Threat intelligence is a great tool to use if used correctly. The more I talk to folks around the world, I've realized that part of the problem is that even if they have the threat intelligence capability, the information that they get is really used only for reporting purposes. If there is one thing that isn't helpful it's a report for reporting's sake. If we cannot act on the information that we receive from the tools that we use, it was wasted time and effort to put the report information together in the first place!

My point is that once we start talking about information, we want to analyze it to provide the most actionable items for our teams to take on. But before we start getting to that point, we need to know where we get the information from and how we can tailor it to our needs. For threat intelligence, I've created a two-level capability maturity model to specifically tackle a few things.

Capability Maturity Model—threat intelligence:

• Level 1: Threat intelligence collection capability:
  • At this level, we are going to discuss the phases of maturing the capability to collect the information that we need and make it relevant to our organization
• Level 2: Threat intelligence integration and dissemination:
  • At this level, we are going to take the information that we've gathered and go through the phases of maturing the process in which we can integrate it into the operational team
  • We will also discuss what we can expect as outputs from the operational teams and how we can aggregate information to a threat intel dashboard for use at all levels of decision-making