The case for operationalizing CTI

A common challenge that permeates the industry is how best to make use of CTI:

• How can an organization go about making CTI relevant and actionable?
• How can an organization integrate relevant and actionable intelligence into security operations?

Operationalizing CTI is necessary to derive anything more than a false sense of security from having read a report or purchased an intelligence feed.

Purchasing threat intelligence subscriptions, feeds, and/or reporting does not answer these questions; neither does installing a cutting-edge threat intelligence platform. Only through the unearthing of an organization’s unique CTI requirements and the designing of custom integration processes can the organization truly operationalize CTI.

However, EY has noted several issues that limit the operationalization of CTI. One issue is a lack of consolidation of intelligence sources (i.e., multiple subscriptions owned by the organization, used by different divisions and not shared); another is an inability to maintain platforms or integrate intelligence, which results in shelved appliances; other organizations may be unable to properly integrate purchased intelligence feeds into security technologies, which limits the ability to use the intelligence purchased in a meaningful way.

Intelligence requirements

Intelligence requirements are how an organization steers and scopes its CTI efforts in order to ensure it gains the right insight and the ability to operationalize the intelligence. The requirements are specific and singular questions that an organization does not currently have a complete or current answer to and whose answer will add value to the business. Requirements should be developed based on multiple stakeholders' operations, concerns and gaps in knowledge. In this way, the intelligence requirements will take on the shape and feel of the organization and become equally unique and diverse.
For example, a manufacturing organization with a global presence will have global supply chain-related intelligence requirements, whereas a regional financial organization may not.

By identifying specific questions that an organization needs answered, they can target their intelligence collection and production to support operations and decision-making.

Intelligence collection should take place both internally and externally to the organization. Internal data collected might include network event data, vulnerability scan data, and incident response reporting. Externally-derived data could include deep and dark web activity, social media and forum discussions, geopolitical news, and third-party reporting on adversaries and their activities. Many companies choose to purchase their externally derived intelligence through subscriptions and feeds.

There are so many options and combinations of external and internal data to collect that deciding what to collect or purchase can be daunting. Many organizations end up with data fatigue and significant amounts of data that they are not making use of, resulting in an absence of operationalizing CTI. By predefining intelligence requirements, an organization can focus its efforts and determine the most relevant cross section of collected sources for the organization.

54% of GISS respondents say their information security strategy is aligned with the organization’s business strategy.

How do you find the criminals before they commit the cybercrime? — A close look at cyber threat intelligence
