In the last few years, Cyber Threat Intelligence (CTI) has matured into a standalone program with its own staff, tools and processes. New feeds, internal teams and solutions have rapidly evolved to help compliment this new maturity. Using the SANS 2020 CTI Survey as a framework for a discussion about best practices as the adoption of threat intelligence increases, Mo Cashman from McAfee and Zeina Zakhour from Atos joined ThreatQuotient experts, Jonathan Couch and Ryan Trost, in a recent Cybersocial webcast, “The Evolution of Threat Intelligence.” 

One of the key takeaways from the SANS report that the group discussed is that organizations are defining and documenting intelligence requirements up front to ensure they are focusing on the right intelligence, which now includes not only external threat feeds and vendor-provided threat intelligence but also data from internal tools and teams. In fact, from 2019 to 2020 the percentage of organizations that use documented intelligence requirements to drive threat intelligence programs jumped 13.5% to nearly 44%. 

Advice the group shared for gathering CTI requirements, includes:

• Start by stepping back to understand your goals with threat intelligence and how it will be used.
• Use requirements gathering to gain executive support for the threat intelligence program. If leadership is interested in adversary attribution, then factor that into your requirements. 
• Tie threat intelligence to business strategy. For example, if your company is transitioning their presence from less brick-and-mortar to more online, then that impacts the lens through which you should look at the threat landscape and should be reflected in your requirements.
• Expand the group that contributes to requirements beyond threat intel analysts to include incident responders, threat hunters and security operations center (SOC) teams. Threat intelligence is a common thread that runs through these teams and ties them together, so the objectives and needs of all teams must be included in requirements gathering.
• Consider new types of users of threat intelligence. DevOps and DevSecOps teams are actively using CTI to inform the product development process.

Another interesting finding from the SANS report that the group discussed is around measuring the value of CTI. While 82% of respondents told SANS that their organizations find value in CTI, only 4% had processes in place to measure effectiveness. Eager to try to help organizations demonstrate the value of CTI programs, the group provided insights into where they see organizations gaining the most value and how to approach measurement. 

Areas of focus include: 

• Prevention. What did CTI help you stop? You should be able to measure this relatively easily through management tools provided by your CTI vendor. 
• Mean-time-to-response. This is an important metric for SOC teams to show much CTI contributed to accelerating investigations and finding and validating more incidents. Associating CTI with an incident or process can help you point to value. 
• Other use case success. Think about the other use cases for which you use CTI and how you define success to arrive at additional metrics, for example accelerating alert triage or proactively finding more threats on the network.
• Strategic value. Executive leadership and boards prioritize revenue protection, shareholder value and risk management. Using CTI to help them understand whether or not they should be concerned about an attack in the headlines, or how the work the various security teams are doing is protecting what they care about, are other ways to show and measure value.  

These are just two of the many topics the group discussed. Watch the webinar on demand to get more great tips and insights from these experts.

And if you haven’t read the SANS 2020 CTI Survey, downloaded your complimentary copy now.