A Definition of Threat Intelligence
Threat intelligence provides organized and analyzed information about recent, current, and potential attacks that could be a security threat to an enterprise. Threat intelligence delivers in-depth information such as URLs, domain names, files, and IP addresses that were used to execute attacks. The information helps an organization defend itself from current attacks and respond to security incidents.
Benefits of Threat Intelligence
Cybersecurity threat intelligence provides current information on potential threats or attacks pertinent to enterprises. There are many sources available for obtaining threat intelligence; organizations can glean threat intelligence from monitoring their own systems and obtain threat intelligence from public sources or through paid services. The most powerful and actionable threat intelligence is typically gained through a combination of these internal and external sources. This information helps enterprises defend themselves against known and emerging threats before their systems are compromised.
Managed security services can provide key threat intelligence benefits such as:
- Elimination of the need to manually gather, research, and analyze the volumes of threat data from numerous sources, mostly across the internet.
- Security analysts are on staff and their focus is exclusively on intelligence. In-depth analysis is performed on vulnerabilities and any emerging threats.
- An enterprise is given access to expertise and resources that make an ongoing threat intelligence program a known and budgeted operating expense.
- Some services provide guidance to help specific kinds of enterprises reduce their risks. The threat intelligence service may also provide remediation and mitigation services if a client organization is compromised.
Challenges of Threat Intelligence
Although enterprises are beginning to recognize the value of threat intelligence as a way to improve defenses and expedite incident response, obstacles remain that limit the results of enterprise threat intelligence programs. For one, the amount of threat information available, internally and externally, that needs to be analyzed and correlated adds complexity to threat intelligence programs. When analyzing your company’s own network activity or reviewing public sources of threat intelligence, the sheer volume of activity and information can be overwhelming. As a result, it is important to augment your own threat intelligence efforts with reliable, external sources of threat intelligence.
In some cases, challenges can arise when the insights gained from the threat intelligence program don’t map to the enterprise’s threat model. Enterprises should pick threat intelligence services based on the pertinence to their business. Rick Holland of Forrester offers, “When it comes to actionable intelligence, relevancy matters.”
Best Practices for Threat Intelligence
It is essential that the threat intelligence is comprehensive, timely, and accurate to pinpoint attacks and formulate responses to the attacks. When searching for a provider to protect your company, be sure to find out:
- What methods are used to create the threat intelligence? A combination of methods gives a more comprehensive picture of threats. It is unrealistic to expect full coverage, but with a major vendor it is fair to expect that most of the internet is monitored through a globally distributed set of sensors and the integration of public sources.
- What metadata comes with the intelligence? Metadata can be crucial for receiving more value from threat intelligence services.
- How regularly is the threat intelligence updated, how do customers receive these updates from the vendors, and what is the lag time from detection to the dissemination of threat intelligence? The answer to all three should be no more than a few minutes.
Of course, some of the best threat intelligence lies in your own environment. For a guide on how to get started with your internal threat intelligence program, check out our article, Know Your Network First: DNS and the Power of Feature Classification. If subscribing to a threat intelligence provider, remember that you may not be able to tell an irrelevant feed from a relevant one. Holland suggests, “Nothing will be as relevant to you as intelligence gathered from your own environment, your own intrusions. Before you invest six figures or more in third party threat intelligence, make sure you are investing in your internal capabilities.”