Corporate Information Security

Threat Intelligence and Security Operations

15 November 2019

Geneve, Switzerland - Hosted by Richemont


Most facets of information security have changed dramatically in the last 5-10 years, but probably none more so than the need for ongoing security operations and threat intelligence, both in their own right and in support of every other aspect of security. Indeed, much of the work implied by "identify, protect, detect, respond, recover" falls on security operations. In this roundtable we will compare notes on the current threat landscape and on how we detect and respond to it, across four sessions, each with its own questions to consider.

In the first session, we will compare how each of us sees the threat landscape today, how threats combine with our own vulnerabilities to cause problems, and which emerging threats we expect to matter next. We will take both a current-state and an emerging (trending) view of this topic. In the second session, we will focus on how and where each of us obtains threat intelligence, for what purpose, how we use it, and what is working and what is not. In the third, we will discuss running, or using, a Security Operations Center, and in the fourth we will wrap things up. Some of the questions we will address during the sessions are:

  • What does the cyber threat landscape look like today? How different is it than 12-18 months ago?

  • What trends do you see in the types of threats, the actors and their goals? Do they fit together, and if so, how?

  • What does the cyber threat landscape look like specifically for your corporation?

  • What threats are you most concerned about for your corporation and what form do they take? Malware? Sophisticated phishing? Denial of service? Advanced persistent threats? Industrial espionage? Security of industrial control systems? Compromise of financial or payment systems?

  • How are you tracking the threat picture and potential threats? What are today's effective "intelligence" methods?

  • Do you have a corporate information security intelligence function, or do you simply buy various feeds? If you have such a function, what is its charter? If not, who looks at the feeds?

  • Regardless of how you are set up, do you receive intelligence feeds or services at different levels, for instance strategic, operational and tactical? Do you proactively produce your own?

  • Do you have a Security Operations Center? What does it look like? Is it outsourced, done internally, a blend?

  • What is the function of your SOC? Is it "just" alert handling, intrusion detection and first-level response, or something more?

  • How do you do the vital work of detection and incident response?

  • Sophisticated threat actors often penetrate networks without triggering a single alarm. Do you do any proactive threat hunting to ensure nothing suspicious or malicious is lurking in your environment?

  • How does threat intelligence feed into your SOC? Does the intelligence function sit with your SOC?