Threat intelligence has been a part of cyber defense processes in the private sector for long.
Many threat intelligence teams were initially composed of classically trained intel operators from the public sector, focusing on gathering data to thwart national security threats.
As they grew and adjusted to protect against customer data breaches and disruptions to services, growing pains in a corporate environment were to be expected.
Expectations are changing, though. Security operations are maturing, and as threats have continued to evolve, enterprises have made significant investments in security infrastructure.
C-suites and boards are now involved in security decisions as studies show increments in security investments expected to rise to $458.9bn in 2025 from $262.4bn in 2021.
But with increased investment comes scrutiny and rigorous competition for dollars across IT and security teams. However, for threat intelligence teams, it appears old habits die hard.
Many remain in the government intel mindset, focused on funneling data to the security operations center with limited experience in extending threat intelligence to other parts of the business, communicating the resulting value and justifying the investment required.
After nearly a decade of threat intelligence going corporate, a reckoning is coming.
It’s time for CISOs and threat intel teams to start working together and prove that threat intelligence is not a cost center, but drives value across all security operations.
Here are 3 strategies to create a mindset shift and demonstrate the full value it provides.
Think of the threat intel team as the providers of a product
Security organisations consist of many different teams. The threat intel team needs to support all these stakeholders with contextualised intelligence for their specific use cases.
Yes, the SOC needs indicators of compromise that have been contextualised to show they are relevant and high priority so they can add them to the watch list for monitoring.
However, other teams need intelligence curated for their purposes as well.
For example, incident response (IR) teams need context around adversaries, campaigns and the infrastructure used so they can accelerate responses.
Threat hunters need details of the campaigns being run and the adversaries’ motivations and tactics so they can look for activity that has bypassed defenses.
Teams need to know the vulnerabilities being targeted in the wild so that if exploits are successful, and if the threat is relevant for the organisation, they can prioritise patching.
Contextualised threat intelligence is a force multiplier, ensuring all teams are focused on relevant, high-priority issues so they can make the best decisions and take the right actions.
Prioritise integration
Deploying and leveraging an open integration architecture is critically essential for automating the dissemination of contextualised threat intelligence across teams and tools.
Bi-directional integration enables access to data from a wide range of internal and external sources to offer context, including systems, tools, vulnerabilities, identities and more.
After analysing and prioritising the data, they can share it with the teams in the security organisation and receive data for continuous collaboration, learning and improvement.
Leveraging and deploying integration with existing infrastructure also facilitates the teams to work with the tools that they already have to drive faster and more accurate action.
With extended detection response (XDR), contextualised and prioritised threat intelligence must flow through all systems effectively and bi-directional integration is imperative.
An open integration architecture to support the flow of data facilitates increasing the efficacy and efficiency of teams and tools across security operations in the organisation.
Formalise executive reporting
As threat intel teams start working more closely with other security teams, they will be able to demonstrate additional value in terms of operational efficiencies.
Chief Information Security Officers (CISOs) will be able to formalise reporting, explaining in greater detail the unique challenges the company faced, how the threat intel team overcame them, the value delivered, lessons learned and how to continue to improve security operations.
Exemplary aspects for consideration
- How and what type of malicious activity was sighted, and the steps taken to contain and remediate it.
- Why you believe certain campaigns could be targeting the organisation and what you are monitoring for.
- How you’re proactively strengthening defenses, such as prioritising patching of vulnerabilities being leveraged by threat actors that may start to target your industry.
A reckoning is coming, so start preparing now.
Delivering curated threat intelligence to more teams that need it, enabled with bi-directional integration, will allow teams to prove that threat intelligence is far from a cost center.
Threat intelligence delivers value that permeates a firm across many initiatives and use cases, empowering teams to work faster and thoroughly in defending against evolving attacks.
Chris Jacob, is the Global Vice President for Threat Intelligence Engineers at ThreatQuotient.
