Beyond Feeds: Put Threat Intel to Work
Deloitte's Parthasarathy Shares Practical End-To-End Threat Intel Lifecycle
CISOs today have more intel available than ever before - more than they know what to do with. But how can they make it all actionable? Where do they begin?
Buying the latest and shiniest black boxes is all very well, but unless this technology and intel is tuned to real-world, business-specific risks and context, it can induce a false sense of security, believes Shree Parthasarathy, Partner and National Leader, Cyber Risk & Security Services at Deloitte India.
"The implementations of SIEMs in Indian enterprises today, for instance, are mostly technical implementations, with out-of-the-box use cases which a typical technology provider delivers, and it is not properly customized to the organization's specific risks and business context," he says.
What happens in these scenarios, he says, is that a false sense of security is created, and at the same time the organization is inundated with data - alerts and false positives. When organizations can't process this information, they start ignoring it and go into denial, he adds. (See: The New Economics Of Cybersecurity Risk)
The situation with a typical organization's threat intelligence lifecycle is much the same. To make it effective and actionable, an organization must take stock of where its crown jewels really are. The two primary sources of intelligence come from:
- External threat intelligence feeds, which could be global, national or underground commercial, and which need to be contextualized to an organization's threat profile to make them actionable.
- Information from various sources within the organization that needs to be properly integrated into the threat lifecycle. Whether it's from patch management, vulnerability management, the identity and access governance piece, risk assessments, vendor risk management - all of these are going to present patterns that tell a story. (See: 4 steps Toward Advancing Your Threat Intelligence Program)
Every piece of data being reported is legitimate threat intel. First look at how information is flowing across the organization's perimeters and then start looking at the fundamental building block - which is data and how it is being captured. (See: 3 Waves of Threat Intelligence)
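The contextualization step described above, as an added illustration that is not from the article or from Deloitte: external feed entries are joined against internal sources (an asset inventory with crown-jewel flags and the unpatched CVEs reported by vulnerability management), so that only intel touching this organization's real exposure becomes an alert. All data, CVE identifiers and weights are constructed placeholders.

```python
# Added example: contextualising external threat-intel feed entries against
# internal sources so that only organisation-relevant intel becomes actionable.
# Every value below is constructed; the CVE ids are placeholders, not real CVEs.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class FeedEntry:            # one item from an external feed (constructed)
    cve: str
    confidence: int         # 0-100, as reported by the feed provider


@dataclass
class Asset:                # one row from inventory + vulnerability management (constructed)
    name: str
    crown_jewel: bool       # business context: does this asset matter most?
    open_cves: set[str]     # unpatched CVEs reported by vulnerability management
    internet_facing: bool   # exposure as recorded in the internal inventory


FEED = [FeedEntry("CVE-0000-0001", 90),
        FeedEntry("CVE-0000-0002", 60),
        FeedEntry("CVE-0000-0003", 95)]

ASSETS = [Asset("payments-db", True, {"CVE-0000-0001"}, False),
          Asset("marketing-web", False, {"CVE-0000-0002", "CVE-0000-0003"}, True),
          Asset("hr-portal", True, set(), True)]


def contextualize(feed, assets):
    """Return (priority, cve, asset_name) tuples, highest priority first.

    A feed entry that matches no unpatched asset is dropped: however loud the
    feed is about it, it is noise for this organisation and would only add to
    the false-positive flood the article warns about."""
    findings = []
    for entry in feed:
        for asset in assets:
            if entry.cve not in asset.open_cves:
                continue
            score = entry.confidence
            if asset.crown_jewel:
                score *= 2           # crown jewels first (weight is an assumption)
            if asset.internet_facing:
                score += 25          # exposed assets bump up (weight is an assumption)
            findings.append((score, entry.cve, asset.name))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for priority, cve, name in contextualize(FEED, ASSETS):
        print(f"{priority:4d}  {cve}  {name}")
```

Note that hr-portal, a crown jewel, produces no alert because vulnerability management reports nothing unpatched on it: the internal data, not the feed, decides what is actionable.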
"Formulating a holistic strategy requires proper context, to map intelligence - which is abstract; and pump it into your organization's specific use-cases in your SIEMs and other technology and tools that you may possibly be having," he says. "I have an antidote, but I need to know where I can apply it." (See: Hugh Thompson on Simplifying Security)
In this exclusive audio interview with ISMG, Parthasarathy talks in depth about the common pitfalls and shortcomings in an organization's threat intelligence lifecycle and a practical approach to actionable threat intelligence. He discusses:
- Common gaps and how to address them;
- Identifying sources of intelligence;
- A five-step process for effective implementation and operationalization of a threat intelligence lifecycle.
Parthasarathy is partner and national leader for cyber risk and security at Deloitte, and has more than 20 years of experience in developing, managing and advising global enterprise clients on technology, security, risk management and compliance matters. He is responsible for product development/innovation, service delivery, business development, client relationship and P&L management. He has consulted and provided solutions in the areas of enterprise business/technology strategy, business process optimization/re-engineering, enterprise infrastructure design and optimization, establishing and managing global business and technology operations, and change management.