While cyber threat intelligence (CTI) and vulnerability management functions should work closely together, they have different objectives.
CTI provides important context that informs vulnerability management decisions: final prioritization considers both the criticality of a vulnerability and whether threat actors are actively exploiting it in the real world. But the two play very different roles.
Some firms combine CTI and vulnerability management, but that is not generally considered a best practice. Because vulnerability management has limited resources, CTI analysts can get pulled into day-to-day remediation activities, leaving too little attention for CTI work itself. CTI functions should continuously monitor the threat environment, since a routine vulnerability you’ve seen many times can suddenly be exploited in the wild and become a critical issue.
It isn’t practical to patch everything. When implemented correctly, CTI helps vulnerability management and operations teams put scan results into the context of their organization’s threat landscape. With the proper threat intelligence, it’s
easier to answer simple questions like:
The most effective organizations consider combining internal scanning data with external intelligence to understand which vulnerabilities are being actively exploited and which are not. They then focus efforts on the issues with the highest criticality
and the greatest chance of exploitation. While the two teams need to work closely together, there is little value to be gained by combining them.
Vulnerability management organizations without an effective CTI function tend to make the mistake of ranking findings and then remediating by criticality alone. This “by the numbers” approach adopts identifier and scoring schemes such as Common Vulnerabilities and Exposures (CVE) naming and the Common Vulnerability Scoring System (CVSS) without asking whether threat actors are actively exploiting the vulnerabilities. The focus is on technical exploitability rather than on active exploitation. This is where CTI can add the most value.
To be effective, CTI functions should consider avoiding the following:
Allowing CTI to focus on context, the SOC to focus on security monitoring and vulnerability management to focus on the mechanics of security remediation provides the most value for an organization.
No matter where CTI functions report, they must keep communication clear, relevant, actionable and timely. Meaningful threat intelligence provides context, so organizations can take informed action based on risk. Consider the following:
The SOC, vulnerability management and CTI functions need to work in harmony to provide the most value to an organization. Each function has a separate responsibility, but when they communicate and work together, they can provide a tremendous amount of
value by helping an organization focus on the most critical and likely-to-be-exploited issues.
January 20, 2022
By IANS Faculty