How Do You Roll Out a Threat Intelligence Program?
When you think of implementing a cyber threat intelligence program at your organisation, you may believe it will take millions in resources to have the right technology, the right people and the right strategy in place.
But the truth is, with the right approach, any organisation can not only implement a threat intelligence program but succeed at it, and keep itself safer from cyberattacks, even without an unlimited budget at its disposal.
As part of a recent listening session with the Cyber Resilience Think Tank, I talked about the four steps any organisation should take if they want to implement a threat intelligence program. Here’s a summary.
Conduct an inventory of your IT systems
We all have a lot of systems in our security environments and they're casting off a lot of data. How do we understand that? How do we prioritise it? You've got to understand your inventory.
You need to look at all your hardware, software, cloud services and data types to better understand which ones are required to keep the business running—then prioritise.
Use open source threat intelligence
When I was chief security and privacy officer at a previous company, we didn't invest millions and millions of dollars in threat intelligence. What we did was gather that information from peers, partner with other organisations and use open source intelligence.
We used it tactically, but we also used it strategically and proactively because we created a quarterly review of the intelligence that we knew that we weren't harnessing, so that we could take a more proactive approach going forward.
For any company, a key facet of conducting threat intelligence is using open source intelligence that’s readily available. You want to use intelligence that’s specific to your industry and your technology portfolio.
When using open source threat intelligence, you should go in with the understanding that what you’re looking at may not be current. But it’s at least a start.
Start maintaining an incident database
Knowledge is power, and when it comes to threat intelligence, you can glean a lot of knowledge from what you’ve already experienced. Knowing what you’ve experienced in the past is key, so that you can understand the root cause and get in front of it going forward.
You can do this by recording what you’ve already experienced in an incident database of internal issues, ranging from phishing emails to malware infections. Refer to this constantly as you determine the best course for technology and strategies for your program.
Know your security stack
You may have parts of your security stack that already have intelligence feeds that you aren’t using. Turn them on and start utilising that intelligence. Additionally, you have to know how the parts of your stack integrate or sometimes overlap so that you can manage the seams between them, because that's where you can also gain insights.
It’s all about being systematic in the collection of information, the interpretation of it, and then making good decisions tactically and having the right strategic dialogue so that you can take action to be proactive versus constantly reactive.
Do you need to explain threat intelligence to your stakeholders? A good start is our blog series, Threat Intelligence for the 99%.