Five Things to Consider for a Successful Intelligence Team - Part 5

September 04, 2014

#5 - Make it Operational

The previous four parts in this series have covered subjects necessary to make an intelligence staff a successful endeavor for an enterprise. In this final piece, I want to concentrate on how to pull it all together and make the team operational.

As stated in Part 1: Invest in the Proper People and Tools, “Threat intelligence in our industry is evolving. Going beyond vulnerability and threat feeds is a must.” The main takeaway is to bring context to your data. The best way to gain context is through analysis - human analysis. The analyst will be able to provide insights that a firewall, proxy or SIEM cannot. He or she will be able to discern if a threat is valid to an organization and provide an assessment that will enable judgment-based decisions. That is actionable, and that is what intelligence is all about. So how does an organization get to that point?

Levels of Intelligence

There are three roles of support that the intelligence function will deliver for the organization, known as the intelligence levels of effort. Each of these levels has a unique purpose when delivered and provides a well-rounded and comprehensive look at the overall threat landscape you face.

When first developing or instituting an intelligence capability within an organization, the main focus should be on strategic intelligence. This level of intelligence is tailored to deal with more long-term analysis of threats or problems that an organization will face based upon its size, industry vertical and current state of the information security program. It will also feed operations and senior leadership the necessary intelligence in the areas of policy, planning and resource allocation to complete the following two levels.

Operational intelligence is where the intelligence staff supports the daily processes of the security team. At this stage, the intelligence staff should concentrate on providing direct support for operations in the form of finished intelligence products that contribute to the protection of information and assets. This includes products on current and emerging threats and is delivered in the form of IDS/IPS signatures, YARA rules, threat actor profiles and up-to-date information stemming from malware analysis and industry trends.

Tactical intelligence is structured towards support for ongoing investigations and incident response in the case of an intrusion or breach of the organization. The intelligence team should provide current and time-sensitive intelligence surrounding the specifics of the incident, exploit or threat. The production of finished intelligence in this stage is limited to the Post-Incident Activity component of the incident response plan, and all intelligence communications to the incident response team should be tailored for quick consumption and action.

The Intelligence Cycle

If you are familiar with any of our previous articles, you will know that we always go back to the intelligence cycle. The intelligence cycle allows analysts to focus their collection and analysis on the specific threats that an organization faces. The great thing about it being a cycle is it can be instituted at all three of the “Intelligence Levels of Effort”.

Inside the intelligence cycle, we can see how the previous four parts can be applied:

  1. The proper people and tools will allow for sound requirements to be developed and enable analysis and production.
  2. DEVOPS will assist in collection and analysis as long as the right tools are appropriated or built.
  3. Open communication channels will assist in both requirements generation and proper dissemination of finished intelligence.
  4. Sharing among the community can hit all four parts.

Make It So

To end, if you have a security shop, odds are you currently perform intelligence operations. With some fine tuning on people, processes and technology covered in this series, you can embark on having intelligence-driven operations. Invest in your people and the tools they need. Encourage internal development. Allow them to communicate openly, both internally and externally. Adopt a proven methodology. Make it so!

By: Danny Pickens

Senior Director, Threat Management Operations
