Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
Now that we spent some time talking about tactical and operational information sharing, let's talk about strategic information sharing.
00:13
If you recall, the
00:15
tactical and operational timelines are obviously much shorter.
00:19
These could be from a few months up to a year, a year and a half,
00:23
whereas a strategic timeline might be 2 to 5 years,
00:28
again, depending on who you ask,
00:30
you might want to verify some of these definitions if there's a standard within your organization.
00:37
Part of the goal with strategic planning is trying to make your business case for a CTI program
00:44
in much the same way that you would make a business case for a cybersecurity program of which CTI is only a part. Sometimes the support of executives can be a little bit challenging,
00:55
challenging to obtain. That is,
00:58
it's one thing to just provide a budget and say that the program will be funded.
01:03
But it's another to have the moral support and visibility that a true executive champion can bring to the table.
01:11
A champion or an advocate in this context is pretty important because it lets other entities within the organization know that this is an important activity
01:21
and it should be supported. And, uh, there should be some expectation of cooperation during the times when the
01:30
practitioner needs extra help from other teams. For instance, in the assistance for forensic investigations, what have you. The idea of trying to become proactive
01:41
is also an important path to be headed on. As we can see from past experience,
01:47
always being reactionary, trying to deal with problems after they've already happened
01:53
is quite often a losing proposition.
01:56
The damage is already done,
01:57
and the analyst or your incident response and other individuals are always playing catch up and trying to figure out
02:06
what they could have done better to prevent this from happening in the first place.
02:09
That's why trying to get on a more proactive footing is so vital.
02:14
And of course, that's also why it's so challenging because it's not easy to
02:19
look at some pattern of behavior and
02:23
make a realistic prediction as to something that's about to happen. Based on past events,
02:28
that is part of the art and science of this line of work, and we've talked about that a little bit in some prior sections.
02:36
The owners of an organization or its highest level leadership are certainly going to need
02:42
a,
02:43
ah, large amount of information in order to make an important decision about something so vital as the CTI program.
02:51
You might think about, from a
02:53
senior leadership point of view, you might think, well, what is my return on investment?
02:59
If we take $1,000,000, let's say, and put it into a new program,
03:04
which might include some hardware and software might include staff
03:07
certainly would include some training, whether it's vendor provided training or
03:14
on the job training.
03:15
There is an expectation that this effort will take some time to be productive.
03:23
In addition to the initial cost of a CTI program, you also have to think about the total cost of ownership.
03:32
Sometimes you see this variable assigned to
03:38
hard assets like software and hardware
03:42
and other pieces of physical infrastructure.
03:45
But it could also apply to a CTI program.
03:49
Because of the invent, the investment of hardware and software and staff and training,
03:55
there are expected to be ongoing costs as that program goes through its annual fiscal year. For instance,
04:03
maybe there's an allotment for training
04:05
or an allotment for
04:08
the support agreements that are needed for the software tools or the hardware platforms that are used to
04:15
provide that,
04:17
uh, functionality to the organization.
04:21
So the financial forecasting in a strategic sense is certainly important so that appropriate budget levels can be
04:30
dealt with on a year-over-year basis.
04:34
Other aspects of people that are having their hands on the purse strings, so to speak,
04:42
would be making sure that
04:44
not only is the financial portion acceptable, but also that the information coming back to the organization truly has some value.
04:54
Under ideal circumstances, the organization should
04:59
be building up assurance or confidence in its capabilities to handle
05:03
cyberthreat events.
05:06
Also in its ability to handle the analysis required after an event has happened in order to perform the appropriate
05:14
research and out of and investigation
05:17
to get to a point where there are the
05:21
activity can be more readily recognized
05:24
and more easily prevented.
05:27
And this also would translate well into thinking about reduced response time.
05:32
The time point from an indication of a problem to a confirmed detection to the actual remediation response should be getting shorter over each year as the program matures.
05:46
that would be expected anyway.
05:48
It's not easy to achieve. There are a lot of factors that are beyond the control of the analyst or the security practitioner, and you're really doing the best you can with what you've got available.
06:01
The quality assurance levels as it relates to
06:08
published information or for, ah,
06:10
intelligence has generated,
06:12
is also something that's difficult to achieve
06:15
As a program matures.
06:17
There is more, hopefully, more reliance on the hard work and dedication of the individuals on the teams
06:27
to produce intelligence that
06:29
can be relied upon. It's shown value in the past.
06:31
The practitioners are taking the time to make sure they don't introduce any errors, getting rid of bias and some other things that we talked about in earlier sections.
06:42
When this is done correctly, then it becomes simpler for
06:46
the intelligence being produced to have perceived value.
06:51
And this also helps justify budgets for the entire program, which includes a salary of staff, additional training, hardware and software acquisitions and so on.
07:02
One of the easiest ways to
07:05
provide this feedback loop to executive decision makers is
07:10
something as simple as a security status report.
07:14
I talked about security status reports in earlier sections
07:16
and their overall value. There's
07:20
many different opinions about how often they should be produced. We could think about the two major
07:27
triggers for a security status report that would be a time based trigger or an event based trigger.
07:32
Time based means, of course, that's coming out every day or every week.
07:35
Some other level of reporting might come on every month or every quarter.
07:41
But event-based triggers are probably gonna be a lot more common, where there's been some event,
07:46
some incident
07:47
and a report has to be generated so that
07:50
management can appropriate,
07:55
not appropriate, but can formulate the correct risk response.
08:00
And we talked about risk response in earlier sections as well. These are things like accepting the risk, ignoring it, sharing it, transferring it
08:07
and so on.
08:09
So these reports have a lot of value to the organization and cannot be overlooked
08:15
as a way to keep making incremental improvements in the assurance and confidence levels.

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor