What to Look For in a Threat Intelligence Solution


Threat intelligence, or cyber threat intelligence, is the result of gathering, processing and analyzing data on threats and threat actors. This intelligence can be used to identify and investigate threats to your organization, with the aim of making the organization more resilient.

The field of threat intelligence (TI) providers and solutions is large and diverse, with new vendors appearing regularly. Offerings include threat intelligence feeds, threat intelligence services and threat intelligence platforms. Add in open-source (OSINT) vs. paid solutions, industry-focused vs. broad solutions, and tactical vs. strategic content, and it can quickly get overwhelming when trying to choose what will work best for your organization.

With a surplus of cybersecurity technologies and solutions, it can be daunting to find one that addresses all of your problems. Once you’ve decided you’d like to consider adding some threat intelligence, what are best practices for evaluating and choosing vendors and solutions?

The best place to start is by considering your use cases. Solutions should fit your use cases rather than the other way around. Some of the most popular use cases include:

  • Phishing Detection: Phishing is ubiquitous, annoying and potentially highly damaging. TI is critical for identifying malicious IPs and other elements of phishing attacks to speed up your detection and response.
  • Threat Hunting: By the time an active threat is detected, quarantined and remediated, it’s often too late. Security teams must be proactive in identifying and hunting for new risks. Regularly updated TI can be applied to your threat detection systems to secure your environment. You can also use your TI solution to look for new tactics and trends.
  • Vulnerability Prioritization: TI integrations help organizations understand which vulnerabilities are being exploited by threat actors, making it one of the most valuable use cases for threat intelligence in modern enterprises. This actionable knowledge offers critical insights into an organization’s threat landscape.

Once you define your use cases, look for TI solutions that can address those areas. Be sure to consider that some of your existing security technologies, such as SIEM, firewalls and endpoint detection and response (EDR), may offer add-on subscriptions for TI content. Be aware that there may be some overlap in intelligence between vendors, as some vendors OEM their intelligence while others share content. This is normal and expected, but you will want to make sure your TI solutions are diversified, not redundant.

As with any new tool, make sure you have the resources (people, processes and budget) to manage it. Getting value from these solutions depends on your team’s ability and capacity to act upon the intelligence you receive from your providers. Plan ahead for which people, tools and processes in your organization will consume the intelligence, and how they will use it.

On the matter of budget, TI pricing is typically geared toward large enterprises, although the mid-market is a growing segment of TI consumers. Pricing is in the lower tens of thousands of dollars for a basic service, while more advanced, strategic or bespoke content can run several hundred thousand dollars or more.

End users must do several things concurrently to benefit from TI. These can be grouped as:

  • Acquire. There are many vendors in the market, but they usually specialize in certain areas such as malware IOCs, internet domain information or dark web monitoring. It is rare to find one that excels across all domains. Thus, the key is to get the right blend of TI for your organization. Depending on your use cases and budget, you may find that publicly available sources of threat information, such as open-source intelligence (OSINT), will adequately serve your needs. When acquiring TI solutions, also consider their breadth of coverage, the depth and accuracy of the information, and their extensibility if you intend to use them in multiple tools and processes.
  • Aggregate. Once you have your TI in its multiple formats and types, aggregation is the next step. This is where solutions like security orchestration, automation and response (SOAR) come in. SOAR will gather large volumes of TI, deduplicate it, enrich it with other data, make it searchable and use it in downstream automation use cases. SOAR can also be used to compare your TI sources, surfacing where you have overlap and potential redundancy of threat content.
  • Action. Having intelligence does nothing for you if you don’t use it. You also need to make it actionable: have a process for what decisions you expect to make on the basis of the content provided, as well as who will make those decisions and how.
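As an added illustration of the aggregation step described above (normalize several feeds, deduplicate them, then compare sources so redundant subscriptions become visible), here is a small Python script; it is not code from this page or from any vendor's product. The three feeds, their formats and every indicator in them are constructed, using reserved example addresses and domains.

```python
"""Aggregate several constructed TI feeds, deduplicate them and measure
overlap per source, so redundant subscriptions are visible."""
import csv
import io
import json
from itertools import combinations

# Constructed sample feeds (example-reserved names/addresses, not real IoCs).
FEED_A_CSV = """indicator,type
192.0.2.10,ipv4
bad.example.com,domain
198.51.100.7,ipv4
"""
FEED_B_JSON = json.dumps([
    {"value": "bad[.]example[.]com", "kind": "domain"},
    {"value": "192.0.2.10", "kind": "ipv4"},
    {"value": "evil.example.net", "kind": "domain"},
])
FEED_C_TXT = "hxxp://bad.example.com/login\n192.0.2.10\nBAD.EXAMPLE.COM\n"

def normalize(raw: str) -> str:
    """Refang and canonicalize an indicator so duplicates collide."""
    v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if v.startswith(("http://", "https://")):
        v = v.split("://", 1)[1].split("/", 1)[0]   # keep the host only
    return v

def parse_feeds() -> dict[str, set[str]]:
    """Turn each feed format into a set of normalized indicators."""
    a = {normalize(r["indicator"]) for r in csv.DictReader(io.StringIO(FEED_A_CSV))}
    b = {normalize(o["value"]) for o in json.loads(FEED_B_JSON)}
    c = {normalize(line) for line in FEED_C_TXT.splitlines() if line.strip()}
    return {"feed_a": a, "feed_b": b, "feed_c": c}

def overlap_report(feeds: dict[str, set[str]]) -> dict:
    """Deduplicated total, pairwise Jaccard overlap, and unique contribution per feed."""
    union = set().union(*feeds.values())
    pairwise = {f"{x}/{y}": round(len(feeds[x] & feeds[y]) / len(feeds[x] | feeds[y]), 2)
                for x, y in combinations(feeds, 2)}
    unique = {name: s - set().union(*(o for n, o in feeds.items() if n != name))
              for name, s in feeds.items()}
    return {"total_unique": len(union), "pairwise_jaccard": pairwise,
            "unique_per_feed": {n: sorted(u) for n, u in unique.items()}}

if __name__ == "__main__":
    print(json.dumps(overlap_report(parse_feeds()), indent=2))
```

With these inputs feed_c adds no indicator the other two do not already carry, which is the kind of redundancy the comparison step is meant to surface before you renew a subscription.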

Choosing threat intelligence solutions and getting value from them is complex. Request a demo today to learn more about how to choose the right solution and not settle for “good enough” security automation.