Weighing Your Threat Intelligence Options

Posted: 8th March 2018

Threat intelligence products and services come in all shapes and sizes. Some provide very specific kinds of intelligence, some consolidate and aggregate threat data, and some give you access to expert analysis.

If your organization is looking to make an investment in threat intelligence, you’ll need to evaluate what different vendors deliver, how they align with your objectives, and the advantage they’ll bring to your security strategy.

Below we weigh different considerations to help you make a more informed decision.

Data vs. Insights

There’s no doubt that the breadth of sources your threat data comes from will be an important factor in the success of your threat intelligence program.

But at the same time, one of the most common issues with threat intelligence is an imbalance between data and insights. Put another way, security teams spend far too long processing alerts that simply aren’t relevant to their organization, network infrastructure, or industry.

When considering which solution will best help you reach your objectives, it’s vital to weigh the balance of data sources versus insights that each solution will deliver. You need a solution that consumes data from a wide range of sources, but also one that can contextualize and prioritize relevant alerts while cutting out the noise.

Speed vs. Context

Balancing speed and context is perhaps the most important factor in the production of actionable threat intelligence.

Without context, determining a suitable response to alerts is very difficult. However, context can’t always be found instantaneously, and many security events are time sensitive. Taken to extremes, this can result in making the right decision very slowly, or the wrong decision very quickly.

This is why striking a balance is so important. To provide maximum benefit, you need a solution which can balance the speed of new data with the context you’ll need to make a quick decision based on actual risk.

Human vs. Machine

For decades now, machines have been “on the verge of replacing humans” in many areas of activity.

For the most part this simply hasn’t happened. Machines have become an invaluable asset in almost every endeavour, but outside of menial tasks, there are very few cases where machines have completely removed the need for human involvement.

There is one simple reason for this: Machines are outstandingly good at some tasks (e.g., completing a huge number of calculations very quickly or labelling inputs based on pre-programmed conditions), and extremely bad at others. In particular, machines are totally incapable of critical decision making.

This is why it’s so important to identify a solution which strikes the right balance between human and machine involvement.

The sheer volume of available data makes collection and processing functionally impossible for humans to perform alone. Even with alerts aggregated and normalized into one location, as they are by simple threat intelligence platforms, security teams are quickly overwhelmed.

An effective solution is one in which the simple tasks — data aggregation, comparison, labeling, and contextualization — are completed by machines, leaving humans to do what only they can: make effective, informed decisions.

Reports vs. Integration

Excluding the automation of simple and repetitive tasks, the primary benefit offered by threat intelligence is to inform human decision making. This can happen in one of two ways:

  1. Reports are produced and used to inform high-level strategic decisions.
  2. Individual, contextualized alerts are used to inform operational decisions.

Striking a balance between these two approaches will depend heavily on your specific objectives.

Threat reports, whether produced internally or by a security vendor, can provide strong insight into broad industry trends, commonly used threat vectors, and emerging TTPs. This type of intelligence is highly valuable when making investment decisions or hammering out policy documents.

On the other hand, more operational objectives such as empowering vulnerability management or incident response benefit far more from having specific and relevant contextualized intelligence in the right place, at the right time. This is where integration comes in.

Many threat intelligence solutions are intended for integration with a variety of security technologies such as vulnerability scanners and SIEMs, either in the form of turnkey integration with established partners or APIs. Depending on your specific needs, you will want to ensure a chosen threat intelligence solution is capable of integrating with your existing systems via one of these approaches.

Striking a Balance

It’s important to understand that none of the considerations outlined above are “either-or” situations. Identifying the best solution for your specific needs is a case of determining the outputs you’ll need to inform better decision making.

In reality, none of these variables is inherently “better” than any of the others. Without machines to aggregate and contextualize data, there is very little security teams can do to produce intelligence. And without a reasonable turnaround time, all the context in the world is useless — late decisions are often no better than wrong decisions.

Always keep your use cases front of mind and follow this mantra as you look to identify the right solution for threat intelligence:

Decide what you need threat intelligence for and choose the solution that not only best provides what you need to achieve it today, but also adds the potential to become a partner that both equips and enables your security teams as you move forward.

You can find much more information and guidance on choosing a solution by downloading our “Buyer’s Guide to Cyber Threat Intelligence.” It also comes with an RFP template you can use to be sure you’re asking vendors all the right questions.