We asked some of the Senior Leaders at ThreatConnect, whose teams spend a lot of time with enterprises, to give their insights on how an organization can prepare for a TI Ops Platform project. We think these insights will give some ‘hacks’ to be successful in selecting, gaining support (e.g., budget and resources), and delivering a Platform for their cyber threat intel teams.
- Lara Meadows, VP of Sales Engineering, on planning carefully to establish and update PIRs, determine intelligence needs and recipients, consider third-party tools, and identify reporting requirements for a successful TI Ops program.
- Dan Cole, VP of Product, on why a defined set of PIRs is critical for a solid TI Ops platform, and how it can inform technology choices and secure buy-in from stakeholders.
- Jody Caldwell, VP of Customer Success, on proper planning, identifying project participants, and prioritizing tasks to enable an Ops team to get the quickest value from the platform.
- Toby Bussa, VP of Product Marketing, on spending time understanding and measuring critical pain points to set evaluation and implementation success criteria for new solutions.
Lara Meadows – VP of Sales Engineering
Planning is one of the most important and often overlooked steps in growing a successful TI Ops program. It should be the backbone of every cybersecurity organization because every cybersecurity team member and every security tool is only as relevant as the latest intelligence being provided to them.
For this reason, as part of planning, before even thinking of a Platform, it’s important to understand the following:
- Do you have established and documented priority intelligence requirements (PIRs)?
- How often are PIRs reviewed and updated?
- What type of intelligence is needed (threat actors, IOCs, deep web, dark web, etc.)?
- Who (and which tools) will be receiving the intelligence?
- What format does intel need to be in for third-party tools?
- Will third-party tools automatically provide intel BACK to your TI Ops team for new and unknown threats?
- What type of reporting is needed for all the various security teams (executive briefings, detailed analyst notes), and who will be the recipients?
Having answers to these questions will build the foundation for an incredible TI Ops program, allowing your intelligence to be the lifeblood of your entire security program and giving you the foundation to construct robust, stakeholder-aligned requirements for a TI Ops Platform.
Dan Cole – VP of Product
To start, having a defined set of PIRs is critical. A solid TI Ops platform enables teams to address these PIRs more effectively and efficiently, ultimately providing a stronger security posture for the organization. By identifying and prioritizing these requirements, security architects and engineers can better demonstrate the platform’s value and ensure that it meets the specific needs of their organization.
PIRs can also inform technology choices. Teams should have a thorough understanding of the software tools they will be integrating into the TI Ops platform, and how those tools help them address their PIRs. This includes being familiar with their features, capabilities, and limitations. By knowing the tools inside and out, teams can make more informed decisions and better advocate for the value of the platform to their organization. Which intel feeds will they ingest? What analysis tools will they bring to bear? What tools do their stakeholders need the intel disseminated to?
Another essential aspect of preparing for a TI Ops Platform project is securing strong buy-in from stakeholders, such as leadership and the Security Operations Center (SOC). This support can be vital in securing the necessary budget and resources for the project, as well as driving strong adoption. To achieve this, architects and engineers should clearly communicate the benefits of the TI Ops platform and demonstrate how it will help the organization address its unique challenges and goals.
Jody Caldwell – VP of Customer Success
Planning any large project always takes time and resources. Having and implementing a plan is crucial to getting the project off the ground and having forward momentum. Being on the customer delivery side of the house, this is something that we work with customers on so they are adequately prepared. This process starts with our initial kickoff call.
Ideally, customers have a thorough set of requirements to address their operational, strategic, and business needs. This enables them to know specifically how they intend to use the platform to meet their desired needs. Planning should always include identifying what feeds, integrations, and processes are going to be a part of the day-to-day operational workflow.
Planning also needs to ensure the right project participants are identified and engaged, e.g., analysts, project managers, and leaders. The most successful teams always have a game plan, and that includes identifying a point person for the project. This doesn’t always have to be a project manager, but someone who can help align internal tasks and priorities. This could include working with network and application engineers, developers, and end users. When all of these things are documented and prioritized, it enables a TI Ops team to get the quickest value from the platform.
Toby Bussa – VP of Product Marketing
I heard it in the numerous conversations I had as a Gartner Analyst, whether it was about SIEM, SOAR, TIP, etc. Spending time in the preparation phase is absolutely critical to successfully delivering a new solution. So what would be my top recommendation?
Know the most critical pain points you’re solving for, and make sure you have metrics. When I spoke with someone who didn’t know these, and if there were no measures, or they were qualitative, not quantitative, my advice was “start measuring.” Perfection isn’t critical, but having quantifiable data allows you to know what your starting point is, and to have a conversation with stakeholders on where they want to be (i.e., we want to see an improvement of X% in 6 months). If you’re looking to improve the time it takes to disseminate indicators to your downstream security tools, then you need to know how long the process takes. Spend 30 days getting sufficient data points, then use these metrics to set evaluation and implementation success criteria, and keep measuring while you progress the project. By the time you’re doing an evaluation of Platforms, you’ll probably have 60-90 days of quantitative measures. The happiest customers I see are the ones that can say, “We started here at X, we demonstrated that the solution will help us achieve at least Y, and 90 days after being implemented, we actually delivered Z, besting our goal by this percentage.”
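The measurement advice above (baseline the time it takes to get indicators into downstream tools, then re-measure after the platform is in place and compare against the agreed target) can be turned into a small script. The following is an added example, not ThreatConnect code or anything from the original post; the record layout, the `REQUIRED_TOOLS` list and every timestamp are constructed for illustration and stand in for whatever your own platform and tool logs actually record.

```python
"""Baseline and re-measure indicator dissemination latency.

Added example (not ThreatConnect's code). The record layout and the
REQUIRED_TOOLS tuple are assumptions standing in for your own logs.
"""
from datetime import datetime
from math import ceil
from statistics import median

# Every recipient that must hold an indicator before it counts as disseminated.
REQUIRED_TOOLS = ("siem", "edr")


def rec(ind, received, siem, edr):
    """Build one constructed record: receipt time plus per-tool load times."""
    return {"id": ind, "received": received, "loaded": {"siem": siem, "edr": edr}}


# Constructed 30-day baseline sample (a None load time means not yet delivered).
BASELINE = [
    rec("ind-1", "2024-01-08T09:00", "2024-01-09T13:00", "2024-01-08T21:00"),  # 28 h
    rec("ind-2", "2024-01-09T10:00", "2024-01-10T10:00", "2024-01-09T18:00"),  # 24 h
    rec("ind-3", "2024-01-10T08:00", "2024-01-12T08:00", "2024-01-10T20:00"),  # 48 h
    rec("ind-4", "2024-01-11T14:00", "2024-01-12T14:00", "2024-01-11T22:00"),  # 24 h
    rec("ind-5", "2024-01-12T09:00", "2024-01-13T21:00", "2024-01-12T15:00"),  # 36 h
    rec("ind-6", "2024-01-12T11:00", None, "2024-01-12T17:00"),  # still waiting on SIEM
]

# Constructed re-measurement sample taken after implementation.
CURRENT = [
    rec("ind-11", "2024-04-08T09:00", "2024-04-08T11:00", "2024-04-08T10:00"),  # 2 h
    rec("ind-12", "2024-04-09T10:00", "2024-04-09T16:00", "2024-04-09T11:00"),  # 6 h
    rec("ind-13", "2024-04-10T08:00", "2024-04-10T12:00", "2024-04-10T09:00"),  # 4 h
    rec("ind-14", "2024-04-11T14:00", "2024-04-12T02:00", "2024-04-11T15:00"),  # 12 h
    rec("ind-15", "2024-04-12T09:00", "2024-04-12T12:00", "2024-04-12T10:00"),  # 3 h
]


def _ts(value):
    return datetime.fromisoformat(value)


def dissemination_latency_hours(record):
    """Hours from receipt to the LAST required tool loading the indicator.

    Returns None while any required tool has not yet received it, so an
    indicator stuck in a queue is counted as outstanding rather than ignored
    (dropping it would bias the baseline low).
    """
    loaded = record["loaded"]
    if any(loaded.get(tool) is None for tool in REQUIRED_TOOLS):
        return None
    last = max(_ts(loaded[tool]) for tool in REQUIRED_TOOLS)
    return (last - _ts(record["received"])).total_seconds() / 3600


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(records):
    """The quantitative starting point a stakeholder conversation needs."""
    latencies = [h for h in map(dissemination_latency_hours, records) if h is not None]
    return {
        "measured": len(latencies),
        "outstanding": len(records) - len(latencies),
        "median_hours": median(latencies) if latencies else None,
        "p90_hours": percentile(latencies, 90) if latencies else None,
    }


def improvement_pct(baseline_value, current_value):
    """Percentage reduction relative to the baseline (positive is better)."""
    return (baseline_value - current_value) / baseline_value * 100


def meets_target(baseline_records, current_records, target_pct, metric="median_hours"):
    """True if the chosen metric improved by at least target_pct percent."""
    before = summarize(baseline_records)[metric]
    after = summarize(current_records)[metric]
    return improvement_pct(before, after) >= target_pct


if __name__ == "__main__":
    before, after = summarize(BASELINE), summarize(CURRENT)
    print("baseline:", before)
    print("current: ", after)
    print(f"median improved {improvement_pct(before['median_hours'], after['median_hours']):.1f}%")
    print("50% target met:", meets_target(BASELINE, CURRENT, 50))
```

Two design choices matter here. Latency is measured to the slowest required recipient, because an indicator the SIEM has but the EDR does not is not yet actionable everywhere it needs to be; and indicators that have not reached every tool are reported as outstanding instead of being silently excluded, since a baseline built only from the deliveries that completed will understate the problem you are trying to fix. Swap the constructed rows for exports from your own logs and the same functions produce the "we started at X" figure the passage recommends.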
The Bottom Line
Be Prepared! It’s simple to say, but being prepared before even speaking with vendors is critical. You need to have a robust project plan that documents the following:
- Requirements aligned with stakeholders,
- Clear and agreed goals for the Platform,
- Relevant metrics that measure the current state, and
- How you are going to demonstrate success for evaluation and post-implementation of the Platform.
With these items in hand, before you start your vendor evaluation and selection process, you’ll be well prepared to defend the purchase of a TI Ops Platform, get your budget, and make the TI Ops team very, very happy.