4 Key Threat Intelligence Capabilities to Look for Before You Buy
By Chris Pace on March 1, 2018
The merits of threat intelligence as a component of a cybersecurity strategy are now being widely understood. While vendors and service providers vary in terms of the types of intelligence they provide, there are some things threat intelligence simply must do. Without them, your threat intelligence initiative will be at best cumbersome, and at worst a distraction from the day-to-day business of securing your organization.
Originate From a Wide Breadth of Sources
To be truly valuable, your threat intelligence program must consider the broadest possible range of sources within the scope of the objectives you set.
Let’s say your program is designed to highlight the most important vulnerabilities for remediation. Clearly, you’ll need to consume a full range of feeds to ensure you’re informed of each newly identified vulnerability immediately.
But it shouldn’t stop there. If you’re only harvesting intelligence from open source threat feeds, you will lack the context necessary to make informed decisions. How could you possibly know which of the thousands of vulnerabilities discovered each year should be patched first? Or whether you should act immediately, rather than wait for the next scheduled maintenance period?
Whatever its objectives, if your threat intelligence program consumes inputs from the broadest possible range of relevant sources, you will stand a much better chance of allocating your limited security resources appropriately.
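The prioritization problem the preceding paragraphs describe, as an added example that is not part of the original article or any vendor's product: a bare feed entry (CVE id, CVSS score) is combined with context the feed alone cannot supply, namely whether exploitation has been reported, whether a patch exists, and which assets in your own inventory are affected and how exposed they are. The CVE ids, asset names, weights and thresholds are all constructed placeholders, not a published scoring scheme.

```python
"""Added example (not from the original article): ranking vulnerabilities by
combining an open feed with organizational context. CVE ids, assets, weights
and thresholds below are constructed for illustration only."""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float            # base score as delivered by the open feed
    exploit_seen: bool     # context: exploitation reported in the wild
    patch_available: bool  # context: vendor fix exists
    affected_assets: list  # names matched against the internal inventory


# Constructed internal inventory: name -> (internet exposed?, criticality 1..5)
ASSETS = {
    "web-01": (True, 5),
    "db-01": (False, 5),
    "dev-box-07": (False, 1),
}

# Constructed feed entries; CVE-0000-* ids are placeholders, not real CVEs
FEED = [
    Vuln("CVE-0000-0001", 9.8, False, True, ["dev-box-07"]),
    Vuln("CVE-0000-0002", 7.5, True, True, ["web-01"]),
    Vuln("CVE-0000-0003", 5.3, False, True, []),
    Vuln("CVE-0000-0004", 8.1, False, False, ["db-01"]),
]


def priority_score(v: Vuln) -> float:
    """Severity from the feed scaled by the most exposed affected asset,
    then adjusted for exploit activity and patch availability."""
    if not v.affected_assets:
        return 0.0  # nothing in the estate is affected: no action needed
    exposure = max(
        crit * (2.0 if exposed else 1.0)
        for exposed, crit in (ASSETS[a] for a in v.affected_assets)
    )
    score = v.cvss * exposure
    if v.exploit_seen:
        score *= 1.5       # active exploitation outranks a higher raw CVSS
    if not v.patch_available:
        score *= 0.8       # still tracked, but the action is mitigation, not patching
    return round(score, 2)


def rank(vulns):
    """Highest priority first."""
    return sorted(vulns, key=priority_score, reverse=True)


def recommend(v: Vuln) -> str:
    """Map the score onto the decision the article raises: patch now, or wait."""
    score = priority_score(v)
    if score == 0:
        return "no affected assets"
    if score >= 50:
        return "patch immediately"
    if score >= 20:
        return "next maintenance window"
    return "track"


if __name__ == "__main__":
    for v in rank(FEED):
        print(f"{v.cve}: score={priority_score(v):>6}  -> {recommend(v)}")
```

Note that the highest raw CVSS entry (9.8) lands near the bottom once context is applied: it only touches a low-criticality, non-exposed host, while a 7.5 that is being exploited against an internet-facing system rises to the top. That inversion is exactly the decision an open feed on its own cannot make for you.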
Deliver Relevant Insights
Clearly, intelligence can only be considered useful if it is relevant to your specific needs. It’s easy to become distracted by the latest alerts, but in many cases they may be more interesting than they are actionable.
If you receive too many irrelevant alerts, your analysts will quickly find themselves bogged down in false positives, and ultimately, less able to perform the function they were hired for.
This doesn’t mean every alert must be directly related to your organization, however. Intelligence relating to your business operations, technology infrastructure, supply chain, partners, and even your competitors, can all be considered “relevant” in the sense that it may alter your decisions.
Integrate With Your Existing Security Infrastructure
There are two keys to avoiding being overwhelmed by threat intelligence: context and automation. In both of these areas, integration with existing systems and sources of intelligence can play a huge role.
By combining internal and external data points, genuine intelligence can be produced that is both relevant to your organization and placed in the context of the wider threat landscape. This is the primary reason why so many threat intelligence solutions are designed to integrate with SIEMs, and the combination of internal and external sources can help cut through the noise and identify the most urgent issues.
But it doesn’t stop there. When your threat intelligence solution is fully integrated with other internal systems, the opportunity to automate repetitive tasks presents itself.
Because of the massive volume of available data, both internal and external, human security teams simply cannot keep up with basic tasks such as keeping firewall rules up to date. Machines, on the other hand, perform this type of task with ease so long as they have the data they need, which is why integration between threat intelligence solutions and other security systems works so well.
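The two ideas in this section, enriching internal events with external context to find the urgent issues and then automating a repetitive task from the result, as one added example that is not part of the original article or any vendor's integration: internal key=value log lines (constructed, in the style a SIEM might export) are joined against an external indicator feed (also constructed), stale indicators are dropped, matches are ranked by the feed's confidence, and only matches above a confidence threshold are turned into firewall deny rules. The addresses, feed fields, confidence values, expiry dates and the iptables-style rule format are all assumptions made for the example.

```python
"""Added example (not from the original article): correlating internal log
events with an external indicator feed, then generating firewall deny rules
only for high-confidence, unexpired matches. All log lines, indicators,
addresses and field names are constructed for illustration."""
import ipaddress
from datetime import date

# Constructed external feed: indicator -> context supplied with it
FEED = {
    "203.0.113.7":   {"confidence": 90, "type": "c2", "expires": "2018-04-01"},
    "198.51.100.23": {"confidence": 40, "type": "scanner", "expires": "2018-03-15"},
    "192.0.2.99":    {"confidence": 95, "type": "c2", "expires": "2018-02-01"},
}

# Constructed internal events in key=value form
LOG_LINES = [
    "ts=2018-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 action=allow bytes=52000",
    "ts=2018-03-01T10:00:05Z src=10.0.0.9 dst=198.51.100.23 action=allow bytes=120",
    "ts=2018-03-01T10:01:00Z src=10.0.0.5 dst=192.0.2.99 action=allow bytes=3000",
    "ts=2018-03-01T10:02:00Z src=10.0.0.7 dst=203.0.113.200 action=allow bytes=800",
]


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict (values stay as strings)."""
    return dict(kv.split("=", 1) for kv in line.split())


def correlate(lines, feed, today: str):
    """Join internal events against the feed; return enriched findings,
    highest confidence (then largest transfer) first. Indicators whose
    expiry date has passed are skipped so they do not add noise."""
    cutoff = date.fromisoformat(today)
    findings = []
    for line in lines:
        ev = parse_event(line)
        ctx = feed.get(ev["dst"])
        if ctx is None:
            continue                       # internal-only event, no external context
        if date.fromisoformat(ctx["expires"]) < cutoff:
            continue                       # stale indicator
        findings.append({
            "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
            "type": ctx["type"], "confidence": ctx["confidence"],
            "bytes": int(ev["bytes"]),
        })
    findings.sort(key=lambda f: (f["confidence"], f["bytes"]), reverse=True)
    return findings


def firewall_rules(findings, min_confidence=80):
    """Emit one iptables-style deny rule per distinct high-confidence
    destination. Lower-confidence matches are left for analyst review
    rather than being blocked automatically."""
    rules, seen = [], set()
    for f in findings:
        if f["confidence"] < min_confidence or f["dst"] in seen:
            continue
        ipaddress.ip_address(f["dst"])     # reject malformed feed data before it reaches a rule
        seen.add(f["dst"])
        rules.append(
            f'-A OUTPUT -d {f["dst"]} -j DROP '
            f'-m comment --comment "ti {f["type"]} conf={f["confidence"]}"'
        )
    return rules


def run_example(today: str = "2018-03-01"):
    """Convenience wrapper returning (findings, rules) for the sample data."""
    findings = correlate(LOG_LINES, FEED, today)
    return findings, firewall_rules(findings)


if __name__ == "__main__":
    findings, rules = run_example()
    for f in findings:
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]} ({f["type"]}, conf={f["confidence"]})')
    print("\n".join(rules))
```

The confidence threshold and the expiry check are the parts that make this safe to automate: the feed's own context decides which hits are acted on by a machine and which are handed to a person, and an indicator that has aged out is never promoted to a block rule.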
Enable Customization and Collaboration
We’ve already established that there are a multitude of threat data sources that could hide the breadcrumbs of valuable intelligence. But working with disparate sources of threat data risks stealing valuable time from security teams. Aggregating and correlating these sources in a single view can make a big contribution to increasing efficiency.
As your threat intelligence capability develops and you begin to conduct your own analysis, you’ll also want to be sure that you have a place to share what’s been discovered, including connections to threat, technology, or industry-related entities.
Arm Yourself With the Facts
You may be familiar with the phrase, “Act in haste, repent at leisure.” You should keep it in mind when evaluating threat intelligence solutions. And even if a vendor meets these key criteria, you still want to test that they can meet the demands you’ll make of them now, and as your needs evolve.
We’ve created a cyber threat intelligence buyer’s guide to help you answer 11 key questions before you make a decision on how to invest. It also includes a handy RFP template you can use to be sure you’re asking the right questions. You can download them both here.