The structure of security teams looks different at every organization depending on the industry, size and needs of the business. Threat intelligence, in particular, is still a relatively new function in the security organization and therefore looks different depending on where you go. Some organizations place threat intelligence under the CISO or CSO, while at others it falls under the CTO or the IT function. If your organization is currently working to stand up a threat intelligence team and struggling to find the right placement, consider the core intelligence requirements you are trying to meet. While there is no exact standard for the makeup of a threat intelligence team, groups like the SANS Institute have developed strong frameworks for the types of functions required for a cyber threat intelligence team to be successful. Considering the cybersecurity skills gap, it’s critical to have the right people in the right positions to make effective use of limited staff and resources. In this piece, we’ll discuss the four core functions necessary for strong threat intelligence services. How does your threat intel team compare?
Preventative Threat Intelligence Function
In order to effectively address threats, you must maintain a team focused on monitoring for, generating and triaging alerts. The preventative function of a threat intelligence team is often made up of a Security Operations Center (SOC) team. The SOC offers a centralized hub for monitoring and incident response. Members of the preventative function own the monitoring component, generating and escalating alerts in order to provide critical information to the rest of the threat intelligence team and elsewhere within the organization. This function also communicates with the vulnerability and risk management team in order to inform vulnerability prioritization efforts. Through alert analysis and triage, the preventative function also provides enrichment for the associated indicators of compromise (IOCs).
Strong communication between the preventative function and the incident response team is key to prioritize which threats require immediate action. One example of such collaboration would be in anti-phishing protection. The preventative function would review a malicious email, post or domain for evidence of phishing, conducting phishing link analysis to determine the legitimacy of the threat prior to passing it off to the incident response team.
Incident Response Function
The incident response arm of a threat intelligence team is focused on facilitating the sharing of information between the other functions as well as with other internal teams at the organization. Larger enterprises may maintain both a threat intelligence team and a dedicated incident response team. In these cases, the incident response arm of the threat intel team supports the IR team on specific threats, providing the additional intelligence needed to address those threats appropriately.
One of the core components of the incident response function is information sharing. Through IOC enrichment and the coordination of mitigation efforts, this team is responsible for responding to threats and informing the team on the status and effectiveness of those responses.
Strategic Support Function
While the preventative and incident response functions provide tactical support to identify and mitigate threats, an additional function is needed for strategic decision making and prioritization. Members of the strategic support function are tasked with business-level decisions, working with leadership and other departments to understand the larger impacts a potential threat could have, such as lost revenue, loss of customer trust or loss of data.
This function also helps assign resources to specific projects and threats. Since many threat intelligence teams run lean, it’s important that the limited resources in both staff and technology are used to address the most critical issues, those that will have a significant impact on the business as a whole. The strategic support function also plans and prioritizes projects on biweekly sprint, quarterly and annual cycles to keep the entire threat intelligence team focused and effective.
External Threat Intelligence Services
Whether you maintain a small team of threat researchers or a full-scale threat intelligence operation, maintaining an external support function in the form of external technology and managed services will improve your team’s effectiveness and conserve limited resources. Working with a threat intelligence services provider not only gives your team access to threat data, IOCs and ongoing alerts, but also provides you with an extended team of threat analysts and researchers to help with the preventative, incident response and strategic support functions of your threat intelligence team.
Digital Risk Protection Services solutions include access to a team of threat analysts who triage and escalate all alerts, creating custom workflows that align directly with your preventative team’s standard processes and procedures. Using an external team can help your organization operationalize the identification and mitigation process. Takedown experts can provide remediation services to save your incident response team valuable time and resources.
While the external support function should not replace one of your internal functions, it is a valuable asset for extending the capabilities of your threat intelligence team to achieve two top threat intelligence goals: to prioritize critical threats and make strategic decisions.
How does your threat intelligence team structure compare?