From the clients with THE MOST mature security operations, we learn the so-called “tri-team” model for detection and response:
- SOC – primarily monitoring and threat detection in near real-time, and of course alert triage.
- CSIRT – security incident response
- “Threat something” (no standard name: we heard “threat fusion center”, “threat management center”, “threat intelligence team” and many others) – profile threat actors, organize and refine threat intelligence, create internal intel, hunt, etc. [in a few cases, in fact, the intel creation and hunting teams were separate too, or hunting was with the CSIRT above]
This model allows for a clean, logical separation – but also collaboration! – between detection/monitoring, response and intelligence functions. It also seems to align well with the skills of the analysts hired for each function (e.g. ex-intel agency people fit into #3). Of course, there are many, many tricks to making it work in real life, and having a 9-digit security budget helps a lot too….
P.S. This post is clearly for:
Blog posts related to threat intelligence:
- Baby’s First Threat Intel Usage Questions
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs