"After bootstrapping a cyber-threat intelligence program and garnering initial success, where does one go next? For our program, this meant expanding from IP-address-only intelligence to include domain-based intelligence; identifying control points and sources of local domain-based intelligence; and developing metrics on our program to share with the campus and leadership. After a quick review of our core threat-intelligence program tenets, we’ll dive into our tool choices, discuss special considerations when dealing with domain-based intelligence, and share the metrics we’ve chosen to track and share within our community. This is a topic specific/intermediate level session.
Outcomes:
* Understand the core tenets of a successful threat-intelligence program
* Identify options for domain intelligence collection and control enforcement
* Evaluate a set of metrics for measuring a threat-intelligence program"
Security Architect & CSIRT Program Manager, Duke University