The Cyber5 Podcast

Building an Enterprise Intel Program

Episode 42 | March 31, 2021

In episode 42 of The Cyber5, we are joined by A.J. Nash, Senior Director of Cyber Intelligence Strategy at Anomali. A.J. discusses the steps and key components of building an enterprise intelligence program. Among the topics covered are frameworks, roles and responsibilities, critical skill sets, and metrics.

Here are the 5 Topics We Cover in This Episode:

1) Defining the Requirements with Key Stakeholders: (02:16-04:30)

Defining the intelligence requirements necessary to ensure the success of business stakeholders should always be step one. Sales, marketing, engineering, customer success, information technology, legal, and human resources will have different requirements. The security or intelligence team must prioritize the requirements in the context of what is best for the business and what meets the needs of the stakeholders.

2) Security and Intelligence Should Be Viewed as a Business Enabler: (04:31-06:02)

Regardless of industry or company size, the second key to success is committing that the security and intelligence team will be an enabler of business and not a cost center. Because of the nature of its business, the many regulations it faces, and the assets it holds, the finance industry has led the way in building intelligence programs. Other industries are following its lead as criminals branch out to target a wider range of digital assets and PII.

3) An Inquisitive Mindset is Critical When Building Intelligence Programs: (06:02-09:16)

The ability to view disparate pieces of information with an inquisitive mind and then communicate business risk is a critical skill set. Businesses often look for a combination of public sector and private sector intelligence experience when building an intelligence program. While enterprises often start by hiring a technical leader, a key to success is building a team of individuals with inquisitive minds. For example, former journalists have been known to become fantastic enterprise intelligence experts.

4) Risk Must Be Prioritized: (09:17-17:57)

An intelligence program is no different than any other enterprise program. Profit and risk must always be considered, and intelligence should be driving security requirements to enable the business. An intelligence program should identify adversarial intentions and capabilities, estimate the risk and cost of a successful attack, and consider the costs of controls that need to be implemented to defend against such adversaries. This must be properly communicated to the CEO, who ultimately owns key decisions. Intelligence programs span fraud, information security, physical security, executive protection, trust and safety, third party risk, and mergers and acquisitions.

5) Important Metrics for Intelligence Programs: (17:58-22:57)

Mature programs build and provide key metrics based upon intelligence requirements. Metrics should focus on actions that were taken, intelligence that was analyzed, the subsequent controls that were put in place, and the decisions that were made by key stakeholders. There are currently no well-defined and accepted frameworks for intelligence programs. Most programs combine several existing frameworks, including MITRE ATT&CK, which is specific to information security. Intelligence programs need to proactively alert on threats and risk and quantify the success and failure of actions taken.
