Security Threat Intelligence?


It is well known that security intelligence involves collecting data from various sources, including the dark web. It combines that data with insights from cybersecurity experts, and then distills the insights and data into intelligence. It could be threat feeds or weekly reports about network attacks, or even expert analysis of cyber risks. Security intelligence contributes to a wide range of roles and functions, and it protects organizations and their assets in a wide range of ways. You might not fully comprehend its power to reduce risk.

There are many types of cyber threats. Some of these attackers are, predictably, cybercriminals who attack at the firewall. Others arrive from the open web and the dark web, delivered through your employees and business partners. Some use social media and external websites to damage your brand without ever contacting you. You may also suffer a data breach or reputational damage because of malicious insiders or careless employees. By the time you notice signs of these threats on your network, it is probably too late. It is important to have early warning of threats, coupled with actionable facts, in order to:

  • Prevent your most serious vulnerabilities from being exploited
  • Promptly detect probes and attacks and respond to them effectively
  • Prepare for potential attackers by understanding their tactics, techniques, and procedures (TTPs)
  • Identify and resolve security weaknesses in your business partners, especially those who have access to your network
  • Watch out for leaks of information and impersonation of your brand
  • Invest in security to minimize risks and maximize returns

Data is important but there is more

Although security professionals use “data,” “information” and “intelligence” interchangeably at times, the distinctions are important.

Each type of intelligence program has its own specific set of data, information, and intelligence. For security intelligence:

  • Data are usually just indicators, like IP addresses, URLs, or hashes. Without analysis, data don’t mean much.
  • The information answers questions like, “In how many social media mentions has my organization been mentioned this month?” However, it does not inform a specific action directly.
  • Intelligence is the product of analysis: correlating data and information from different sources reveals patterns and adds insight. As a result, people and systems are able to make informed decisions and take effective action to prevent breaches, address vulnerabilities, improve security posture, and reduce risk.

Every instance of security intelligence needs to be actionable for a specific audience, which is implicit in this definition of “intelligence”. Intelligence must accomplish two things:

  1. Provide direction toward specific actions or decisions
  2. Be customized to fit the needs of the specific person, team, or system that will use it to make a decision or to act

Intelligence does not come from data feeds that are never used or reports that are never read. Even the most accurate or insightful information is useless if it’s delivered to someone who can’t interpret it correctly or isn’t in a position to act upon it.
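To make the data / information / intelligence distinction concrete, here is an added example (not from the original article): constructed feed entries and proxy log lines are walked from bare indicators (data) to a hit count (information) to a prioritised recommendation aimed at a SOC analyst (intelligence). The feed fields, the log format, and the corroboration and confidence thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed threat-feed entries (documentation-range, not real indicators).
# A bare IP or domain is "data": without context it does not say what to do.
FEED = [
    {"source": "feed_a", "indicator": "203.0.113.7", "tag": "c2", "confidence": 80},
    {"source": "feed_b", "indicator": "203.0.113.7", "tag": "c2", "confidence": 70},
    {"source": "feed_a", "indicator": "198.51.100.9", "tag": "scanner", "confidence": 40},
    {"source": "feed_c", "indicator": "bad.example.test", "tag": "phishing", "confidence": 90},
]
# Constructed proxy log lines: timestamp, source host, destination, action.
LOGS = """\
2024-05-01T10:00:01Z ws-042 203.0.113.7 allowed
2024-05-01T10:00:07Z ws-042 203.0.113.7 allowed
2024-05-01T10:02:13Z ws-017 198.51.100.9 blocked
2024-05-01T10:05:44Z ws-042 good.example.test allowed
"""

def parse_logs(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def information(logs, feed):
    """Information: hit count per feed indicator; answers 'how many?' but directs nothing."""
    known = {e["indicator"] for e in feed}
    return Counter(dst for _, _, dst, _ in logs if dst in known)

def intelligence(logs, feed, min_sources=2):
    """Intelligence: correlate hits with feed context (tags, corroborating sources,
    confidence) and with what the control did, then emit a prioritised SOC action."""
    ctx = defaultdict(lambda: {"sources": set(), "tags": set(), "conf": 0})
    for e in feed:
        c = ctx[e["indicator"]]
        c["sources"].add(e["source"]); c["tags"].add(e["tag"])
        c["conf"] = max(c["conf"], e["confidence"])
    allowed = defaultdict(set)  # indicator -> hosts whose traffic got through
    for _, host, dst, action in logs:
        if dst in ctx and action == "allowed":
            allowed[dst].add(host)
    out = []
    for ind, n in information(logs, feed).items():
        c = ctx[ind]
        corroborated = len(c["sources"]) >= min_sources or c["conf"] >= 85
        if allowed[ind] and corroborated:
            pri, act = "high", "isolate and investigate " + ", ".join(sorted(allowed[ind]))
        elif allowed[ind]:
            pri, act = "low", "add to watchlist; single low-confidence source"
        else:
            pri, act = "info", "no action; control already blocked it"
        out.append({"indicator": ind, "events": n, "tags": sorted(c["tags"]),
                    "priority": pri, "action": act})
    return sorted(out, key=lambda r: ("high", "low", "info").index(r["priority"]))
```

Note that the same raw hits yield different actions depending on corroboration and on whether the control already blocked the traffic; that context, not the indicator list, is what makes the output actionable.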

Who Benefits From Security Intelligence?

Sometimes, security intelligence is seen as a research service for security operations and incident response teams, or as a domain of elite analysts. Actually, it adds value to every security function within the organization as well as several other teams.

  • Security operations and response teams – Frequently, response teams are overwhelmed by alerts. With security intelligence, they are able to triage alerts faster, minimize false positives, provide context for better decision making, and speed up response times.
  • Vulnerability management teams – It is often difficult for security teams to distinguish between relevant, critical vulnerabilities and those that are unimportant to their organization. Security intelligence supplies the context for that distinction, so they are able to patch the most critical vulnerabilities first while reducing downtime.
  • Threat analysts – Threat analysts must understand threat actors and track their tactics, as well as security trends across industries, technologies, and regions. With the help of security intelligence, they are able to gain deeper and more expansive knowledge that yields more valuable insights.
  • Third-party risk programs – Information about the security posture of vendors, suppliers, and other third parties whose systems are accessed by the organization is required. Security intelligence provides objective, detailed information about business partners that static vendor questionnaires and traditional procurement methods cannot provide.
  • Brand protection teams – A team must be able to monitor unapproved web and social media mentions, employee impersonations, counterfeit products, phishing attacks, and more. Security intelligence tools monitor for these across the internet at scale and automate the takedown process.
  • International risk & physical security teams – Advance warning of attacks, protests, and other threats to assets is essential. The purpose of security intelligence programs is to collect data and “chatter” from multiple sources and analyze it to provide precise details about what’s happening in cities, countries, and regions of interest.
  • Security leaders and executives – Intelligence about threats and their potential business impact enables leaders to assess security requirements, quantify risks (ideally in monetary terms), develop mitigation strategies, and justify cybersecurity investments to CEOs, CFOs, and boards.