Threat intelligence is one of the hottest trends in the information security industry right now.
But, like with any trend, no matter how valuable, things can get out of control – and arguably, they have for threat intelligence. It has become a buzzword with no industry standard or definition attached to it. Plenty of information security companies have tacked on threat intelligence to their service offerings, but how much data do you actually need and how do you know what data is worth your time?
Threat intelligence: The wrong way
Threat intelligence’s major pitfall is too much data. It is a classic case of quantity versus quality. Too many providers hand you a national or international report: that is a lot of data, especially if it is not a vetted list of threats.
Depending on your source, deciphering the report may be left entirely to you. It is up to you to weed through the false positives, poorly sourced threats and all-around poor-quality “threats” to find the ones that are legitimate and relevant to you.
Threat intelligence: The right way
According to a SANS survey, 75% of respondents considered threat intelligence important to security, but as you can see from above, and possibly from your own experience, getting value from threat intelligence requires investigation into the potential threats. Unfortunately, that can take a lot of time.
Here are 4 ways to save time when assessing the credibility of threats:
- Share information: For a long time our industry has been saying we need to share data if we want to have a chance against the hackers, and threat intelligence is a great way for us to start doing this. Many threat intelligence providers have a community you can use to crowdsource validation; if yours does not, find a group of trusted partners and pool resources.
- Ignore it: A majority of the threats that come across your feed have no relevance to you. They may be big news or widely discussed on the community boards, but if they have nothing to do with you, it’s OK to give them less attention.
- Check for multiple sources: If a threat is big news or being talked about a lot on the community boards AND is relevant to you, pay attention. Being widely discussed does not by itself make something a legitimate threat, but it is usually a good idea to prioritize looking into those threats.
- Know your sources: Just like with anything online, you need to know your sources. Some submitters will be known for higher quality threat submissions than others; look into their threats first.
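As an added illustration of those checks (example code written for this page, not from the original post or any vendor), a small scorer that ranks feed entries by source reputation, corroboration across feeds and relevance to your own environment; the feed entries, source weights and asset inventory are all constructed, hypothetical values.

```python
# Added example: triage constructed threat-feed entries using the heuristics above,
# "know your sources", "check for multiple sources" and "ignore what is irrelevant".
from collections import defaultdict

# Constructed, hypothetical feed entries: (source, indicator, affected_product)
FEED = [
    ("vendor-a", "198.51.100.7", "Apache httpd"),
    ("vendor-b", "198.51.100.7", "Apache httpd"),
    ("community", "198.51.100.7", "Apache httpd"),
    ("community", "203.0.113.9", "Oracle WebLogic"),
    ("vendor-a", "203.0.113.9", "Oracle WebLogic"),
    ("anon-paste", "192.0.2.44", "nginx"),
]

# Hypothetical reputation weight per source, 0..1 ("know your sources")
SOURCE_WEIGHT = {"vendor-a": 0.9, "vendor-b": 0.8, "community": 0.5, "anon-paste": 0.1}

# Hypothetical inventory of what this organisation actually runs ("ignore it")
INVENTORY = {"Apache httpd", "nginx"}


def score_indicators(feed, weights, inventory):
    """Return {indicator: score}; indicators irrelevant to the inventory are dropped."""
    sources = defaultdict(set)
    product = {}
    for src, ioc, prod in feed:
        sources[ioc].add(src)
        product[ioc] = prod
    scored = {}
    for ioc, srcs in sources.items():
        if product[ioc] not in inventory:
            continue  # not relevant to this environment, so it is not worth analyst time
        reputation = max(weights.get(s, 0.0) for s in srcs)  # best-reputed reporting source
        corroboration = min(len(srcs), 3) / 3  # independent sources, capped at three
        scored[ioc] = round(reputation * (0.5 + 0.5 * corroboration), 2)
    return scored


def triage_order(feed=FEED, weights=SOURCE_WEIGHT, inventory=INVENTORY):
    """Indicators in the order an analyst should look at them, highest score first."""
    scored = score_indicators(feed, weights, inventory)
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ioc, s in triage_order():
        print(f"{s:.2f}  {ioc}")
```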
You may be wondering why threat intelligence companies don’t offer better threat leads. Well, we get lousy threat intelligence for the same reason we get lousy news: we crave minute-by-minute updates, so publishers rush to be the first to publish. And rushing leads to bad reports.
We are the problem, but with threat intelligence, we need minute-by-minute updates if we want to stay ahead of criminals; it only takes a few hours for a hacker to get into some networks and steal valuable data.
So, what do we do? Slow down the threat intelligence so companies can vet the leads, or take on the responsibility ourselves for vetting the leads relevant to us? Let us know what you think in the comments or on Facebook. Seriously, drop us a comment. We want to know what you think or what your company does.