Someone like you (Van Morrison version)

Forming a threat intelligence team, as a supplement or specialized subset of the security team, requires not only a particular set of skills that may be outside security’s traditional core competency, but also more bodies to fill those roles. In security, where human resources are tight to begin with, thinking about where you’re going to find the best individuals to staff a threat intelligence team can quickly turn into a headache.

During MISTI’s Threat Intelligence Summit 2016 in New Orleans, Louisiana, Tim Callahan, event chair and SVP & CISO at Aflac, presented a talk on “Staffing for a Threat Management Program.” As a security leader who has built a global team, Callahan offered some practical advice to others who might be struggling with the notion or the reality.

I’ve been searching a long time

While “threat intelligence” as a term is thrown around liberally inside the industry, it is still an emerging discipline. The concept is as old as (military) time, but intelligence as a practice is newer to cybersecurity, particularly the understanding that threat analysts and practitioners have a different forte than security managers/directors/engineers/admins/etc.

When evaluating staffing requirements, Callahan advises CISOs to take a step back and look holistically at the threat program, first gaining an understanding of the organization’s risk exposure, then setting the action plan from there.

The best place to start, said Callahan, is building a partnership with the business. Know what the business values, its goals, and what is considered a risk in their eyes (which may be different from a cybersecurity risk). Next, consider how organizational risk exposure—from a cybersecurity perspective—aligns with the company’s strategic goals. “Learning the business’s risk appetite can help you prioritize your actions,” said Callahan.

For someone exactly like you

Once the security and threat intelligence program goals are aligned, Callahan recommends that organizations evaluate contracting for an independent vulnerability assessment or penetration test. Many companies, smaller ones especially, lack the resources to carry out internal assessments. Beyond that, an external perspective from experts who aren’t intimately familiar with internal systems, and who have a broader view of threats across various types of companies, industries, geographies and environments, can help identify security and operations’ needs—staffing and otherwise.

When these requirements are defined, that’s when organizations should start to invest in technology and services (if appropriate) that expand the size and capabilities of the threat team. Callahan recommends looking into:

Intelligence sources:

  • Third-party feeds from associations and groups like your industry ISAC
  • Security information and event management (SIEM) log data, fed into an analytical tool to aggregate and correlate events
  • Third-party intelligence providers: not just anyone with fancy marketing collateral will do

Analytical tools:

  • Basic security tools with minimal overhead
  • Center on the most persistent threats, or those posed by the most likely threat actors (for your organization)
  • Focus on forensics

Importantly, when considering new or additional tools and services, security/threat teams should look for providers offering strategic and ongoing support rather than those for which support is an addendum to the contract. Any platform added to the operations/security mix, said Callahan, should provide real-time reporting and alerting capabilities, and optimally have the capacity to stop attacks anywhere along the vulnerability/exploit cycle.

I’ve been traveling all around the world

Another important consideration for staffing a threat intelligence team is the decision between maintaining an in-house, outsourced, or hybrid team. Larger organizations serving critical infrastructure are more likely to require an in-house team. Smaller, less-resourced organizations can operate with outsourced help, but Callahan cautions that “threat intelligence has not commoditized yet; [organizations] can outsource certain functions, but a ‘total package’ service is not yet available.” Most organizations, realistically, will function with a hybrid threat intelligence team, relying on a combination of in-house experts supported by external experts and threat-specific platforms.

When looking for people to fill that internal threat intelligence need, keep in mind that security experience doesn’t necessarily translate to a threat analyst position. The best threat intelligence professionals are data analysis experts who have a background in technical research. Callahan specifically points to:

  • Military veterans who have experience in security operations centers, security administration, and/or security deployment or monitoring. Military experience demands rigorous discipline and execution, which are also critical to managing an effective threat intelligence program in an enterprise.
  • Data scientists with deeply honed analytical, pattern recognition, and trend identification abilities. Data scientists might not have direct security experience, but they are capable of uncovering hidden correlations in data and using their skill set to make predictions, assessments, and recommendations based on the data rather than on any preconceived notions of the security and/or IT environment.

Waiting for you to come through

Your future threat intelligence experts may be individuals hired from external organizations who come armed and ready with deep analytical experience, or they may be grown internally from your current security/IT team. “Years of experience and knowledge of systems and operations can be groomed,” said Callahan. On the other hand, it’s not wise to shoehorn a security expert into a data analysis role. “Internal teams are already stretched,” warned Callahan, and threats and vulnerabilities are constantly evolving and springing surprises on enterprises. Don’t automatically assume someone with years of security experience will make a great threat analyst, and don’t count out a data scientist who doesn’t have security experience.

Accurately and quickly identifying and conveying data correlations will be the key to stopping threats before they impact the organization. Fill your threat intelligence team with experts who have deep data analysis skills, cultivate organizational awareness, are business-minded, and can communicate, engage, and influence across the entire organization, not just with security staff. The right threat intelligence team and resources will keep the organization’s cyber risk exposure low—which, to the business, is the most important goal of all.