Saw this post today over on CSO Online very accurately describing what is going on in today’s world of threat intelligence. Put bluntly … most vendors are not selling threat intelligence. Instead I would call it threat data, which lacks the context needed to be considered intelligence. Without context it’s difficult for an organization to use any of this data effectively. And in some cases shifting resources away from more relevant activities to dealing with the slew of false positives (FPs) that arise from irrelevant threat indicators can make things worse. If you are going to invest in threat intel, the best bang for the buck would be hiring smart people to create it yourself with data from your own network. And even then it takes a lot of hard work and analysis.
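To make the data-versus-intelligence distinction concrete, here is an added example (not from the post or the CSO Online article) in Python. It takes a constructed vendor feed of indicators and a few constructed firewall log lines and applies the context only the organization has: which destinations were actually contacted, whether the traffic was allowed, whether the indicator is on a local allowlist, and whether a critical host was involved. The feed entries, log lines, allowlist and critical-host set are all hypothetical sample data.

```python
from collections import defaultdict

# Constructed vendor feed: hypothetical indicators with the vendor's own type/confidence labels.
# On its own this is threat data; nothing here says whether it matters to this network.
FEED = [
    {"indicator": "203.0.113.10",  "type": "c2",       "confidence": 80},
    {"indicator": "198.51.100.7",  "type": "scanner",  "confidence": 40},
    {"indicator": "192.0.2.55",    "type": "c2",       "confidence": 90},
    {"indicator": "203.0.113.200", "type": "phishing", "confidence": 60},
]

# Constructed internal firewall log lines: timestamp src dst dport action
LOGS = """\
2015-03-20T10:01:02 10.1.4.22 203.0.113.10 443 ALLOW
2015-03-20T10:01:09 10.1.4.22 203.0.113.10 443 ALLOW
2015-03-20T10:03:44 10.1.9.8 203.0.113.10 443 ALLOW
2015-03-20T10:05:00 10.1.4.22 198.51.100.7 22 DENY
2015-03-20T11:12:31 10.1.7.3 93.184.216.34 80 ALLOW
"""

# Local context the vendor cannot know (hypothetical): a business partner's address that
# keeps showing up in generic feeds, and the hosts that matter most to this organization.
ALLOWLIST = {"198.51.100.7"}
CRITICAL_HOSTS = {"10.1.9.8"}


def parse_logs(text):
    """Turn the space-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def enrich(feed, events):
    """Attach local context to each feed indicator and decide what to do with it."""
    hits = defaultdict(list)
    for ev in events:
        hits[ev["dst"]].append(ev)

    results = []
    for ioc in feed:
        ind = ioc["indicator"]
        evs = hits.get(ind, [])
        srcs = sorted({e["src"] for e in evs})
        allowed = [e for e in evs if e["action"] == "ALLOW"]

        if ind in ALLOWLIST:
            verdict = "suppress"          # known-benign locally; alerting would only make FPs
        elif not evs:
            verdict = "archive"           # never seen here; keep for retrospective matching only
        elif allowed and (set(srcs) & CRITICAL_HOSTS):
            verdict = "investigate-now"   # allowed traffic from a crown-jewel host
        elif allowed:
            verdict = "investigate"       # allowed traffic from an ordinary host
        else:
            verdict = "blocked-monitor"   # contact attempted but denied; watch, don't page

        results.append({
            "indicator": ind, "type": ioc["type"], "confidence": ioc["confidence"],
            "hits": len(evs), "allowed_hits": len(allowed),
            "sources": srcs, "verdict": verdict,
        })
    return results


def summarize(results):
    """Count indicators per verdict, showing how much of the feed is actionable."""
    counts = defaultdict(int)
    for r in results:
        counts[r["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    res = enrich(FEED, parse_logs(LOGS))
    for r in res:
        print(r)
    print(summarize(res))
```

With this sample data, only one of the four feed entries becomes something an analyst should act on, one would have been a false positive against a partner address, and two never touched the network at all. The feed's own confidence score (highest for an indicator that was never seen) plays no part in the decision; the local context does all the work, which is the point of the post.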
Look for more on this topic in my talk this weekend at CarolinaCon on setting up a basic threat intel capability. In the meantime here are some key quotes from the CSO Online article.
“Unfortunately, most of what’s being sold as threat intelligence isn’t very smart, and organizations are paying hand over fist for data they can find in their own logs.”
“… most vendors aren’t selling actionable intelligence, they’re selling raw data or data feeds without context. Worse, they take a one-size-fits-all approach to their intelligence offerings.”
“The problem is – data that hasn’t been evaluated isn’t intelligence; it’s only intelligence after it’s been analyzed and tailored towards the organization’s threat model.”
“Threat intelligence is something you do, not something you own. It isn’t a product.”
“A good threat intelligence program can take months, maybe years to implement, because it has to align with the individual business and its risk model, which changes constantly as the business grows or shrinks.”
“Despite such claims, threat intelligence isn’t a replacement for solid security basics.”