Here is a bitchingly hard question: how to get organizations to move up the maturity scale of using threat intelligence (TI), from blindly [ok, not always blindly] dropping indicator feeds into tools to [at least] appreciating and utilizing strategic threat intelligence?
Now, a cynicist [and …well…aren’t we all?] may say “why help people who won’t help themselves?” For once, this is my job 🙂 But more importantly, there seem to be enough organizations that want to get there, but don’t see a path – so we can provide that.
In essence, how to teach people addicted to instant noodles to appreciate caviar? BTW, my esteemed colleague have used the caviar metaphor first in his recent TI paper, but as a native Russian I totally own all caviar metaphors! 🙂
So, I touched on why they may not be using better intel in the past, but now the question is: how to get them to? BTW, we are NOT talking about the internally-sourced intel, its value is of course indisputable, but the effort is generally even higher than what we are talking about in this post.
Here is an idea of how to start the journey: look at this TI use cases table. Specifically, the column on strategic intel. Pick ONE box, say “Security architecture and monitoring planning based on long-term threats and relevant actor capabilities” and find THREE ways how it is valuable to your organization. Convinced? Then start doing it… BTW, Augusto has great additional ideas here in this post.
P.S. If this seems incomplete, you are not wrong … as usual, we have to save enough juicy stuff for our upcoming TI paper…
Blog posts related to threat intelligence:
- About The Tri-Team Model of SOC, CIRT, “Threat Something”
- Baby’s First Threat Intel Usage Questions
- How a Lower Maturity Security Organization Can Use Threat Intel?
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish (2014)
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.