Content provided by Nisos, Inc. All podcast content, including episodes, artwork and podcast descriptions, is uploaded and made available directly by Nisos, Inc. or its podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the procedure described here: https://pl.player.fm/legal.

Properly Defining a Threat Management Department within Enterprise with Senior Manager of Nvidia Chris Cottrell

37:17
 

Manage episode 348268913 series 3331602

In Episode 86 of TheCyber5, we are joined by Senior Manager of Threat Management for Nvidia Chris Cottrell.

Here are six topics we discuss in this episode:

  • What is a threat management department within enterprise security?

Threat management departments are usually formed once security teams mature and have table-stakes functions in threat intelligence, red team, penetration testing, and threat hunting. These functions typically come after compliance, risk, governance, vulnerability management, and the security operations center (SOC) are operational. Unfortunately, threat management is not a well-defined term in the enterprise. For example, what one organization calls "threat hunting" could be what another company calls a SOC escalating alerts.

  • Incident Response’s Role in Threat Management

Incident response is usually a separate capability from threat management (red team, threat hunting, threat intelligence) and from the governance, risk, and compliance (GRC) roles. Incident response is a reactive capability that can find an actor inside the environment, whereas the SOC is the first reactive capability to stop the attacker at the perimeter. Threat management is still considered a proactive capability that keeps attackers out at the perimeter.

  • Defining the Roles within Threat Management

Threat Hunt: Expert-level investigators who know how to review network telemetry with a variety of tools and alerts, find an anomaly, and investigate whether an adversary is inside the environment. They usually take their clues from incident response, the red team, or threat intelligence.

Threat Intelligence: Expert-level analysts and engineers who review the types of threats that could target the organization and develop alerts and playbooks for threat hunters. They also have many other roles depending on the business.

Red Team: Penetration testers who emulate or simulate adversaries within the environment to determine which alerts should be created and prioritized.

  • Threat Intelligence Must Start with Business Requirements

Threat intelligence is meaningless and not contextualized until analysts understand how the business makes money and the corresponding risks that could disrupt the business. Building a threat intelligence program from scratch can take up to a year, and the first six months will be building relationships with the business before any feeds can start to be incorporated.

  • Stories are the Best Metrics for Threat Intelligence Programs

Mean time to respond and mean time to alert are table-stakes metrics for the SOC, but they are outside the control of the threat management team (red team, threat intel, etc.). The better metrics for threat intelligence teams are success stories in which information was actioned by a business unit and risk was averted.

  • Reactive Capabilities When An Incident Occurs

The threat management department becomes critical during a security incident. Red teamers have the mindset to look for mistakes in a vulnerability or in network defenses; threat hunters have the mindset to look for mistakes made by adversaries. The same mindsets are critical when investigating security events and incidents alongside the incident response team. Threat intelligence can conduct external threat hunting outside the firewalls when an incident occurs.


91 episodes
