Authored By: Andrew Dillin, Threat Intelligence Lead – Cyber & Physical at NatWest Group
As we come to the end of the year, a number of us will be working hard to report the tangible change Threat Intelligence has made to the organization over the past year.
We hear a lot about KRIs and other measures for Threat Intelligence, such as the number of reports issued or IOCs / pieces of intelligence triaged with linked targets or Red, Amber or Green (RAG) status. However, do these drive the right behaviors or activities? I’d suggest not, and I would recommend not setting a RAG status or monthly target for the number of reports or IOCs worked.
The value of Threat Intelligence can be difficult to measure given the very nature of the activity. So, what are some of the ways to measure Threat Intelligence?
1. Intelligence-Driven Control Changes – the number of times you have enhanced the security posture of the organization either through IOC population into the control suite or through a fundamental change to a control based on an attacker’s techniques.
2. Intelligence Reach – how effectively you are sharing intelligence with key stakeholders. This isn’t the number of reports you have issued but more so that you are reaching the desired audience for your Priority Intelligence Requirements. The percentage of stakeholders attending your monthly briefing call can be a useful metric.
3. Intelligence Product / Service feedback – another slightly less quantitative measure, but it supports the ability to demonstrate that your products are either hitting the mark or need improvement. It is key that Intelligence products remain fresh, engaging and graphically interesting to ensure that intelligence is effectively consumed by stakeholders. We also need to be mindful that, in a lot of cases, these stakeholders are not intelligence professionals, and therefore, the inclusion of source assessments and other intelligence handling should be simplified and easily understood.
4. Proactive Identification of Threats – the number of times you have identified an event before it has been officially reported. This plays well into the 3rd Party Supply Chain space, where you can again point to a change in the security posture of the organization.
5. Intelligence Automation – the time and cost savings driven by automating your Threat Intelligence processes. Leverage your Threat Intelligence Platform to support this.
6. Intelligence Change – it is key not to forget about some of the more fundamental changes that are made to the intelligence function. This can be the expansion of products and services, new capabilities driven through technology, or even training undertaken by the team.
Happy measuring! 📏📐
About the Author: Andrew has over 12 years of experience in fraud and banking security and is now responsible for leading NatWest Group’s Cyber Threat Intelligence function. A respected member of the intelligence community, Andrew’s focus has been on automating intelligence and improving security controls to proactively mitigate cyber threats. He is passionate about collaborating with others and promotes the sharing of security threat information across the financial sector.