In the first part of this series we talked about the journey to undertake building a security monitoring and incident response program based on five dimensions: analytics, governance, measurement, operational and organizational.
The third main program, also considered a primary capability of an effective Security Operations Center, is the development of tactical, operational and strategic Threat Intelligence acquired from multiple internal and external sources. This capability in an organization is not only consumed by the SecOps team but also by stakeholders at all levels whose goal is to be informed about technical and business risks and furthermore it dictates which detection, prevention, and containment actions should be taken against threats.
Threat Intelligence comes in various "forms and shapes" and it doesn't work in isolation but rather it is deeply integrated and influenced by many security practices and principles within the organization. A context-based and actionable Threat Intel needs to be built combining first and foremost:
- The threat model analysis of the asset (including the business operating model);
- The greater understanding of the objectives, intents, motives and level of capabilities (TTPs) of a threat actor;
While estimating the likelihood of the potential threat that can impact the business operations of the organization and trying to address who, what, when, where, why and how (5W1H).
Improve or even maintain a threat intelligence program requires organization-wide support and coordinated effort; the maturity model below gives a perspective to specifically develop a reference towards a sustainable program.
Level 1 - Initial (Processes unpredictable, reactive)
- Analytics - Collection and analysis of high-volume and variety of machine-readable threat intelligence feeds (mainly unfiltered domains, IPs, hashes and URLs).
- Governance - Threat Intel processes not qualified and partially documented; lack of integration with existing organization's workflows and policies; threat intelligence disconnection with security leadership and executives.
- Measurement - Quantity-centric metrics (e.g. number of IOCs, threat reports); KPIs partially generated only on specific phases of the threat intelligence lifecycle.
- Operational - Lack of capabilities to effectively collect and product intelligence; Threat Intel feeds sporadically disseminated and integrated with the organization's security ecosystems; limited grasp on the threat intelligence lifecycle and requirements.
- Organizational -Threat Intelligence practices and controls marginalized in the organization.
Level 2 - Managed (Processes developed but inconsistent, often reactive)
- Analytics - Context-based threat intelligence data analyzed, cross-correlated and refined for accuracy with the organization's business context and based on predetermined requirements.
- Governance - Set of processes and procedures developed but not constantly updated; still sporadic communications with non-IT departments.
- Measurement - Metrics and KPIs developed and available to drive mainly IT and security operations activities; metrics aligned between security operations effort and expenditure to protect the business.
- Operational - External (Sector/Vertical specific) and internal threat Intel data collected and available in a centralized platform and constantly reviewed, enriched and manually disseminated; continuously enhanced visibility into Threat Actor's TTPs.
- Organizational - Threat Intelligence Analysts identified and specific duties assigned.
Level 3 - Defined (Processes consistent across the organization, and are proactive)
- Analytics - Blended approach to actor-and-incident centric analysis; relevant and timely context-based threat intelligence produced and fused with internal telemetry; capabilities combined with the threat model analysis of the organization's business assets.
- Governance - Fully developed and sustainable corporate sharing policy and threat intelligence procedures across the organization; organizational-wide support on sharing information with internal functions and trustworthy entities.
- Measurement - Tailored Metrics and KPIs aligned to the business objectives, environment risks and developed to measure all phases of the threat intelligence lifecycle; Incidents detected, remediated and attack surface reduced over time; metrics regularly reported to the corporate leadership and management timely informed about business risks.
- Operational - Continuous integration, delivery and deployment (DevOps methodology) of threat intelligence for specific detection, prevention, control and response IT and security solutions (e.g. security monitoring platforms, DNS, Proxy, etc.) within the organization; threat intelligence data shared throughout the organization and with industry peers.
- Organizational - Dedicated Threat Intelligence team assembled; combined Threat Intelligence and Incident Response effort towards the generation of new intelligence.
Level 4 - Quantitatively Managed (Processes measured and controlled)
- Analytics - Unstructured threat Intel data (including national and international micro-macro trends) processed, correlated and timely prioritized with the business context of the organization and in combination with a large historical dataset and patterns from previously conducted incident response activities to produce reliable results.
- Governance - Central orchestration platform implemented to manage workflows and processes; continuous threat intelligence improvement program defined and followed at each level of the organization; management actively engaged in threat intelligence conversations.
- Measurement - Technical metrics are interpreted by both security operation and executives to find actionable advice for investment's prioritization and an understanding of emerging threats that could potentially impact the corporate's mission; metrics and KPIs used to drive corporate IT changes; confidence and validity of new sources is assessed and evaluated.
- Operational - Industry specific threat intelligence shared with peers in an automatic fashion and consumed in (near) real-time with M2M methods; comprehensive picture of the threat landscape.
- Organizational - Dedicated team with in depth skills on offensive security and threat trends; expertise available to identify, organize and analyze global and local cyber threats; close collaboration with "circles of trust" and with other departments.
Level 5 - Optimizing (Focus on process improvement)
- Analytics - HUMINT, OSINT and SIGINT are analyzed, collected and disseminated to specific stakeholders; signature-less detection capabilities are automatically produced and integrated into the security ecosystems; predictive intelligence is generated to continuously maintain an acceptable organization's risk profile.
- Governance - Threat intelligence fully aligned with the corporate business strategy and to support operational and strategic objectives; external threat intelligence reports affecting the organization's risk profile are regulated and encouraged by third-parties; leading role in the threat intelligence sharing community.
- Measurement - Strategical metrics produced and consumed by executives to find actionable advice and tune the greater corporate's mission; real time metrics and KPIs strengthened towards enabling the business.
- Operational - Threat intelligence data disseminated automatically through a centralized system with a clear guidance to resolve the threat in a timely and actionable fashion; continuous improvement through each stage of the lifecycle; predictive capabilities on treat actors and TTPs used.
- Organizational - Dedicated Threat Intel team and cross functional team built (including red team, security operations, security architecture, incident response, legal and marketing); legal team and regulatory concerns continuously addressed; overall program sustained by the leadership.
Finally, whatever point your organization resides on the maturity level, it is a crucial to think strategically and keep up to date with adaptive threat intelligence, security monitoring and incident response strategies to improve the overall organization security posture.
Definitely, threats are expected to grow in size and sophistication and silos between various relevant support business units only restrict the abilities of an organization to address correctly the challenges that the SecOps team face today.
Author: Demetrio Milea
Category: RSA Fundamentals, RSA Point of View, Blog Post
Keywords: Converged Security, CTI, Measure your Readiness, SOC, Threat Intelligence