Establishing a System to Collect, Enrich, and Analyze Data to Generate Actionable Intelligence
In the era of data-driven decision making, the value of threat intelligence, and interest in establishing or expanding threat intelligence programs, is growing rapidly. However, the growing availability of data is outpacing the ability of these programs to leverage and operationalize it.
According to a recent Gartner report, “the value of (threat intelligence) services is sometimes constrained by the customer’s ability to afford, absorb, contextualize, and, especially, use the information provided by the services.”¹
In the meantime, the outcomes expected from intelligence in the private sector have expanded rapidly beyond traditional cybersecurity use cases.
End users span the breadth of the enterprise, from the CISO and CIO to Risk, Legal, Fraud and Loss Prevention, Product, HR, Public and Investor Relations, Corporate Development, and more.
Some applications we have seen are:
- Identifying threat actors’ malicious infrastructure used for command and control
- Determining an attacker’s additional targets to provide context around an incident
- Providing vulnerability and key-person diligence on third parties
- Identifying if a denial of service attack is targeted or opportunistic
- Enumerating infrastructure and signals from sophisticated threat actor activity
- Identifying third-party contractors selling access to their clients' networks
- Attributing criminals selling merchandise stolen from a retail location
- Identifying assailants targeting a group of company executives traveling abroad
- Monitoring sentiment negatively affecting overseas operations in a hostile region
- Disrupting disinformation campaigns on social media platforms
- Attributing anonymous short-sellers who spread false information to manipulate stock prices
- Disrupting a criminal ring conducting chargeback fraud on a platform
- Disrupting abuse of a legitimate web application as command-and-control infrastructure
- Orchestrating and automating data feeds to improve third-party risk management
- Building a clear picture of owned and managed IPv4 space
- Identifying an insider threat leaking data with no network origination point
With so many potential stakeholders across an enterprise, threat intelligence teams must operate with agility and efficiency. It is critical that they deeply understand the collection, context, and analysis processes so they can curate customized intelligence that yields specific, actionable insights for a broad set of consumers.
This effort requires significant focus – threat intelligence teams need to manage information overload and onboard only those data feeds they can and will actually use.
Once a threat intelligence program has identified the problems they seek to address and the categories of questions they need to answer, they can then tailor efforts to collect, enrich, and analyze the right datasets to enable action against their diverse problem set.
Organizations looking to build an in-house program also need a system and tools that gain efficiency through automation and present data to analysts in an intuitive way. This facilitates tailored monitoring and analysis, supporting the mission of providing intelligence faster and with more accuracy.
Here are three key pillars we have observed that enable analysis to produce actionable outcomes:
Collection
Review and understand the available data sources, then select the streams of data the enterprise actually needs from what is available.
- Leverage commercial subscription sources containing rich network and external telemetry data relevant to your enterprise, with coverage of and insight into the threats that matter
- Develop relationships with data brokers to acquire elusive data breach collections and other discrete data sources
- Automate collection of relevant open source data sets
Retention and Modeling
Collect, transform, and store data in both raw and unified formats.
- Store data on cost-effective, scalable infrastructure
- Maintain a unified model of the disparate data sets so they can be transformed flexibly and correlated efficiently
Visualization and Enrichment
Present data in efficient dashboards and enrich it with technical and analytical expertise.
- Make complex data sources digestible to all analysts in an intuitive manner
- Combine input from technical experts and big-picture analysts to enrich the data
Action is the essence of any intelligence function. While intelligence is not the “action arm” of any organization, its goal is to provide unique and tailored information to stakeholders that allow them to make timely and informed business decisions.
This can be as tactical as working with engineers to make architectural changes to an application or as strategic as identifying a breach prior to an upcoming acquisition.
The entire mission of the intelligence function is to ensure stakeholders are armed with information to make good decisions. For security stakeholders, a primary objective is to ensure security incidents do not develop into existential threats to the business. An intelligence program that operates with an efficient system to collect, enrich and analyze data is a powerful tool to help security leaders achieve that objective.
¹Market Guide for Security Threat Intelligence Products and Services, 20 May 2020