‘Threat’ is the big InfoSec word of 2014. Threat, threat intelligence, and threat profiling continue to be common themes palpable at every InfoSec conference this year. It seems like just recently we were talking about our new Red Team, and now we’re already talking about the organization’s new Threat Intelligence unit. Understanding threats is not a new concept; however, this latest approach is increasingly valuable to organizations that understand the value proposition of InfoSec: our ability to estimate how often losses occur and how bad those losses are. (Hey, that’s why you’re reading this blog, right?)
But there is something happening as organizations build greater threat intelligence capabilities: these new units may become yet another silo set apart from the risk analysts. Too often, when I talk to InfoSec professionals about using their new threat profiling capabilities in risk analyses, I get a response something like this: “Hmm, that seems like a good idea. I’ll have to ask my counterparts on the risk side if they’re doing that.” Likewise, when I talk to risk analysts about the same topic it elicits a similar response: “You know, that would be great information. I should look into that.” Let’s take a quick look at risk analysis and the value a new specialized threat intel team brings to FAIR analyses.
At the highest layer of abstraction, FAIR decomposes risk into two components: loss event frequency and loss magnitude. (Sound something like the aforementioned value proposition? It should.) As risk analysts it is our responsibility to get all of the right people at the table to understand, document, and articulate these two components of risk. These new threat intelligence units should have a seat at that table; too often they are brought in at the last minute or even discounted. That just won’t cut it.
- First, threat intelligence specialists have key information to help us understand how often losses could occur (Threat Event Frequency).
- The profiles they build help us better understand the individual actors and communities that our organizations defend against.
- Moreover, the information at their fingertips is valuable for the insight it provides into what type of loss the bad actors want to inflict (relevant to loss magnitude, anybody?).
In RiskCalibrator we provide you with a base group of threat communities to help kick-start your analyses; for instance, Cyber Criminals. But Cyber Criminals can be broken down more specifically into pieces of pizza with lots of different toppings. Cyber threat intelligence professionals are the chefs that help us slice and dice that pizza pie in a way that helps us better understand and measure how much risk we have.
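To make the two components concrete, here is a small FAIR-style model as an added example (it is not code from this post or from RiskCalibrator): threat intel supplies the Threat Event Frequency and loss-magnitude ranges for each community, and the model shows what happens to the estimate when the coarse “Cyber Criminals” bucket is sliced into two distinct profiles. It assumes FAIR’s LEF = TEF × Vulnerability decomposition, uses a triangular distribution in place of BetaPERT, and every profile number is constructed for illustration.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range, as a FAIR analyst elicits it."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + 4 * self.mode + self.high) / 6  # PERT mean

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for FAIR's BetaPERT distribution (simplification).
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class ThreatCommunity:
    name: str
    tef: Estimate             # Threat Event Frequency, events/year (threat-intel input)
    vulnerability: float      # P(a threat event becomes a loss event), 0..1
    loss_magnitude: Estimate  # dollars per loss event (threat intel informs this too)

    def expected_annual_loss(self) -> float:
        # FAIR: LEF = TEF x Vulnerability; annualised loss = LEF x Loss Magnitude.
        return self.tef.mean() * self.vulnerability * self.loss_magnitude.mean()

# Constructed, illustrative numbers: one coarse "Cyber Criminals" bucket ...
COARSE = [ThreatCommunity("Cyber Criminals", Estimate(2, 6, 20), 0.3,
                          Estimate(20_000, 150_000, 2_000_000))]
# ... versus the same bucket split by threat intel into two distinct profiles.
REFINED = [
    ThreatCommunity("Opportunistic criminals", Estimate(5, 12, 40), 0.1,
                    Estimate(5_000, 30_000, 200_000)),
    ThreatCommunity("Organized crime crews", Estimate(0.2, 1, 3), 0.5,
                    Estimate(200_000, 1_000_000, 5_000_000)),
]

def simulate_percentiles(communities, runs=20_000, seed=2014) -> dict:
    """Monte Carlo of total annual loss; returns 10th/50th/90th percentiles."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        totals.append(sum(c.tef.sample(rng) * c.vulnerability * c.loss_magnitude.sample(rng)
                          for c in communities))
    q = statistics.quantiles(totals, n=10)
    return {"p10": q[0], "p50": q[4], "p90": q[8]}
```

The point-estimate means of the coarse and refined views land within a few hundred dollars of each other, while the percentiles from `simulate_percentiles` differ in shape because the organized-crime profile carries the tail; that difference in shape is what the threat intel team's slicing buys the risk analyst.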
So seek to understand your threat intel people and help them understand you. Cozy up to your new threat intelligence group and invite them to the risk analysis conversation. Inform them on the methodology you use to measure risk (hopefully FAIR). And for goodness’ sake, buy them a slice of pizza with their favorite toppings, because their specialized efforts are going to make your life better as a risk analyst. After all, both groups share in the InfoSec value proposition.