Monday, November 2, 2015

Where in the org chart does your Threat Intel team belong?

I didn't think this was really an issue, but two recent experiences have proven me wrong.  Although organized infosec threat intelligence teams are relatively new, business intelligence teams have been around roughly as long as business.  At Rendition Infosec, I always advise clients that any threat intelligence program needs to understand business context in order to succeed.  This makes integration with the business intelligence teams a natural synergy, even if the data collection and processing methods are different for cyber threat intelligence (CTI).

The other place in the organizational structure where a threat intel team makes sense is working closely with the SOC and IR teams.  The CTI team can provide indicators to search for, advise in tuning the SIEM and other devices to minimize false positives, and provide good overall value for the security dollars spent.

So where shouldn't you place your threat intel team?  Two places I've seen them fail recently is under vulnerability management (VM) and governance risk and compliance (GRC).  The logic provided for attaching the CTI team to the VM team was that CTI often notified the organization of new zero day threats being used in the wild (e.g. Pawnstorm attacking flash, again) and these should be better understood by the VM team. On the GRC side, the organization figured that if there was a threat identified by CTI, that GRC should create policies to prevent the threat actor from being effective.

Both VM and GRC sound almost sane, but neither is a logical home for a CTI team.  This isn't to say that the CTI team can't provide value to both GRC and VM, but simply doesn't line up best there.  And the org chart matters.  Units that fall at the wrong place in the org chart consistently see their budgets slashed and results marginalized.  And that's not because they aren't doing great work, only because they had the misfortune of working in a sub-optimal reporting chain.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.