Following a threat intelligence lifecycle is a best practice, but many organizations have process bottlenecks that impact their entire program.

In my last CSO article, I looked at a few challenges related to enterprise threat intelligence programs. Security pros pointed to issues like dealing with too many manual processes, sorting through noisy threat intelligence feeds, establishing clear ROI benefits, and managing threat intelligence programs that are little more than an academic exercise for the cyber-threat intelligence (CTI) team.

6 phases of an effective threat intelligence program

Given these pervasive challenges, it's logical to ask: What does a strong threat intelligence program look like? While different organizations may answer this question from their own unique perspective, one common trait is that successful CTI programs follow an established threat intelligence lifecycle across six phases. (Note: Some threat intelligence lifecycle models are composed of five phases, as they combine items 5 and 6 below.)

- Planning and direction: At the start of a CTI program, threat analysts meet with executives, line-of-business managers, CISOs, and security teams to define priority intelligence requirements (PIRs). Militaries define a PIR as "an intelligence requirement associated with a decision that will critically affect the overall success of the command's mission." From a cybersecurity perspective, a PIR could be aligned with protecting critical business systems from adversaries targeting similar systems across an industry or region.
- Collection: Based on PIR priorities, threat analysts determine the intelligence they need and how to obtain it. They then proceed with data collection accordingly.
- Processing: Once the data is collected, it needs to be collated, organized, de-duplicated, and checked for data integrity. Effectively, this is the data management phase that translates threat data into human- and machine-readable threat intelligence based on risk, urgency, and priority.
- Analysis: This is where threat analysts earn their pay. The goal here is to comb through threat intelligence data, looking at adversary chatter, behavior, and the tactics, techniques, and procedures (TTPs) they are using for cyber-attacks. Analysis efforts should be in lockstep with high-priority PIRs.
- Dissemination: After analyzing CTI based on PIRs, threat analysts compose and distribute reports tailored to the needs of individual consumers across the business, IT, security, and other areas. These reports should be used as inputs for business (M&A, third-party risk management, etc.) and technology (security investments, controls, user entitlements, etc.) decisions.
- Feedback: Future threat analyst activities should be driven by feedback from CTI consumers. Were reports accurate and timely, or did they miss the mark? How could they be improved? The goal here is continuous improvement.

Following a CTI lifecycle is a best practice, and many companies adhere to this model. According to recent ESG research, 72% of enterprise organizations (those with 1,000 employees or more) have a formal CTI lifecycle model, 24% follow an informal CTI lifecycle model, and 4% don't have a CTI lifecycle model but plan on creating one over the next 12 to 18 months.

Roadblocks to threat intelligence best practices

There is good and bad news here. The good news is that most firms recognize CTI best practices by following a threat intelligence lifecycle. The bad news is that many organizations struggle in one or more of the lifecycle phases described above. ESG asked 364 enterprise security professionals which of the six phases was most problematic at their organization. The data reveals:

- Twenty-one percent struggle in the analysis phase. It's likely these organizations don't have the right data, are overwhelmed with too much data, or don't have the right analytics skills.
- Eighteen percent struggle in the feedback phase. In this case, threat intelligence consumers are getting useless reports, or they don't care enough to work with the CTI team on making the process more effective.
- Seventeen percent struggle in the collection phase. Typically, this means that threat analysts don't know what to collect, or adopt a "more is better" strategy and are buried by intelligence volume. It may also indicate that they don't have clear PIRs from intelligence consumers, so they are winging it a bit.
- Sixteen percent struggle in the production phase. This is likely a technology problem. My guess is that these organizations don't have the right tools to collect, organize, and manage CTI at scale.
- Fifteen percent struggle in the planning phase. Clearly, these firms don't have the right working relationship between CTI analysts and consumers, so they never establish the right PIRs to begin with. These programs are doomed from the start.
- Twelve percent struggle in the dissemination phase. CTI consumers want timely and accurate reports for analysis and decision making. If the CTI team can't create and distribute them succinctly, they won't be very valuable.

Enterprise CISOs may be proud of the fact that they've invested in CTI lifecycles, but they shouldn't rest on their laurels. A successful program must be optimized and well-coordinated across all six phases, based on upfront PIRs and a continuous feedback loop. CTI lifecycles are a prime example of the saying, "The whole is greater than the sum of its parts." To optimize CTI program benefits, CISOs must assess CTI lifecycles in detail to uncover and fix process bottlenecks through ALL six phases.
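The processing phase described above (collate, de-duplicate, check integrity, and rank by risk and PIR priority) as an added worked example; this is illustrative code, not from the article or ESG. The feed records, feed names and the PIR tag weights are constructed for the example.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample records from two hypothetical feeds (documentation-range IP, dummy hash).
RAW_FEED = [
    {"feed": "feed-a", "type": "ipv4", "value": "203.0.113.10", "tags": ["finance", "phishing"], "confidence": 80},
    {"feed": "feed-b", "type": "ipv4", "value": " 203.0.113.10 ", "tags": ["phishing"], "confidence": 60},
    {"feed": "feed-a", "type": "sha256", "value": "A" * 64, "tags": ["ransomware"], "confidence": 90},
    {"feed": "feed-b", "type": "sha256", "value": "not-a-hash", "tags": ["ransomware"], "confidence": 90},
    {"feed": "feed-b", "type": "ipv4", "value": "999.1.1.1", "tags": ["scanning"], "confidence": 40},
    {"feed": "feed-b", "type": "domain", "value": "Example.Test", "tags": ["scanning"], "confidence": 30},
]

# Hypothetical PIR weighting agreed with intelligence consumers: tag -> priority.
PIR_WEIGHTS = {"finance": 3, "ransomware": 3, "phishing": 2, "scanning": 1}

def normalize(record):
    """Canonicalise the value so the same indicator from two feeds compares equal."""
    value = record["value"].strip()
    if record["type"] in ("sha256", "domain"):
        value = value.lower()
    return {**record, "value": value}

def is_valid(record):
    """Integrity check: reject malformed indicators before they reach analysts."""
    t, v = record["type"], record["value"]
    if t == "ipv4":
        try:
            ipaddress.IPv4Address(v)
        except ipaddress.AddressValueError:
            return False
        return True
    if t == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", v) is not None
    if t == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) is not None
    return False

def process(records):
    """Collate, de-duplicate by (type, value), merge feed provenance, rank by PIR priority."""
    merged = OrderedDict()
    for rec in map(normalize, records):
        if not is_valid(rec):
            continue  # drop records that fail the integrity check
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                        "feeds": [], "tags": set(), "confidence": 0})
        entry["feeds"].append(rec["feed"])          # keep provenance of every source feed
        entry["tags"].update(rec["tags"])
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    for e in merged.values():
        e["priority"] = max((PIR_WEIGHTS.get(t, 0) for t in e["tags"]), default=0)
        e["tags"] = sorted(e["tags"])
    # Highest PIR priority first, then confidence, so consumers see what matters most.
    return sorted(merged.values(), key=lambda e: (-e["priority"], -e["confidence"]))
```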