Introduction - How to Define and Build an Effective Cyber Threat Intelligence Capability (2015)

How to Define and Build an Effective Cyber Threat Intelligence Capability (2015)

Chapter 1. Introduction


One of the most important concepts in the world of information security today is defining and building an effective cyber threat-intelligence capability. We discuss the notions of Why, What, How, and Who in order to help readers define how to build an effective cyber threat-intelligence capability.


cyber threat intelligence

cyber threat center

One of the most important concepts in the world of information security today is defining and building an effective Cyber Threat Intelligence capability. To ensure that all the concepts are covered, we have teamed up with Cyveillance, a world leader in cyber intelligence, to create a storyline that covers the following topics.

We start with discussing why the notion of defining an effective capability is so important. As we will see, threat intelligence is one of the buzzwords of the day, but it means different things to different people. As a result, it can end up meaning next to nothing, unless you define it according to your organization’s individual goals.

As a cybersecurity professional, you may have been exposed to the current trend to discuss, plan, or even build and operate some kind of cyber threat center, “super SEIM,” super SOC or whatever your particular organization may have chosen to call it. Despite a lot of buzz, startup money, and industry discussion, what we have seen most often is that there are far more organizations in the “planning” stage, the “thinking about it” stage or the “wondering if it’s a good idea” stage than those successfully operating a functional center, and it is for that larger group, that is, those who are not yet in operation, or are just getting started, for whom this book is intended.

There’s a lot of technical jargon thrown around, but in our opinion, it really boils down to the following: Why, What, How and Who. Each of those elements will be tackled in detail in the following chapters. You will also be introduced to an easy-to-follow process to translate your objectives – or the “why” in colloquial terms – into activities and needs, or the “what.” With this information at hand, you will be able to determine what intelligence you would need on the basis of those objectives, that is, the options available to you to build a program, and how the process can be implemented to make your center or threat intelligence capability a reality.

Another key aspect we cover is an overview of the common landmines that organizations tend to step on. This book will go over the keys to successful implementation, which is really a nice way of saying how to avoid stepping on those landmines! Then, and only then would it be worth discussing who the right vendors, partners, or employees are to build, staff, and run your cyber threat intelligence program.

Last, but not by any means the least, the book will cover reporting and management communication as well as its importance in an effective threat intelligence operation. From there, the conversation will come to an end at the “block and tackle” planning, budgeting, and submitting a request for money stage, without which none of this happens.

Before getting down to the nitty-gritty of cyber threat intelligence, we would like to share a quote. Taken from Lewis Carroll’s Alice in Wonderland, it is part of a conversation between Alice and the Cheshire Cat, but it is also applicable in real life while talking to stakeholders in the planning or thinking stages of building a threat intelligence capability.

Alice: Would you tell me please, which way I ought to go?

The Cat: Well that depends a good deal on where you want to get to.

Alice: I don’t care much where.

The Cat: Then it doesn’t matter which way you go, does it?

Any threat intelligence program that does not support a clear business objective; pursue a well-defined mission that is bounded, scoped and relatively rigid; work within a set of clear expectations in a portfolio of responsibilities that everyone agrees to; and meaningfully report metrics that matter to management and budget holders is doomed, in our opinion, to fail.

These factors are critical to understand at the outset for defining and building a threat intelligence capability. If you do not ensure that these elements are considered, if you do not set out with a clear end state in mind, you are like Alice talking to the Cheshire Cat. If you do not know where you are going, it is easy to meander about, spending time and money, with no clear idea of where you are going, or knowing if you are actually getting any closer to your destination.