While cyber threat intelligence (CTI) and vulnerability management functions should work closely together, they have different objectives:
CTI provides important context that can aid in vulnerability management decisions, because final prioritization considers both the criticality of a vulnerability and the type of threat actors that may be actively exploiting these vulnerabilities in the real world. But the two play very different roles.
While some firms combine CTI and vulnerability management, that is not always considered a best practice. Because vulnerability management’s resources are limited, CTI analysts can get pulled into day-to-day remediation activities, which can leave too little attention for CTI work itself. CTI functions should continuously monitor the threat environment, since a threat can quickly go from being a routine vulnerability you’ve seen many times to something suddenly being exploited in the wild and becoming a critical issue.
It isn’t practical to patch everything. When implemented correctly, CTI helps vulnerability management and operations teams put scan results into the context of their organization’s threat landscape. With the proper threat intelligence, it’s easier to answer simple questions like:
The most effective organizations consider combining internal scanning data with external intelligence to understand which vulnerabilities are being actively exploited and which are not. They then focus efforts on the issues with the highest criticality and the greatest chance of exploitation. While the two teams need to work closely together, there is little value to be gained by combining them.
Vulnerability management organizations without an effective CTI function at hand often make the mistake of ranking threats and then remediating strictly by criticality. This “by the numbers” approach tends to adopt classification systems, such as Common Vulnerabilities and Exposures (CVE) naming and the Common Vulnerability Scoring System (CVSS), without considering whether threat actors are actively exploiting the vulnerabilities. The focus is on technical exploitability rather than on active exploitation. This is where CTI can add the most value.
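The contrast between a “by the numbers” CVSS ranking and an exploitation-aware ranking, as an added example that is not part of the original post. The scan results and the set of actively exploited identifiers are constructed placeholders, and treating internet exposure as a tie-breaker is an assumption of this example, not a recommendation from the page.

```python
"""Exploitation-aware prioritization of scan findings (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str             # identifier as reported by the scanner (placeholder)
    cvss: float          # CVSS base score reported by the scanner
    asset: str           # hostname of the affected asset
    internet_facing: bool


# Constructed scan output; the CVE identifiers are placeholders, not real ones.
SCAN_RESULTS = [
    Finding("CVE-0000-0001", 9.8, "build-srv-01", False),
    Finding("CVE-0000-0002", 6.5, "web-gw-03", True),
    Finding("CVE-0000-0003", 7.5, "db-core-02", False),
    Finding("CVE-0000-0004", 5.3, "web-gw-04", True),
]

# Constructed CTI feed: identifiers CTI reports as exploited in the wild.
ACTIVELY_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0004"}


def by_the_numbers(findings):
    """Rank purely by CVSS score, as a team without CTI context would."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def priority_key(f: Finding, exploited: set) -> tuple:
    """Sort key: active exploitation first, then exposure (assumed), then CVSS."""
    return (f.cve in exploited, f.internet_facing, f.cvss)


def with_cti_context(findings, exploited=ACTIVELY_EXPLOITED):
    """Rank so that actively exploited issues lead regardless of raw CVSS."""
    ordered = sorted(findings, key=lambda f: priority_key(f, exploited), reverse=True)
    return [f.cve for f in ordered]


if __name__ == "__main__":
    # The 9.8 finding drops behind two medium-severity but exploited issues.
    print("CVSS only:", by_the_numbers(SCAN_RESULTS))
    print("With CTI: ", with_cti_context(SCAN_RESULTS))
```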
To be effective, CTI functions should consider avoiding the following:
Allowing CTI to focus on context, the SOC to focus on security monitoring and vulnerability management to focus on the mechanics of security remediation provides the most value for an organization.
No matter where CTI functions report, they must keep communication clear, relevant, actionable and timely. Meaningful threat intelligence provides context, so organizations can take informed action based on risk. Consider the following:
The SOC, vulnerability management and CTI functions need to work in harmony to provide the most value to an organization. Each function has a separate responsibility, but when they communicate and work together, they can provide a tremendous amount of value by helping an organization focus on the most critical and likely-to-be-exploited issues.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research