regular schedule for more formal communications, at a minimum quarterly, is a good start. However, threat intel teams should also be prepared to field ad hoc questions when a new vulnerability or threat is in the news and the CEO asks: “What is it?”, “Does it pertain to us?”, “How are we impacted?” or “What are we doing to defend ourselves?”.
4. Feedback. Finally, it’s important to ask your different customers for feedback to make sure they are getting what they need, how and when they need it. Advancing your threat intelligence program is a two-way street. You need to hear how your service is being used and if it isn’t you need to understand why and adjust accordingly. Tweak the format, further customize the threat intel, change the frequency – do whatever it takes to ensure the program is delivering value and considered a crucial tool for each of your organization’s security teams and leadership.
We’re halfway through 2023 and for many teams this is a good time to step back and measure progress against goals set at the beginning of the year. If one of your goals was to mature your threat intelligence program, conduct an honest assessment of how well you are doing at sharing threat intelligence with your different internal customers. There’s time to make relatively easy but high impact adjustments to showcase the value the threat intelligence program provides and turn it into a go-to resource that will strengthen your case for additional investment when budgeting season rolls around.