
The Operational Case for an Intelligence-Driven Security Program (Part 1 of 2)

February 18, 2015

In my last post, I discussed the business case for threat intelligence, and why I believe threat intelligence should be a pivotal part of any modern enterprise security program. In this follow-up I will address the operational aspects of threat intelligence and why it is critical to your security program.

From an operations perspective, there are a few key points where enterprise security can benefit from threat intelligence as a platform. I want to stress that by "platform" I mean the whole ecosystem of data, tools, processes and people, not a single product.


I’ve written before that our industry needs to shift our thinking to “assume breach,” but this doesn’t invalidate the need to improve our preventative capabilities. I believe security operations needs to become more intelligent about the types of threats we aim to prevent. Rather than trying to prevent all threats to our systems and data, we need to be able to utilize threat intelligence to prevent generic threats, and even some of the targeted threats to our systems.

Generic threats are non-targeted, non-persistent and most often described as opportunistic or “drive-by” infections. Many of the static indicators available through threat intelligence feeds – such as IP addresses, MD5 file-hashes, low-reputation DNS, and more – can help us prevent infections before they make it into the network. When they are fed directly into our infrastructure security devices and endpoint tools, static indicators can reduce the operational tax on human responders.

Many of the targeted threats – the ones specifically aimed at a system, vulnerability, industry or company but not designed to be stealthy or reside on the infection target – can be prevented by using a combination of signatures and static indicators on the same infrastructure and endpoints. Although it is likely there will be a “patient zero,” which cannot be prevented, subsequent infections are entirely preventable with timely, accurate, and contextual threat intelligence.

The point here is that detection is greatly improved with threat intelligence data feeds, even the most basic indicator types. This approach has the potential to seriously reduce the amount of time human responders spend remediating common malware-based infections, freeing analysts for more complex tasks and reducing overall workload.


Detection of threats to an organization is the new prevention. If we “assume breach,” the goal for the intelligence-driven enterprise security organization becomes to detect any potential infections as quickly as possible. In the prevent step above, we are removing the common malware-based threats, and thus are left with the more complex, customized and targeted threats, at least in theory.

Detection of these threats before they achieve their objective is critical. I believe it’s important to mention (and I will expand on this in a later blog post) that infection is rarely the primary objective for malware or attacks. Attackers don’t waste time and money just to plant a flag on your system like a trip to the top of Everest. There are few instances where the goal is to simply infect; rather, there is a broader objective of stealing credentials, intellectual property, or other sensitive data. It is the objective of the security team to disrupt an attack and prevent achievement of the attacker’s goal. Detection is that mechanism.

Integrating threat intelligence through signatures, static indicators and tactical reports assists the security team in identifying anomalies, and catching and stopping attacks before they achieve their objective. Whether it is through identifying patterns of behavior, connections out to previously non-malicious IP addresses, or something else, rapid detection can mean the difference between being infected with malware, and experiencing a major breach. There is certainly nothing that says security teams cannot achieve this goal without external threat intelligence, but I believe that the chances of successfully thwarting an attacker rise exponentially with good external information. My assertion here is of course a qualitative measure, and an interesting bit of research here would be to perform a quantitative analysis to identify exactly how much better detection becomes.
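To make the prevent and detect mechanisms concrete, here is an added example (not code from the original post or from Optiv) that loads a static-indicator feed of the kind described above (IP addresses, MD5 hashes, low-reputation domains), drops entries that are expired or malformed, and matches the remaining indicators against proxy, DNS and endpoint log lines. The feed format, the key=value log format, the confidence threshold and every value are constructed assumptions for this illustration. High-confidence hits are marked for automated blocking on the infrastructure device, lower-confidence hits are routed to an analyst for review, which is the "timely, accurate, and contextual" distinction the text draws.

```python
"""Match a static-indicator feed against proxy, DNS and endpoint logs.

Added illustration; the feed schema, log format and all sample values
below are constructed for this example and are not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ipv4", "domain" or "md5"
    value: str         # canonical form used for lookup
    confidence: int    # analyst confidence, 0-100 (assumed feed field)
    expires: datetime  # feed-supplied expiry so stale indicators age out


def normalise(kind, raw):
    """Canonicalise an indicator or log value; None if it is malformed."""
    raw = raw.strip().lower()
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(raw))
        except ValueError:
            return None
    if kind == "domain":
        return raw.rstrip(".") or None
    if kind == "md5":
        return raw if MD5_RE.match(raw) else None
    return None


def load_feed(entries, now):
    """Build per-type lookup tables, dropping expired or malformed entries."""
    active = {"ipv4": {}, "domain": {}, "md5": {}}
    for e in entries:
        value = normalise(e["type"], e["value"])
        expires = datetime.fromisoformat(e["expires"].replace("Z", "+00:00"))
        if value is None or expires <= now:
            continue  # accuracy and timeliness: bad or stale data never reaches a device
        active[e["type"]][value] = Indicator(e["type"], value, int(e["confidence"]), expires)
    return active


def parse_line(line):
    """Constructed log format: '<timestamp> <source> key=value ...'."""
    ts, source, *fields = line.split()
    rec = {"ts": ts, "source": source}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


# Which log field is compared against which indicator type.
FIELD_TO_KIND = {"dst": "ipv4", "query": "domain", "md5": "md5"}


def match_logs(lines, active, block_threshold=80):
    """Return one hit per matching field; confidence decides block vs review."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for field, kind in FIELD_TO_KIND.items():
            if field not in rec:
                continue
            value = normalise(kind, rec[field])
            ind = active[kind].get(value) if value else None
            if ind is None:
                continue
            hits.append({
                "ts": rec["ts"], "source": rec["source"], "field": field,
                "indicator": ind.value, "confidence": ind.confidence,
                "action": "block" if ind.confidence >= block_threshold else "review",
            })
    return hits


# Constructed feed: one entry is expired, one is malformed, one needs normalising.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "expires": "2015-03-01T00:00:00Z"},
    {"type": "domain", "value": "Update-Check.example.", "confidence": 70, "expires": "2015-03-01T00:00:00Z"},
    {"type": "md5", "value": "9E107D9D372BB6826BD81D3542A419D6", "confidence": 95, "expires": "2015-03-01T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 90, "expires": "2015-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 90, "expires": "2015-03-01T00:00:00Z"},
]

# Constructed log lines from three sensor types.
LOGS = [
    "2015-02-18T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 host=cdn.example.net",
    "2015-02-18T10:02:10Z dns src=10.0.0.13 query=update-check.example",
    "2015-02-18T10:02:11Z dns src=10.0.0.13 query=www.example.org",
    "2015-02-18T10:03:33Z endpoint host=WS-042 md5=9e107d9d372bb6826bd81d3542a419d6",
    "2015-02-18T10:04:00Z proxy src=10.0.0.14 dst=198.51.100.7 host=old.example",
]

NOW = datetime(2015, 2, 18, 12, 0, tzinfo=timezone.utc)


def run():
    """Load the feed as of NOW and match it against the sample logs."""
    return match_logs(LOGS, load_feed(FEED, NOW))


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Running it yields three hits: the proxy connection to the high-confidence IP and the endpoint file hash are marked "block", the DNS query for the medium-confidence domain is marked "review", and the expired IP produces nothing even though a log line contains it. The expiry and confidence fields are the contextual part; without them the same feed would either block stale indicators or bury analysts in low-value alerts.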

In my next blog post I will discuss the final operational aspects of threat intelligence: response and recovery.
