About The Tri-Team Model of SOC, CIRT, “Threat Something”

From the clients with THE MOST mature security operations, we learn the so-called “tri-team” model for detection and response:

1. SOC – primarily monitoring and threat detection in near real-time, and of course alert triage.
2. CSIRT – security incident response
3. “Threat something” (no standard name: we heard “theat fusion center”, “threat management center’’”, “threat intelligence team” and many others) – profile threat actors, organize and refine threat intelligence, create internal intel, hunt, etc [in a few cases, in fact, the intel creation and hunting teams were separate too, or hunting was with the CSIRT above]

This model allows for a clean, logical separation – but also collaboration! – between detection/monitoring, response and intelligence functions. It also seems to align well with the skills of the analysts hired for each function (e.g. ex-intel agency people fit into #3). Of course, there are many, many tricks to making it work in real life, and having a 9-digit security budget helps a lot too….

P.S. This post is clearly for:

Blog posts related to threat intelligence:

• Baby’s First Threat Intel Usage Questions
• How a Lower Maturity Security Organization Can Use Threat Intel?
• Threat Intelligence and Operational Agility
• My Threat Intelligence and Threat Assessment Research Papers Publish
• Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
• On Threat Intelligence Management Platforms
• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs