Creating an Intelligence-Led Security Organization
I recently had the opportunity to sit down with Roland Cloutier, Global Chief Security Officer at ADP and former CISO at EMC, to discuss how they integrate and leverage threat intelligence into their security operations centers as well as their greater security technology infrastructure. It’s pretty rare for the CISO of a F500 company to discuss what technologies they use in such an open way, but it was really a testament to the trust they have for the solutions they have chosen. To hear Roland discuss it himself, watch the video at the end of this post or read the case study.
ADP has created a much more proactive, and dare I say “predictive,” security program than most. They are consuming threat intelligence from numerous sources, including AMP Threat Grid, to create what Roland dubbed ‘intelligence-led decision making.’ How is this different from today? Most security organizations, whether it’s analysts in the Security Operations Center (SOC) or the <<other group>>, tend to be in a very reactive mode. They see an alert pop up on screen and start to scramble. It’s tough to get ahead of the game when the technology you’ve invested in is merely a reactive one. Roland and his team have spent the time to develop and execute on a strategy that has flipped this model and puts them in a very proactive position. So how have they done this? A few key elements:
Threat intelligence can be nebulous and unwieldy. I wrote another blog that identifies three key capabilities to consider when evaluating threat intelligence solutions. Often the data comes in various formats and can be difficult to consume. Worse yet, it contains nothing more than a list of known bad IPs or repackaged open source threat intelligence that lacks the contextual data needed to make decisions. The team at ADP has carefully evaluated and chosen threat intelligence solutions that don’t have these limitations and implemented them.
- High Fidelity Data
Integrating threat intelligence is great, but it can often be very noisy or create excessive redundancy, both of which lead to inefficiency. ADP has carefully integrated high fidelity data sources into their environment to provide maximum value.
The key to the success of their implementation lies in how they consume the threat intelligence. To create an intelligence-led security program, the team has automated the consumption across their infrastructure, from the edge to the endpoint, using APIs and other simple integration techniques. Whether it’s their network monitoring tools or security analytics technology, using an API to ingest threat intelligence allows them to dictate when and how this data will be consumed. Automating the consumption and dissemination of this data across their environment ensures security technologies stay abreast of current threats.
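To make the consumption problem concrete, here is an added example (not ADP’s or Cisco’s code, and not from the case study) of the kind of normalization layer that sits between threat intelligence feeds and the tools that ingest them. It takes two constructed feeds, one context-rich JSON feed and one bare list of IPs, merges duplicates across sources, and drops indicators that lack context or fall below a confidence threshold; the feed formats, field names and threshold are assumptions for illustration.

```python
import csv
import io
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample feeds using documentation address ranges; not real indicators.
# Feed A carries context per indicator; feed B is a bare IP list with no context.
FEED_A_JSON = json.dumps([
    {"indicator": "198.51.100.7", "type": "ip", "confidence": 90,
     "context": {"malware": "example-loader", "first_seen": "2015-03-01"}},
    {"indicator": "198.51.100.7", "type": "ip", "confidence": 85,
     "context": {"malware": "example-loader", "first_seen": "2015-02-20"}},
    {"indicator": "evil.example", "type": "domain", "confidence": 40, "context": {}},
    {"indicator": "203.0.113.9", "type": "ip", "confidence": 95,
     "context": {"campaign": "example-campaign"}},
])
FEED_B_CSV = "indicator\n198.51.100.7\n203.0.113.9\n192.0.2.1\nnot-an-ip\n"

@dataclass
class Indicator:
    value: str
    kind: str
    confidence: int
    context: dict
    sources: set

def parse_json_feed(raw: str, source: str) -> list:
    """Parse a context-rich JSON feed (assumed schema) into Indicator records."""
    return [Indicator(e["indicator"], e["type"], int(e["confidence"]),
                      e.get("context", {}), {source}) for e in json.loads(raw)]

def parse_ip_list(raw: str, source: str) -> list:
    """Parse a bare CSV IP list; it carries no context, so confidence starts at 0."""
    out = []
    for row in csv.DictReader(io.StringIO(raw)):
        try:
            ipaddress.ip_address(row["indicator"])
        except ValueError:
            continue  # skip malformed entries rather than poisoning the blocklist
        out.append(Indicator(row["indicator"], "ip", 0, {}, {source}))
    return out

def consolidate(indicators: list, min_confidence: int = 70) -> dict:
    """Merge duplicates across feeds (max confidence, union of context and sources),
    then keep only indicators with context and confidence >= min_confidence."""
    merged = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key not in merged:
            merged[key] = Indicator(ind.value, ind.kind, ind.confidence,
                                    dict(ind.context), set(ind.sources))
            continue
        cur = merged[key]
        cur.confidence = max(cur.confidence, ind.confidence)
        cur.context.update(ind.context)
        cur.sources |= ind.sources
    return {k: v for k, v in merged.items()
            if v.context and v.confidence >= min_confidence}

def build_blocklist() -> dict:
    """Ingest both constructed feeds and return the consolidated, high-fidelity set."""
    return consolidate(parse_json_feed(FEED_A_JSON, "feed_a")
                       + parse_ip_list(FEED_B_CSV, "feed_b"))
```

Only the two IPs that carry context and high confidence survive; the context-free domain and the bare-list-only IP are dropped, and the surviving records show which feeds corroborated them.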
Securing operations at ADP is an essential part of their business. They can’t risk having systems or data compromised in their line of work. As you’ll hear Roland explain in the video, “Security, risk and privacy are synonymous with business operations protection. It is simply how we design our business.” That’s what having an intelligence-led security organization is all about.