The Great Threat Intelligence Debate

The main goal for threat intelligence and threat sharing is to get at that much-needed greater context into the events happening on your network or your ‘piece’ of the Internet and how it interacts with the rest of the Internet. It can also make up for the lack of greater context into simple events logged in legacy technologies (firewalls, IDS, anti-virus.) Getting at the why, where, and how of a security event versus just knowing that the event or the indicator of compromise exists.

The problem with threat intelligence is that it’s become a bit of a big data headache. For effective threat intelligence, you need a giant store of the known ‘bad’— something that changes a million times a day—and the majority of the known bad, you might never interact with at all. It may never apply to your particular slice of the Internet. The efficiencies and costs associated with storing that amount of data isn’t very appealing to most, despite the upside to having your hands on what could be some really great insight into the threats your network is or could be exposed to. This is why many vendors are partnering up to create these shared threat intelligence groups—taking the big data burden off of one and spreading it among many, but in a trusted, smaller-scale, but still effective, environment.

Given the influx of threats coming at you from every possible angle, entry-point and vector, what is really needed to stay ahead of attackers? Context. That context can help you gauge risk, prioritize your security responder’s time, and move on to the next threat (among many) at hand. In other words, don’t focus on threat intelligence merely for its sake—or because it's the latest hot buzzword in the industry. Threat intelligence data not only needs to be actionable and proven, it also needs to be easily accessible for incident responders to be efficient and effective.

The goal of threat intelligence shouldn’t be corroborating bad data with more questionable data (because threat intelligence isn’t always proven), but it should be about searching out the best data that fits the risk profile of your particular organization, industry, and risk. At the end of the day, threat intelligence is about tracking the threat actors; naturally everyone will have a different slant or specialty on this. Ultimately, threat intelligence should make a marked improvement over existing staff and processes. If you have a giant library and no time to read anything in that library, then all you have is a bunch of books. No action, no intelligence.