Last week, the great Mike Rothman (of Securosis fame) and I did a webinar titled “Building a Strategic Threat Intelligence Program.” Mike is a great person to collaborate with; he has great advice, especially when it comes to building security programs. Our conversation was framed around recent Securosis threat intelligence research, and you can get a complimentary copy of it here. One of the terms Mike uses in the research is setting up your threat intelligence program for “sustained success.” I love this term. Many organizations set their programs up for failure, let alone sustained success. It is important to remember that when it comes to long-term success, we are playing chess, not checkers.


Much of our webinar was a back-and-forth discussion between Mike and me (no death by PowerPoint!). I captured some of the highlights here; you need to:

  1. Measure for success. Measuring the usefulness of threat intelligence can be a challenge, but that doesn’t mean you should give up on it. You can factor in your staff’s utilization: are your staff more productive with threat intelligence? You can also look at the impact on adversary dwell time after an investment in threat intelligence. You could also look at the ratio of intrusions that become breaches; is it going down after an investment in threat intelligence?
  2. Properly set expectations. To have a chance at demonstrating the value of a threat intelligence program, you must first properly set expectations. A threat intelligence capability is no panacea and shouldn’t be sold as such. Communicate your plan; give leadership a reason to be confident in your strategy.
  3. Look for quick wins. You should have a strategy to mature your threat intelligence capabilities, but make sure your plans aren’t so grandiose that it will take years to deliver results. The leadership that invests resources in a program has finite patience. Quick threat intelligence wins might include producing a monthly threat assessment or calling out incidents avoided through the use of threat intelligence. When you find success, tell that story to the executives.
  4. Prioritize production over consumption. Many organizations focus almost exclusively on the consumption of external (free and commercial) threat intelligence. You must not forget about producing your own threat intelligence. You don’t have to be a Fortune 100 bank to do this either. Produce dossiers from the actual intrusions occurring within your environment. Collect the indicators as well as the tactics, techniques and procedures (TTPs) being used against your organization. You will be hard pressed to find more relevant threat intelligence.
  5. Think beyond the Indicator of Compromise (IOC). I refer to IOCs as Indicators of Exhaustion (IOE); they overwhelm your staff and security controls. They often lack context and relevance (unless you are producing your own; see above). Work your way up the Pyramid of Pain and start to think about campaigns and how the indicators are related.
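To make points 4 and 5 concrete, here is a small added example (my own illustration, not code from the webinar or the Securosis research) that turns internally produced intrusion records into campaign dossiers: intrusions are tied together by shared TTPs, and every observable is ranked by its Pyramid of Pain level so the durable items come first and the hash/IP “exhaustion” load is measured rather than drowned in. The incident records and indicator values are constructed sample data; the ATT&CK technique ids are real identifiers used only as labels.

```python
from collections import defaultdict

# Pyramid of Pain levels: higher means costlier for the adversary to change,
# so higher-level items carry the more durable, more relevant intelligence.
PYRAMID = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Constructed sample of internally produced intrusion records (not real incidents).
# Each record lists the observables and the ATT&CK technique ids seen in the intrusion.
INCIDENTS = [
    {"id": "INC-1",
     "indicators": [("hash", "sha256:constructed-1"), ("domain", "mail-update.example"),
                    ("tool", "mimikatz")],
     "ttps": {"T1566.001", "T1059.001", "T1003.001"}},
    {"id": "INC-2",
     "indicators": [("hash", "sha256:constructed-2"), ("ip", "203.0.113.7"),
                    ("tool", "mimikatz")],
     "ttps": {"T1566.001", "T1059.001", "T1003.001"}},
    {"id": "INC-3",
     "indicators": [("hash", "sha256:constructed-3"), ("domain", "cdn-static.example")],
     "ttps": {"T1190", "T1505.003"}},
]

def campaign_key(ttps):
    """Campaign fingerprint: the sorted set of techniques. Samples and infrastructure
    change per intrusion, but a crew's tradecraft tends to persist, and that is what
    relates the indicators. (Exact-match grouping keeps this example simple.)"""
    return tuple(sorted(ttps))

def build_dossiers(incidents):
    """Group intrusions into campaigns by shared TTPs and rank every observable by
    Pyramid of Pain level, so the analyst sees TTPs and tools before hashes."""
    campaigns = defaultdict(lambda: {"incidents": [], "indicators": set()})
    for inc in incidents:
        c = campaigns[campaign_key(inc["ttps"])]
        c["incidents"].append(inc["id"])
        c["indicators"].update(inc["indicators"])
        c["indicators"].update(("ttp", t) for t in inc["ttps"])
    dossiers = []
    for ttps, c in campaigns.items():
        ranked = sorted(c["indicators"], key=lambda i: (-PYRAMID[i[0]], i[1]))
        dossiers.append({"ttps": ttps, "incidents": sorted(c["incidents"]), "ranked": ranked})
    # Most active campaigns first.
    return sorted(dossiers, key=lambda d: -len(d["incidents"]))

def exhaustion_ratio(dossier):
    """Share of a dossier's observables sitting at the bottom two levels (hashes, IPs):
    the part that burns analyst time and control capacity without much durable value."""
    low = sum(1 for kind, _ in dossier["ranked"] if PYRAMID[kind] <= 2)
    return low / len(dossier["ranked"])
```

Tracking the exhaustion ratio per campaign over time is one way to show that the program is climbing the pyramid rather than just accumulating hashes.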

Check out the webinar to hear about these in more detail. I’m going to expand upon some of these sections in future blogs. Stay tuned.

On a side note, if you aren’t familiar with Securosis, you are missing out. They have a transparent research policy and provide nearly all of their research for free. This is in stark contrast to the majority of analyst firms out there. In addition to great research, they are irreverently entertaining.