Cyber Threat Intelligence (CTI) – Part 2

Nov 08, 2017 (4 mins)
Cybercrime, Data and Information Security, Network Security

Providing even more clarity to organizations’ cybersecurity programs.


In part one, I outlined what CTI is and where it can be acquired, to demonstrate its value. Here I will dive deeper into how organizations can use this tool efficiently to mature their security programs’ management of today’s threats.

After CTI sources for the company’s threat intelligence program have been selected, the CISO needs to address use cases for how this information can be leveraged to provide value and reduce risk exposure. The use cases that show why CTI is important are as follows:

Improved network security operations 

CTI can be used by the CISO to help improve the performance of the installed technology suite. Next-generation firewalls, IDS/IPS systems and secure web gateways are just some of the technologies that apply rules to block malicious traffic. CTI can be used to validate threat indicators, malware signatures and domain reputations, and it can help reduce false positives. With streaming CTI delivered as a service into these devices, the business should be able to take advantage of near real-time threat analysis.

Patch management prioritization 

Patch management is one of the primary security controls used by all security programs, and it is never 100% effective. The process is time consuming, and even when using patch management solutions that have been automated for their respective enterprise environments, a CISO will still need to prioritize which patches to apply. This is where CTI can help patch management teams save time. CTI can make teams more efficient by prioritizing patches based on vulnerabilities that are being actively exploited and that apply to the current business environment, rather than on a CVSS score.
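The prioritization logic described above, as an added example that is not code from the original post: each vulnerability is first filtered by whether any affected product actually exists in the asset inventory, then ranked by a tier derived from CTI (actively exploited first, then linked to campaigns against the organization's sector, then everything else), with internet exposure and CVSS used only as tie-breakers inside a tier. The CVE identifiers, product names, inventory and feed contents are all constructed placeholders, and the `CtiContext` fields are an assumed stand-in for whatever the selected feed provides, not a real feed schema. A CVSS-only ordering is computed alongside it so the difference is visible.

```python
"""CTI-driven patch prioritization versus a CVSS-only ordering (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    cve: str                    # placeholder ids below, not real CVEs
    cvss: float                 # base score as published
    affected_products: frozenset


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


@dataclass(frozen=True)
class CtiContext:
    """Assumed shape of what the CTI feed reports; constructed, not a real feed format."""
    actively_exploited: frozenset       # exploitation observed in the wild
    used_against_our_sector: frozenset  # tied to campaigns against organizations like ours


def rank_key(vuln, assets, cti):
    """Return a sort key, or None when nothing in the inventory is affected."""
    exposed = [a for a in assets if a.product in vuln.affected_products]
    if not exposed:
        return None  # not applicable to this environment: no patch work to schedule
    if vuln.cve in cti.actively_exploited:
        tier = 0
    elif vuln.cve in cti.used_against_our_sector:
        tier = 1
    else:
        tier = 2
    internet_facing = sum(1 for a in exposed if a.internet_facing)
    # Lower tuple sorts first: tier, then most internet-facing hosts, then most hosts, then CVSS.
    return (tier, -internet_facing, -len(exposed), -vuln.cvss)


def prioritize(vulns, assets, cti):
    """Applicable CVEs ordered by CTI-informed urgency."""
    keyed = [(rank_key(v, assets, cti), v) for v in vulns]
    keyed = [(k, v) for k, v in keyed if k is not None]
    keyed.sort(key=lambda kv: kv[0])
    return [v.cve for _, v in keyed]


def cvss_only(vulns):
    """The ordering a team gets if it sorts purely by CVSS, for comparison."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


# Constructed sample data (placeholder CVE ids and product names).
VULNS = [
    Vulnerability("CVE-0000-0001", 9.8, frozenset({"acme-dbms"})),   # not deployed here
    Vulnerability("CVE-0000-0002", 6.5, frozenset({"acme-vpn"})),    # exploited in the wild
    Vulnerability("CVE-0000-0003", 9.1, frozenset({"acme-cms"})),    # high CVSS, no exploitation
    Vulnerability("CVE-0000-0004", 7.5, frozenset({"acme-mail"})),   # used against our sector
]
ASSETS = [
    Asset("vpn-gw-01", "acme-vpn", internet_facing=True),
    Asset("www-01", "acme-cms", internet_facing=True),
    Asset("mail-01", "acme-mail", internet_facing=False),
]
CTI = CtiContext(
    actively_exploited=frozenset({"CVE-0000-0002"}),
    used_against_our_sector=frozenset({"CVE-0000-0004"}),
)

if __name__ == "__main__":
    print("CVSS only:   ", cvss_only(VULNS))
    print("CTI-informed:", prioritize(VULNS, ASSETS, CTI))
```

Run as a script it prints both orderings: the CVSS-only list leads with the 9.8 that is not even installed, while the CTI-informed list leads with the 6.5 that is being exploited on an internet-facing gateway and drops the non-applicable entry entirely.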

Security operations 

Most enterprise network environments generate more alerts than security operations center (SOC) teams or incident response (IR) teams can properly investigate. Analysts unfortunately triage this deluge of data into events that should be escalated to the IR team, events to investigate when time permits, and events that look normal and are therefore ignored. In this environment, CTI can be used to provide situational awareness. Risk scores can be attached to threat indicators so that a match generates a flag in the security operations center’s SIEM. This would then alert analysts to query the threat database and investigate a high-priority threat anomaly, giving both teams a more efficient use of their time and contextual threat data on the events they are investigating.
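The indicator enrichment and flagging described here, and the indicator validation and false-positive reduction from the network security operations use case above, as one added example that is not code from the original post: a small CTI feed carries a risk score and a source confidence per indicator, constructed firewall/proxy log lines are parsed and matched against it, and each event receives a disposition (escalate, investigate, low-confidence, or none) that a SIEM rule could key on. The feed, the log format and the thresholds are all assumptions for the example; the addresses use documentation ranges and the domains are invented.

```python
"""Enrich log events with CTI indicator risk scores and assign a SIEM disposition (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str         # "ip" or "domain"
    risk: int         # 0-100 risk score attached to the indicator by the CTI source
    confidence: int   # 0-100 how confident the source is in the indicator


# Constructed feed; not a real one. Low confidence on a shared CDN-style domain models the
# kind of indicator that produces false positives if matched blindly.
FEED = {
    "203.0.113.45": Indicator("203.0.113.45", "ip", risk=90, confidence=85),
    "bad-update.example": Indicator("bad-update.example", "domain", risk=75, confidence=60),
    "cdn-shared.example": Indicator("cdn-shared.example", "domain", risk=60, confidence=20),
}

# Assumed key=value log format; adapt the pattern to the real device output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed sample lines (dates taken from the post's publication date).
SAMPLE_LOGS = [
    "2017-11-08T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=- action=allow",
    "2017-11-08T10:00:02Z src=10.0.0.7 dst=198.51.100.9 host=bad-update.example action=allow",
    "2017-11-08T10:00:03Z src=10.0.0.9 dst=198.51.100.20 host=cdn-shared.example action=allow",
    "2017-11-08T10:00:04Z src=10.0.0.11 dst=192.0.2.8 host=intranet.example action=allow",
    "this line is not in the expected format",
]

# Assumed thresholds: escalation needs a high-risk, high-confidence hit; anything below
# the minimum confidence is recorded but not surfaced to an analyst.
ESCALATE_RISK, ESCALATE_CONF = 80, 70
INVESTIGATE_RISK, MIN_CONF = 50, 40


def enrich(line):
    """Parse one line, attach matching indicators, and decide a disposition."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparseable line: count it, do not silently drop it
    event = m.groupdict()
    hits = [FEED[v] for v in (event["dst"], event["host"]) if v in FEED]
    if not hits:
        disposition = "none"
    elif any(h.risk >= ESCALATE_RISK and h.confidence >= ESCALATE_CONF for h in hits):
        disposition = "escalate"
    elif any(h.risk >= INVESTIGATE_RISK and h.confidence >= MIN_CONF for h in hits):
        disposition = "investigate"
    else:
        disposition = "low_confidence"  # matched, but the source is not sure enough to flag
    event["matches"] = hits
    event["disposition"] = disposition
    return event


def triage(lines):
    """Group source hosts by disposition, the shape a SIEM dashboard or rule would consume."""
    buckets = {"escalate": [], "investigate": [], "low_confidence": [], "none": [], "unparsed": 0}
    for line in lines:
        event = enrich(line)
        if event is None:
            buckets["unparsed"] += 1
        else:
            buckets[event["disposition"]].append(event["src"])
    return buckets


if __name__ == "__main__":
    for disposition, hosts in triage(SAMPLE_LOGS).items():
        print(f"{disposition:15s} {hosts}")
```

The same matching loop serves a post-incident sweep: feed it the retained logs and the indicators gathered during the investigation, and the escalate bucket lists the hosts still talking to attacker infrastructure. Tuning the confidence threshold is how the validation point in the network security operations section plays out in practice: the shared-CDN indicator is recorded but does not page anyone.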

Attack/threat analysis 

CTI for this use case can assist IR teams when they are responding to an active cyber incident. When the attack is initially detected, CTI can provide insight into who may be behind the attack, the tactics and tools used to initiate it, and the likely impact to the organization. I personally have used it during incident response to obtain real-time information to search for in triaging the event, and recommended procedures to halt the incident and clean up its aftereffects.

Triage & remediation 

In this final use case, CTI is used by the IR teams and information security teams to document and uncover the impact of a breach event. Unfortunately, cyber criminals will conduct attacks in waves using multiple tools and techniques. I myself have seen attacks where several types of malware were used together. By using CTI, my teams knew which indicators to look for as we searched through the debris left after the intrusion incident. Using CTI in this final case provides context to security teams so they can quickly search for and remove any attacker’s residual connections from the network.

I hope from this discussion I have provided valid points on why cyber threat intelligence should be used to improve security programs and provide valuable benefits to an organization’s strategic business operations. I truly believe CTI is a strategic asset, and CISOs need to incorporate it into their security programs and train their teams on how to efficiently use their selected information sources for the betterment of their company.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks and consolidated legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego, where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee, where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA and OWASP, and is on the Board of Directors for InfraGard. Gary holds numerous professional certifications including CISSP, CISA and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master’s degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
