Threat intelligence is like food for malnourished risk models. The standard fare for risk models is input like high-medium-low and red-yellow-green labels, so we shouldn’t be surprised when they don’t mature and perform as we need them to. The chain of dependencies goes like this: good intelligence makes smarter models; smarter models inform decisions; informed decisions drive better practice; better practice improves risk posture; and that, done efficiently, is ultimately what makes a successful security programme.
However, before we delve into how threat intelligence relates to the risk management process, it’s important to remember that intelligence is itself a process. It is a basic cycle of direction, collection, processing, analysis, dissemination and feedback, and it is vital to keep that cycle in mind when applying intelligence to your overall risk models: each phase has a counterpart in the risk process, as the sections below show.
Working hand in hand: Intelligence within the risk management process
Over the last few years, the risk management process has had a few variations. The recent NIST Cybersecurity Framework offers the simple definition of identifying, assessing and responding to risk. The stated purpose of the framework is to complement rather than replace an organisation’s existing risk management process and, as such, it doesn’t get too descriptive about the process itself. To identify where intelligence fits within that process, it is more useful to look at a dedicated risk management framework, and this is where NIST SP 800-39 comes into play.
The NIST SP 800-39 Risk Management Process
NIST SP 800-39 is a special publication of the US National Institute of Standards and Technology (NIST), developed to provide guidance for an integrated, organisation-wide programme for managing information security risk. It presents risk management as a comprehensive process requiring organisations to frame, assess, respond to and monitor risk on an ongoing basis, using effective communication and feedback for continuous improvement of security activities. The four components below are where threat intelligence plugs in.
Frame establishes the context for risk-based decisions and strategy for execution in the areas of assessment, monitoring, and response. Part of this requires that organisations identify assumptions about threats, likelihood of occurrence, vulnerabilities, and consequences. Describing the sources and methods for acquiring threat information is specifically stated as a main output of risk framing and a main input to risk assessment. This corresponds well to the direction phase of the intelligence cycle, and gives a starting point for collaboration between risk and intel teams.
Assess encompasses everything done to analyse and determine the level of risk to the organisation. Threat intelligence has a clear and critical role here in helping risk management to identify, assess, and track threats as well as evaluate existing vulnerabilities in light of those threats.
Respond addresses what organisations choose to do once risk has been assessed and determined. They identify and evaluate various courses of action, determine which are best, and implement the chosen course of action. While not as obvious as the previous two components, intelligence does offer value here. Evaluating the effectiveness of proposed courses of action is very difficult without a good understanding of the motives, means, and methods of the threat being addressed.
Monitor involves verifying proper implementation, measuring ongoing effectiveness, and tracking changes that affect effectiveness or risk. The role of intelligence here is an extension and continuation of the previous respond component. In other words, it’s not intel’s job to monitor internal system/control changes directly, but it certainly should be monitoring external threat changes (a new actor, a new capability, a shift in targeting) that may necessitate internal system/control changes.
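As an added illustration (not part of the original article, and not a model that NIST SP 800-39 prescribes), the following Python sketch puts the four components side by side in a toy quantitative risk model: framing assumptions are recorded up front, assessment derives exploit likelihood from threat reports instead of a colour label, response compares risk before and after a proposed control, and monitoring re-ranks the findings when a new report changes the external threat picture. Every actor name, weakness ID, asset, sector, probability and control-effectiveness figure is constructed for the example.

```python
from dataclasses import dataclass, field, replace

# Constructed catalogue: fraction of exploit likelihood each control removes.
CONTROL_EFFECTIVENESS = {"patch": 1.0, "mfa": 0.8, "network-segmentation": 0.6}


@dataclass(frozen=True)
class ThreatReport:
    """One disseminated intel product (constructed for the example)."""
    actor: str
    exploits: frozenset      # weakness IDs the actor has been observed exploiting
    targets: frozenset       # sectors the actor is observed to target
    confidence: float        # analyst confidence in the report, 0..1


@dataclass
class Vulnerability:
    """One finding from the assessment team's inventory (constructed)."""
    vid: str
    asset: str
    base_severity: float     # 0..10 technical severity, independent of any threat
    exposed: bool            # reachable from the internet
    controls: set = field(default_factory=set)


# Frame: assumptions written down before any assessment happens.
FRAME = {"sector": "finance", "exploit_floor": 0.05}


def likelihood(v, reports, frame):
    """Assess: likelihood of exploitation derived from intel, not a colour.
    Start at the framing floor, raise it for each report tying the weakness
    to an actor that targets our sector, then apply exposure and controls."""
    p = frame["exploit_floor"]
    for r in reports:
        if v.vid in r.exploits and frame["sector"] in r.targets:
            # noisy-OR: independent reports raise the estimate, never above 1
            p = 1.0 - (1.0 - p) * (1.0 - r.confidence)
    if not v.exposed:
        p *= 0.5
    for c in v.controls:
        p *= 1.0 - CONTROL_EFFECTIVENESS.get(c, 0.0)
    return p


def risk(v, reports, frame):
    return likelihood(v, reports, frame) * v.base_severity


def rank(vulns, reports, frame):
    """Assess: weakness IDs ordered from highest to lowest risk."""
    return [v.vid for v in sorted(vulns, key=lambda x: risk(x, reports, frame), reverse=True)]


def evaluate_response(v, reports, frame, control):
    """Respond: risk before and after a proposed course of action."""
    before = risk(v, reports, frame)
    after = risk(replace(v, controls=v.controls | {control}), reports, frame)
    return before, after


def monitor(vulns, old_reports, new_reports, frame):
    """Monitor: weakness IDs whose ranking moved after the intel picture changed."""
    old, new = rank(vulns, old_reports, frame), rank(vulns, new_reports, frame)
    return [vid for vid in new if old.index(vid) != new.index(vid)]


# Constructed inventory and intel. Note VULN-002 has the highest technical
# severity but no actor currently targets our sector with it.
VULNS = [
    Vulnerability("VULN-001", "vpn-gateway", 7.5, exposed=True),
    Vulnerability("VULN-002", "hr-database", 9.8, exposed=False),
    Vulnerability("VULN-003", "intranet-wiki", 6.1, exposed=True),
]
REPORTS = [
    ThreatReport("ACTOR-A", frozenset({"VULN-001"}), frozenset({"finance", "energy"}), 0.7),
    ThreatReport("ACTOR-B", frozenset({"VULN-002"}), frozenset({"healthcare"}), 0.9),
]
# A later report: a new actor starts using VULN-002 against our sector.
NEW_REPORT = ThreatReport("ACTOR-C", frozenset({"VULN-002"}), frozenset({"finance"}), 0.6)

if __name__ == "__main__":
    print("ranking:", rank(VULNS, REPORTS, FRAME))
    print("mfa on VULN-001, before/after:", evaluate_response(VULNS[0], REPORTS, FRAME, "mfa"))
    print("moved after new report:", monitor(VULNS, REPORTS, REPORTS + [NEW_REPORT], FRAME))
```

The point of the toy is the ordering, not the numbers: a high-medium-low scheme would put the 9.8-severity database finding first, whereas likelihood grounded in who is actually exploiting what against organisations like yours puts the exposed VPN gateway first, and the monitor step surfaces the database only once a report ties it to an actor that targets your sector.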
It should now be clear that threat intelligence plays a large and important role in any organisation’s overall risk management strategy. Having the right information in place allows the C-suite to prioritise resources against the threats that actually matter, and in turn allows organisations to develop strategies that strengthen their security programme.