Threat intelligence, we keep hearing about it from security vendors, but what is it really? Is it hype or marketing speak that will be promoted by those without a real grasp of what it means, or is it the real deal?
One problem in defining threat intelligence is that one person’s threat intelligence is not like the others. There’s not really a requirement for any offering to exist for something to be considered threat intelligence. This leads to an interesting situation where multiple companies are saying the same thing, but they aren’t doing the same things.
There are various types of Threat Intelligence:
Threat Intelligence provided as a value proposition included in services. This type of value proposition leverages intelligence to provide a set of indicators customers were most likely to encounter. In practice, we are now seeing this type of threat intelligence being implemented as sharing networks for technologies such as Palo Alto Networks’ WildFire, (and many others) which automatically manages and disseminates threat data on unknown and previously unanalyzed threats in real-time to other customers.
Internal intelligence generated from within your organization. Products and services that provide insight into your networks serve as a critical source of intelligence. Such as endpoint detection and response technologies such as Carbon Black or Trend Micro.
Subscriptions to externally sourced information that may be intelligence. External threat intelligence is data collected outside organizations. These subscriptions can be valuable but since many of the vendors of such provide this for multiple types of businesses and it’s still up to the organization to determine what applies to their business. For example, a retail outlet may be subject to different threats than healthcare or financials.
Threat information exchanges are focused on information sharing. While closely related to the above types of threat intelligence, information exchanges are differentiated in that they don’t generate the intelligence they are distributing. This offering is instead providing a framework or consortium for members to share threat intelligence. This can also include open source and governmental feeds. Sometimes these types of threat intelligence may be incorporated into a SIEM or MSSP and tuned specifically for your business.
So what type of threat intelligence should your business be utilizing? The best approach is to have a threat intelligence program that may incorporate any and all of these, instead of selecting just one or the other. It’s best to approach threat intelligence with an overall strategic plan instead of responding to the latest marketing from manufacturers.