Reddit reviews Building an Intelligence-Led Security Program

We found 1 Reddit comment about Building an Intelligence-Led Security Program. Here are the top ones, ranked by their Reddit score.


1 Reddit comment about Building an Intelligence-Led Security Program:

u/VarianceX · 1 point · r/netsec

TLDR: Threat Intelligence is the product of a cyclic process where data and information are put into context, producing knowledge about threats or potential threats as well as vulnerabilities in your own systems and network.

Network Security Monitoring is a means of collecting data for threat intelligence, but the data collected from netmon tools alone is not threat intelligence until it has been analysed, interpreted, evaluated and put into a context, often by correlating it with other data from both internal and external sources.

Short Intro to TI:

To understand what Threat Intelligence is, you need to look at what traditional Intelligence is, because the concepts of Data-Driven Security and Threat Intelligence are basically derived from that. The US DoD defines "Intelligence" as:

"The product resulting from the collection, processing, integration, evaluation, analysis and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements or areas of actual or potential operations."

I don't think there is any really good definition of Threat Intelligence/Cyber Threat Intelligence yet, but Rob McMillan at Gartner has a pretty decent one:

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Just as with traditional Intelligence, we divide Threat Intelligence into 3 levels: Strategic, Tactical and Operational Intelligence.

Strategic Intelligence is made for CxO-level management and should basically answer who wants to attack you, why they are attacking you and where the organization is being targeted. This type of Threat Intelligence has a long lifetime and can often be used over years.

Tactical Intelligence should answer what and when, describing what techniques and methods an attacker uses, at which time he is attacking you, et cetera, basically producing a dossier/signature of a threat actor. This Threat Intelligence has a shorter lifetime than strategic, because threat actors tend to change their techniques and procedures from time to time when new tools arrive.

Operational Intelligence provides answers about how you are being attacked, often in terms of what is known as IOCs. Operational Intelligence has a really short lifetime, from a couple of hours to a week, because compromised computers tend to be taken off the net and IP addresses, binaries, DNS and such tend to change often. Because of this, Operational Intelligence often has high rates of false positives.

I recommend reading: http://www.amazon.com/Building-Intelligence-Led-Security-Program-Allan/dp/0128021454/ It's not too deep and covers all the theory basics.
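The two points the comment makes about operational intelligence (indicators age out within hours to days, and raw NSM data only becomes intelligence once it is correlated with context such as other sources) can be shown in a small age-aware IOC matcher. This is an added example, not code from the Reddit comment or from the book: the indicator feed, the Zeek-style connection log lines, the per-level maximum ages and the scoring rule are all constructed assumptions for illustration.

```python
"""Age-aware IOC correlation over constructed NSM connection-log lines.

Assumptions (not from the page): the feed entries, the log lines, the
MAX_AGE table and the linear decay / corroboration bonus are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed maximum useful age per intelligence level. The operational value
# follows the comment's "couple of hours to a week"; the others are guesses.
MAX_AGE: Dict[str, timedelta] = {
    "operational": timedelta(days=7),
    "tactical": timedelta(days=180),
    "strategic": timedelta(days=3 * 365),
}

UTC = timezone.utc


@dataclass(frozen=True)
class Indicator:
    value: str           # IP address or domain
    level: str           # "operational" | "tactical" | "strategic"
    source: str          # which feed reported it
    first_seen: datetime


def confidence(ind: Indicator, at: datetime) -> float:
    """Linear decay from 1.0 at first_seen to 0.0 at the level's max age."""
    age = at - ind.first_seen
    limit = MAX_AGE[ind.level]
    if age < timedelta(0):
        return 1.0            # observed before the feed published it: treat as fresh
    if age >= limit:
        return 0.0            # stale: the comment's false-positive source
    return 1.0 - age / limit


def parse_conn_log(text: str) -> List[dict]:
    """Parse constructed 'ts src dst dst_port sni' lines ('-' means no SNI)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, sni = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
            "src": src, "dst": dst, "port": int(port),
            "sni": None if sni == "-" else sni,
        })
    return rows


def correlate(rows: List[dict], feed: List[Indicator], min_conf: float = 0.2) -> List[dict]:
    """Match destination IPs / SNI names against the feed.

    Confidence is evaluated at the time of the observation, indicators below
    min_conf are dropped, and independent sources reporting the same value
    add a small corroboration bonus (assumed +0.1 per extra source, capped at 1).
    """
    by_value: Dict[str, List[Indicator]] = {}
    for ind in feed:
        by_value.setdefault(ind.value, []).append(ind)
    hits = []
    for row in rows:
        for observed in (row["dst"], row["sni"]):
            if observed is None or observed not in by_value:
                continue
            live = [i for i in by_value[observed] if confidence(i, row["ts"]) >= min_conf]
            if not live:
                continue
            score = max(confidence(i, row["ts"]) for i in live)
            sources = sorted({i.source for i in live})
            score = min(1.0, score + 0.1 * (len(sources) - 1))
            hits.append({"ts": row["ts"].isoformat(), "src": row["src"],
                         "indicator": observed, "level": live[0].level,
                         "score": round(score, 2), "sources": sources})
    return hits


# Constructed sample data (documentation-range addresses, fictional domain).
T0 = datetime(2015, 3, 1, tzinfo=UTC)
FEED = [
    Indicator("198.51.100.23", "operational", "feed-a", T0 - timedelta(days=1)),
    Indicator("198.51.100.23", "operational", "feed-b", T0 - timedelta(days=2)),
    Indicator("203.0.113.9", "operational", "feed-a", T0 - timedelta(days=30)),   # stale
    Indicator("bad.example.net", "operational", "feed-c", T0 - timedelta(days=3)),
]
LOG_LINES = """\
# ts src dst dst_port sni   (constructed)
2015-03-01T08:12:05Z 10.0.0.5 198.51.100.23 443 -
2015-03-01T08:13:40Z 10.0.0.7 203.0.113.9 80 -
2015-03-01T08:15:02Z 10.0.0.5 192.0.2.44 443 bad.example.net
2015-03-01T08:16:11Z 10.0.0.9 192.0.2.10 443 www.example.com
"""


def run_example() -> List[dict]:
    return correlate(parse_conn_log(LOG_LINES), FEED)


if __name__ == "__main__":
    for hit in run_example():
        print(hit)
```

Running it yields two hits: the corroborated, day-old IP scores around 0.91, the three-day-old domain around 0.52, and the month-old IP is dropped entirely even though it appears in the log. The decay curve and bonus are deliberately simple; the point is that the matcher carries the indicator's age and provenance into the alert instead of treating every feed entry as equally true forever.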