- Chris Cochran
As I stepped off the stage I was greeted by a few conference attendees. Some just wanted to convey they liked the talk, while others had questions about my threat intelligence EASY Button, a framework for operationalizing threat intelligence. But one person stood out from the rest. She said, “Great talk, Chris! But I am afraid you aren’t thinking big enough for the EASY button.” I had the sudden feeling of wanting to pick my heart up off of the floor. “Please do not take offense,” she continued. “It’s not that the EASY framework does not work for intelligence, but have you thought about applying the framework to other facets of cybersecurity?” And that is when it hit me like a truck. While the framework works well for threat intelligence, individuals building and optimizing an entire security program could easily use this for their programs.
I have spent my entire career in the intelligence field. I even had my own consulting firm for a few years, where all I did was build threat intelligence capabilities. After a while, I found myself repeating the same advice over and over again. I began to wonder, “Wouldn’t it be great to have a button that someone could press to guide them to building a high functioning threat intelligence program?” And from that question the “Threat Intelligence EASY Button” was created. The pillars of the framework are as follows:
- Elicit Requirements
- Assess Collection Plan
- Strive for Impact
- Yield to Feedback
It is a very simple and practical guide for intelligence, but can we apply it to building a cybersecurity program like my colleague pointed out? Let’s dive in.
Elicit Requirements
Requirements are the foundation for any threat intelligence program. These requirements drive the research analysts conduct to support stakeholders with actionable intelligence. Eliciting requirements for a security program would be much broader, but very similar. The question is simple: “What does the program need to help protect?” The organization could have valuable data it maintains such as client/customer data or proprietary information. There could be business operations that, if degraded or disrupted, could cost the organization revenue. It could simply be the company’s website that must remain available during the launch of a new product. These are examples of critical assets that must be protected. Once you know what you want to protect, next you will need to gauge the visibility of the internal and external environment.
Assess Collection Plan
For the intelligence button, this pillar was about threat feeds and other data for analysis. For a security program, this concept is more complex. The threat feeds/intelligence on threats still applies for a security program. One must have an idea of the threats one’s organization and industry face. But in this context, one must also understand the data that surrounds the critical assets discovered in the first pillar. This data can include types of logs, records and other metrics to be used for security analysis and health checks. It can be harder than it sounds. Figuring out what data you have, gathering the data in an automated way, storing this data, and enabling analysis is a tough but valuable journey to undertake. Once you understand this pillar to some degree, it’s time to have fun with impact.
Strive for Impact
I may be biased, but I believe that intelligence is a driver for security operations. Intelligence provides threat context to enable the decision makers to close gaps in security. The beautiful part of applying this to the entire security program is that you are the force executing the actions needed to close these gaps. This is where we look to hire talent and bring on vendors and services. We want to strike a balance of security while maintaining the usability that the stakeholders around the company require. Many times the best way for a security program to show impact is with metrics. Work with your stakeholders to ensure the metrics you capture are relevant and scalable through automation or some other means. While metrics can be a form of feedback, we still want feedback from our stakeholders.
Yield to Feedback
All service-centric functions would benefit from feedback. This includes intelligence and the security program. Feedback is a gift and the best way to iteratively improve your program. If you are receiving constructive feedback about the security program from a stakeholder, something needs to take place in order to realign. Even if the stakeholder is misguided, there is still something you must do: speak with them. Some friction could simply be due to a miscommunication. Have a cup of coffee with your stakeholder and listen. Reassure them that you are there to support their mission and have teamwork at the forefront of your mind.
Look at that! She was right. I hope this framework can serve as a touchstone for your security operations. Whether you are building a program or looking to optimize operations, realize that it is a marathon and not a sprint and that there are several of us out there fighting the same fight. We have to stick together.
Chris Cochran is a prominent leader in the cybersecurity space. During the day, he leads threat intelligence in Silicon Valley and at night he hosts his SecDevOps.AI podcast. The best way to follow his journey is via LinkedIn.