Current intelligence processes support both business operations and security • operations by focusing on getting the most timely data and rapid analysis to various The case for CTI — analysts and stakeholders. Current intelligence analysts are the Õrst line of defense example scenario for identifying relevant external intelligence and routing it to the parties that need to operationalize the intelligence. In this way, current intelligence is pivotal in ensuring With the rapidly changing threat timely operationalization of CTI. landscape and the impact of attacks All levels of intelligence are operationalized into remediation and countermeasure seemingly becoming higher, getting operations. In fact, intelligence-driven countermeasure operations are a guiding principal to ahead of potential attacks and EY’s point of view on 9ctive Defense — a deliberately planned and continuously executed vulnerabilities has been a major win campaign to identify and eradicate hidden attackers and defeat likely threat scenarios for some organizations that have targeting your most critical assets. improved their CTI capabilities. For Intelligence-driven remediation and countermeasure operations include processes that many organizations without insight enable the operationalization of CTI: into what is changing or further, insight into what their own current • Threat intelligence support to incident response plans posture is, getting panicked questions • Alerting upon and recommending actions for vetted current intelligence from executives can make an already • Targeting security operations along the paths of developed threat models. complicated situation that much more stressful. All of these processes will be unique to your organization’s operations and challenges. Q During several of the recent breaches where a speciÕc attack vector or vulnerability has been used, the organizations’ security teams not only CTI program maturity model were able to address those questions, Active Defense but in some cases pre-empt the • How can we mature discussion with a call to state that they Refine processes integration to get ahead? were aware of what was happening, • How can we do it better? Informing business and able to state if they were secure decisions • What should we do? against the speciÕc threat or, if not Data analysis secure, what the teams were doing to • How and why? remediate the situation quickly. Information These types of wins not only reduce sharing Optimized stress for the security team, but also • How and Managed • Generated and with who? • Lessons learned actionable intelligence bolster conÕdence in the abilities of Defined improved performance driving informed Data gathering business decisions the security team. • Who, what • Long-term • Learning how to ask the planning “right“questions • Effective tasking of when? Developing intel assets • Strategic intelligence Initial • Tactical intelligence Identifying requirements • Aligned to business • Security strategy @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence | 13