What does it mean to be threat-informed when it comes to Cyber Defence?
It is one of those classic tough questions that don't have simple answers (at least not ones that are immediately obvious). The great Anton Chuvakin circled back to this topic recently. In this article, he asks an excellent question that goes to the heart of the problem:
"...why does everybody seem to support threat-centric security conceptually, but few practice it operationally?"
Operationalizing a threat-centric approach is not a simple undertaking. You must choose between strategic stances for threat intelligence data collection, information assessment, filtering, enrichment and triage.
You may be tempted to assume that the problem of threat-informed or threat-driven cybersecurity is a threat intelligence one; at its core, however, it is a problem of information significance: the dimensions of data provenance, relevance, interoperability, reliability, actionability and timeliness. What does a particular data cluster mean within the context of your organization, and how does it inform actionable outcomes?
Ultimately, what we want is for information to be actionable: our threat intelligence pipeline should improve the actionability of the threat-related data our environment emits, so that it can drive security control deployments such as detections, mitigations and hardening.
However, the reality we face in most organizations is far from a meaningful information processing pipeline. Most CyberSecOps models out there resemble Rube Goldberg machines rather than meaningfully articulated data networks. Asking a few of the following questions of your hunting, response, SOC, detection engineering or threat intelligence teams is enough to surface how hard it is to provide insight into what constitutes a meaningful threat-driven decision: