From the clients with THE MOST mature security operations, we learn the so-called “tri-team” model for detection and response:
- SOC – primarily monitoring and threat detection in near real-time, and of course alert triage.
- CSIRT – security incident response
- “Threat something” (no standard name: we heard “theat fusion center”, “threat management center’’”, “threat intelligence team” and many others) – profile threat actors, organize and refine threat intelligence, create internal intel, hunt, etc [in a few cases, in fact, the intel creation and hunting teams were separate too, or hunting was with the CSIRT above]
This model allows for a clean, logical separation – but also collaboration! – between detection/monitoring, response and intelligence functions. It also seems to align well with the skills of the analysts hired for each function (e.g. ex-intel agency people fit into #3). Of course, there are many, many tricks to making it work in real life, and having a 9-digit security budget helps a lot too….
P.S. This post is clearly for:
Blog posts related to threat intelligence:
- Baby’s First Threat Intel Usage Questions
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.