Integrate Threat Intelligence Into Your Security Operations


1 Integrate Threat Intelligence Into Your Security Operations
Action beats reaction.
Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997 – 2016 Info-Tech Research Group

2 ANALYST PERSPECTIVE
“Intelligence fuels an organization’s ability to stay ahead of the next threat by taking proactive measures to protect their brand, business operations, and technology infrastructure. Threat intelligence enables the business to make informed decisions that are critical when monitoring brand equity, awareness, and technology used to facilitate business.”
– TJ Minichillo, Senior Director, Security, Risk & Compliance, Info-Tech Research Group

3 Our understanding of the problem
Chief Information Officer (CIO), Chief Information Security Officer (CISO), Security/IT Management, Threat Intelligence, Security Operations, Security Incident Response, Vulnerability Assessment/Penetration Testing, Patch Management:
- Enhance your security program by providing context and actionable intelligence to address the increasing sophistication of cyber threats.
- Streamline and optimize threat collection, analysis, and dissemination processes.
- Increase organizational situational awareness through active collaboration between core security teams, enriching internal security events with external threat intelligence, and enhancing security controls.
- Develop a comprehensive threat analysis and dissemination process.

Board/Chief Executive Officer, Information Owners (Business Directors/VP), Security Governance & Risk Management, Human Resources and Legal, Public Relations/Marketing/Corporate Communications, Corporate/Physical Security, Fraud Operations:
- Aid decision making by staying abreast of cyber threats that could impact the business.
- Increase visibility into the organization’s threat profile to identify likely targets or identify exposed vulnerabilities.
- Ensure the business is compliant with regulatory, legal, and/or compliance requirements.
- Understand the value and return on investment of threat intelligence offerings.

4 Executive summary
The increasing use of sophisticated malware is making it difficult for organizations to identify the true intent behind the attack campaign, which in turn makes defending against and preventing those attacks a challenge. Poor situational awareness can leave your organization vulnerable to the latest attacks, hinder business practices, workflow, and revenue generation, and damage your public image. The increasing prevalence of public data breaches is highlighting the importance of proactive defensive measures.

Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives.

Your security controls are diminishing in value (if they haven’t already). As technology in the industry evolves, threat actors will inevitably adopt new tools, tactics, and procedures; a threat intelligence program can provide relevant situational awareness to stay on top of the rapidly evolving threat landscape.

Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product/service offerings. Threat intelligence provides visibility into the latest threats, which can help you avoid becoming a backdoor in the next big data breach.

The threat intelligence implementation process can be difficult if an organization does not align its intelligence needs. Many organizations are developing ad hoc intelligence capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments. It is difficult to communicate the value of a threat intelligence program when trying to secure organizational buy-in to gain the appropriate resourcing. There is a vast array of “intelligence” in varying formats – often resulting in information overload.

Use our proactive, intelligence-driven security program that addresses the increasing sophistication of cyber threats which could impact the organization’s brand, business operation, or technological infrastructure. This blueprint will walk through the steps of developing a flexible and systematic threat intelligence program relevant to your organization.

5 Establish an Intelligence-Driven Security Operations Practice
Threat intelligence is more than just a buzzword. At Info-Tech, we define threat intelligence as the production of actionable intelligence facilitated through various collection, analysis, and collaboration activities. Threat intelligence increases visibility of the threat landscape and helps to mitigate cyber threats.

“The use of sophisticated malware, along with highly cooperative hackers for hire, makes it difficult to attribute responsibility for the entities behind corporate computer network intrusions…” – Errol Weiss, Director of the Cyber Intelligence Center, Citigroup. Source: Errol Weiss, Before the House Financial Services Subcommittee

Threat intelligence includes:
- Creating situational awareness by collecting and aggregating indicators of compromise (IOCs) with affiliated threat actors.
- Identifying threat actors: IP addresses, domain names, network traffic content, addresses, user names, file names, file hashes.
- Proactively identifying attack methods: phishing, malware, DDoS, etc.
- Acting on relevant data to improve incident response times and vulnerability patching efforts, and to prepare for future attacks.
- Designing a structured data analysis process that contextualizes threat data.
- Creating formalized communication processes to streamline escalation procedures and disseminate intelligence to the appropriate stakeholders.

Simply put, threat intelligence is a combination of people and process, not just a product. It is the collection, classification, and correlation of data about relevant threat actor campaigns, cyber tools, tactics, and procedures published to various tactical, operational, and strategic stakeholder communities.

6 Data breaches are resulting in major costs across industries
- Incident detection and escalation costs: Forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and board of directors. Average costs are at an all-time high of $0.61 million per breach.
- Notification costs: Creation of contact databases, determination of regulatory requirements, engagement of outside experts, postal expenses, secondary contacts to mail or bounce-backs, and inbound communication set-up. The average cost was $0.56 million per breach.
- Post-data breach costs: Help desk activities, communications, investigative activities, remediation activities, legal costs, product discounts, identity protection services, and regulatory interventions. The average cost increased to $1.64 million per breach.
- Lost business costs: Abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill. The average cost was $3.72 million per breach.

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment), and $143 is indirect cost (e.g. abnormal customer churn).
Source: 2015 Cost of Data Breach Study: United States, Ponemon Institute

7 Threat intelligence provides significant organizational value
Value of Developing a Threat Intelligence Program
Short-term: Streamline the process of formalizing a threat intelligence program tailored to your organization-specific strategic needs. Assess current operational gaps and begin to tailor your unique threat intelligence process in a structured manner.
Long-term: Greater visibility into your immediate threat environment. A well-defined intelligence collection plan will result in better threat mitigation and analysis, and will ultimately improve defenses and organizational situational awareness.

Impact:
- Improved effectiveness of internal defense controls such as security information and event management (SIEM), next generation firewalls (NGFWs), intrusion prevention system (IPS), intrusion detection system (IDS), secure web gateways (SWGs), anti-malware, and anti-spam packages.
- Increased operational efficiency in terms of asset management, human capital management, etc.
- Reduced probability of breaches while improving internal network defences.
- Improved standardization of data collection, analysis, and publication.
- Increased visibility into the threat landscape.
- Enhanced overall security posture.

Value of Info-Tech’s Threat Intelligence Blueprint:
- Formalized standards and processes tailored to your organization.
- Templates and tools to facilitate intelligence collection, analysis, and collaboration.
- Streamlined planning, collection, and analysis processes.
- The creation of historical intelligence to enhance continuous improvements.
- Strategy to incorporate intelligence into relevant security operation processes such as incident and vulnerability management.
- Process around effective maintenance and optimization of your threat intelligence operations.

“33% of CISOs estimate their organizations will lose over $10 million this year due to data breaches.” – CEB, 2015

8 Benefits and outcomes of a threat intelligence program
We believe that threat intelligence is for every organization. Many firms are currently interacting with threat intelligence in an informal way – implementing a threat intelligence program will turn informality into action. Threat intelligence creates a more structured and holistic approach towards security by characterising threats and ingesting intelligence into business operations.

See 26% or more better context, accuracy, and/or speed in monitoring and incident handling.

Tactical Benefits:
- Identifying threats earlier in the intrusion kill chain.
- Ingestible indicators to establish a more proactive perimeter defense.
- Focused efforts on the most dangerous threats and vulnerabilities.
- Prioritized threat indicators to rapidly identify potential events.

Note that threat intelligence improved visibility into attack methodologies.

Operational Benefits:
- Improved situational awareness; data is provided with context, allowing security operations teams to shift their investigation from individual indicators to attackers’ tactics, tools, and procedures.
- Improved internal security systems; security controls can be configured to ingest threat intelligence and automatically block relevant indicators of compromise.
- Reduced incident response times through the contextualization of incidents with intelligence stored in the knowledge portal.
- A more intelligence-driven patch management process. Threat intelligence provides actionable vulnerability and exploitation data to identify critical vulnerabilities to patch.

See faster and more accurate detection and response.

Strategic Benefits:
- Cite reduction in incidents through early prevention due to threat intelligence.
- Improved organizational situational awareness; executives can understand relevant threats and appropriately allocate resources where necessary.
- Improved internal and external communication with top executives and board members about risks to the business, the probable actions of adversaries in the future, and the return on investments in security.

Source: Who’s Using Cyberthreat Intelligence and How?, SANS survey respondents, 2015
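Slide 5 describes collecting and aggregating IOCs (IP addresses, domain names, file hashes) together with their affiliated threat actors, and the operational benefits above describe ingesting that intelligence so that security controls and analysts can act on matching events. The Python script below is an added example, not Info-Tech's code or any vendor's product, that shows the core of that enrichment step: it loads a constructed indicator feed, normalizes the indicators and merges overlapping entries from two sources, matches them against constructed proxy-style log lines, and tags each hit with the actor and a confidence value so hits can be prioritized. Every feed value, actor name, log field name and log line is made up for illustration; the key=value log format is an assumption, not any product's schema.

```python
"""Match external threat-intelligence indicators against internal log events.

Added example, not Info-Tech's code. Feed entries, actor names, log fields
and log lines are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator feed. Two sources overlap on the same domain (with
# different casing and a trailing dot), and one entry is malformed.
FEED = [
    {"type": "ipv4", "value": "203.0.113.25", "actor": "ACTOR-A", "source": "feed-1", "confidence": 80},
    {"type": "domain", "value": "Update-Check.Example.", "actor": "ACTOR-A", "source": "feed-1", "confidence": 70},
    {"type": "domain", "value": "update-check.example", "actor": "ACTOR-A", "source": "feed-2", "confidence": 90},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "actor": "ACTOR-B", "source": "feed-2", "confidence": 60},
    {"type": "ipv4", "value": "not-an-ip", "actor": "ACTOR-C", "source": "feed-1", "confidence": 50},
]

# Constructed proxy/firewall log lines in an assumed key=value format.
LOGS = [
    "ts=2016-03-01T10:02:11Z src=10.0.0.8 dst=203.0.113.25 host=- action=allow",
    "ts=2016-03-01T10:05:40Z src=10.0.0.9 dst=198.51.100.7 host=UPDATE-CHECK.EXAMPLE action=allow",
    "ts=2016-03-01T10:07:02Z src=10.0.0.8 dst=192.0.2.44 host=intranet.corp.example action=allow",
    "ts=2016-03-01T10:09:55Z src=10.0.0.3 file_sha256=" + "0123456789abcdef" * 4 + " action=download",
]

# Which log fields carry which kind of observable (assumed schema).
FIELD_TYPES = {"dst": "ipv4", "host": "domain", "file_sha256": "sha256"}
KV = re.compile(r"(\w+)=(\S+)")


def normalize(ioc_type, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    value = value.strip()
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
        return value if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) else None
    if ioc_type == "sha256":
        value = value.lower()
        return value if re.fullmatch(r"[0-9a-f]{64}", value) else None
    return None


def load_indicators(feed):
    """Build a lookup keyed by (type, canonical value).

    Overlapping entries from different feeds are merged (sources unioned,
    highest confidence kept) so one indicator is never counted twice.
    Returns (index, number_of_rejected_entries).
    """
    index, rejected = {}, 0
    for entry in feed:
        canon = normalize(entry["type"], entry["value"])
        if canon is None:
            rejected += 1
            continue
        rec = index.setdefault((entry["type"], canon),
                               {"actor": entry["actor"], "sources": set(), "confidence": 0})
        rec["sources"].add(entry["source"])
        rec["confidence"] = max(rec["confidence"], entry["confidence"])
    return index, rejected


def match_events(index, lines):
    """Enrich every log event whose observables appear in the index."""
    hits = []
    for line in lines:
        event = dict(KV.findall(line))
        for field, ioc_type in FIELD_TYPES.items():
            raw = event.get(field)
            if not raw or raw == "-":
                continue
            canon = normalize(ioc_type, raw)
            rec = index.get((ioc_type, canon)) if canon else None
            if rec:
                hits.append({"ts": event.get("ts"), "src": event.get("src"),
                             "type": ioc_type, "indicator": canon,
                             "actor": rec["actor"], "sources": sorted(rec["sources"]),
                             "confidence": rec["confidence"]})
    # Highest-confidence hits first, so analysts triage those before the rest.
    return sorted(hits, key=lambda h: -h["confidence"])


def encounters_by_actor(hits):
    """Count enriched hits per threat actor (an input to an encounter-rate metric)."""
    return dict(Counter(h["actor"] for h in hits))


if __name__ == "__main__":
    idx, bad = load_indicators(FEED)
    print(f"loaded {len(idx)} indicators, rejected {bad} malformed entries")
    for h in match_events(idx, LOGS):
        print(h)
```

The merge step in load_indicators is what keeps the "number of redundant indicators" (slide 10's false positive rate input) from inflating alert counts when the same domain arrives from two feeds in different forms, and the rejected count surfaces feed entries that would otherwise silently never match. In a real deployment the FEED and LOGS constants would be replaced by the organization's feed parser and log pipeline.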

9 Measured Value for Guided Implementations
Engaging in GIs offers valuable project advice and significant cost savings. Time, value, and resources saved using our threat intelligence industry expertise, best practices, and templates:

Phase 1: Planning
Purpose: Understand the basics of threat intelligence. Assess your organization’s current threat landscape. Map out your target state. Establish organizational buy-in. Develop a threat intelligence team. Strategically map out your threat intelligence process.
Measured value: 1 Senior Intelligence Executive: 1 day x $2,800/day = $2,800; Intelligence Analyst: 2 days x $1,200/day = $2,400; Project Manager: 2 days x $800/day = $1,600

Phase 2: Collection
Purpose: Design a threat intelligence collection strategy. Normalize intelligence by adopting industry-recommended standards and languages. Understand the different collection solutions to identify which best supports your needs. Ensure your collection methods produce actionable data.
Measured value: 1 Senior Intelligence Executive: 2 days x $2,800/day = $5,600; Intelligence Analyst: 5 days x $1,200/day = $6,000; Project Manager: 1 day x $800/day = $800

Phase 3: Analysis
Purpose: Understand the threat intelligence analysis process and responsibilities. Optimize the analysis process to increase operational efficiency. Act on the gathered intelligence. Develop top-priority intelligence runbooks. Establish a comprehensive threat knowledge portal.
Measured value: 1 Senior Intelligence Executive: 1 day x $2,800/day = $2,800; Intelligence Analyst: 3 days x $1,200/day = $3,600; Project Manager: 1 day x $800/day = $800

Phase 4: Collaboration & Feedback
Purpose: Understand the value of intelligence dissemination. Begin producing actionable intelligence alerts, reports, and briefings. Develop a continuous improvement cycle.
Measured value: 1 Senior Intelligence Executive: 1 day x $2,800/day = $2,800; Intelligence Analyst: 2 days x $1,200/day = $2,400; Project Manager: 1 day x $800/day = $800

Total costs to get a threat intelligence program off the ground: $32,400

10 Track metrics throughout the project to keep stakeholders informed
Metrics are key to the ongoing success of your threat intelligence program. Besides trying to reduce the overall number of threats your organization experiences, you are also trying to reduce the time and cost associated with identifying and mitigating incidents. Most organizations are inefficiently (if at all) hunting for threats, increasing the risk and costs associated with reactive mitigations. Metrics will assess the current status of the overall security program, identifying areas to improve through training or new preventative/detective technology.

Metric (description) – Impact:
- Mean time to detect incidents – Faster detection will lead to faster remediation; less damage if detected early.
- Encounter rate (number of IOCs received) – Increased situational awareness; improved awareness positions organizations to better prepare and defend against threats.
- False positive rate (number of redundant indicators) – Measures the overall accuracy and efficiency of your threat intelligence collection process.
- Threat escalation rate – Faster remediation narrows the window of opportunity for threat actors.
- Internal vs. external incident rate – Identifies which threat intelligence controls need prioritization.
- Threat classification (type of threat actor and threat method) – Qualitative measure of the type of adversaries and their tactics.
- Threat intelligence success rate – The number of threats blocked; assign each threat an estimated damage value and calculate year-to-date cost savings and return on investment values.
- Feedback scores and comments – The aggregated score on the overall quality of disseminated indicators based on survey respondent feedback.

11 Best-Practice Toolkit Guided Implementations
Integrate threat intelligence into your security operations: project overview
Phases: Planning; Intelligence Collection; Intelligence Analysis; Collaboration & Feedback

Best-Practice Toolkit
Phase 1 (Planning): 1.1 Understand the basics of threat intelligence. 1.2 Assess your organization’s current threat landscape. 1.3 Map out your target state. 1.4 Establish organizational buy-in. 1.5 Develop a threat intelligence team. 1.6 Strategically map out your threat intelligence process.
Phase 2 (Intelligence Collection): 2.1 Design a threat intelligence collection strategy. 2.2 Normalize intelligence by adopting industry-recommended standards and languages. 2.3 Understand the different collection solutions to identify which best supports your needs. 2.4 Ensure your collection methods produce actionable data.
Phase 3 (Intelligence Analysis): 3.1 Understand the threat intelligence analysis process and responsibilities. 3.2 Optimize the analysis process to increase operational efficiency. 3.3 Act on the gathered intelligence. 3.4 Develop top-priority intelligence runbooks. 3.5 Establish a comprehensive threat knowledge portal.
Phase 4 (Collaboration & Feedback): 4.1 Understand the value of intelligence dissemination. 4.2 Begin producing actionable intelligence alerts, reports, and briefings. 4.3 Develop a continuous improvement cycle.

Guided Implementations
Project kick-off call; Plan your ideal target state; Conduct organizational intelligence needs assessment; Map internal/external data sourcing to intelligence needs; Optimize your analysis process; Develop an intelligence action plan; Design an intelligence collaboration plan; Facilitate delivery of the cyber attack simulation.

Onsite Workshop
Module 1: Plan your threat intelligence program
Module 2: Align your internal/external data sources to your organization-specific intelligence needs
Module 3: Formalize your intelligence analysis and action plan
Module 4: Develop an effective intelligence collaboration program

Phase 1 Results: A formalized plan for standing up a threat intelligence program.
Phase 2 Results: A plan to better leverage internal security controls by enhancing them with external threat intelligence.
Phase 3 Results: Established intelligence analysis and action plan.
Phase 4 Results: A method for internal and external intelligence dissemination.

12 Info-Tech Research Group Helps IT Professionals To:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department

Sign up for free trial membership to get practical solutions for your IT challenges.
“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” – ARCS Commercial Mortgage Co., LP
Toll Free:
