Operationalizing threat intelligence
Snapshot
The accelerating rate of high profile security incidents compelled this leading software company to rethink their approach to consuming and using security intelligence. Its security monitoring solutions were recording tens of thousands of security events every day, but the value and usefulness of this information as an indicator of risk was obscured due to lack of a practical threat intelligence data model or knowledge of its current security capabilities. For instance, the company had almost 90 security tools under consideration for funding, but was unable to determine if any of them would fill an important security gap.
The company developed a holistic vision of a solution that would organize the security intelligence it was generating internally, combine it with public security sources, and effectively apply risk factors to deliver timely, targeted reporting that could be used to prioritize security resources and investment. The organization requested support to test the viability of this approach, and to transform their database prototype into a flexible, across organizational Enterprise data warehouse solution.
Challenge
Kalles Group consultants were engaged to provide strategic support and to operationalize the vision. The vision’s three key phases included:
- Threat intelligence collection/reporting
- Security capability analysis
- Risk prioritization
As part of these phases, Kalles Group consultants
recommended the following:
- Selection and alignment with prevailing industry guidance.
- Standardization of threat collection.
- Organic development of taxonomy and vocabulary.
- Development of a multi-phased technology solution
build out.
Approach
During the initial phase, Kalles Group consultants deconstructed and refined the prototype data model, formalizing and standardizing threat vocabulary and taxonomy against Structured Threat Information eXpression (STIXâ„¢) standard. They defined and implemented a monthly threat collection process, delivered a multi-phase technology roadmap, and defined the first version of the enterprise solution brought to production.
During the second phase they built the organization’s security capability inventory of all tools in use across the organization, integrating it with threat intelligence data, estimating metric coverage against the CIS (formerly SANS) Top 20 Critical Security Controls, and documenting known gaps.
Results
Kalles Group consultants proved the practical viability of the company’s security intelligence vision by reconciling multiple data sources, recognizing critical data relationships, and delivering data algorithms that help expose security risk. The company used this data to generate informative security risk reports.
The monthly threat reporting process surfaces the most relevant public exploits to the company’s highest executive levels. In addition, its taxonomy and vocabulary is being adopted across the organization and its security capability inventory is being used to surface gaps to justify security tools investment. These successes are fueling momentum toward completion of the company’s complete security intelligence vision.
These successes are fueling momentum toward completion of the company’s complete security intelligence vision.