5 Myths about Threat Intelligence

In the spirit of The Washington Post’s regular column, “5 Myths,” here is “a challenge to everything you think you know” about Threat Intelligence.

You may already know that cyber threat intelligence from both internal and external sources can provide value when it is researched, analyzed and disseminated correctly. The benefits include:

• Changing an organization’s security model from reactive to proactive
• Shrinking the security alert problem that is overwhelming most security teams
• Driving better, more informed responses to security incidents
• Extending the life of aging security technologies and turbo charging new defenses by feeding them real-time intelligence updates to enable blocking of rapidly emerging threats
• Enhancing communications between the security team, management and board members
• Driving better investment strategies and more directly connecting security priorities with business risk management priorities

Marketing departments would have you believe, it’s easy.  Just sign this Purchase Order and the magic happens. Here are 5 myths about Threat Intelligence.

1. You can buy it

Actually you can only buy threat data feeds. Converting this “data” to intelligence requires many steps. You have to collect data from your network, match against the threat data feed, examine matches for validity, weed out false positives, investigate the remainder and apply remediation.

2. More expensive is better

This one is obvious – only if it is relevant to your needs. For example, a high quality feed about threats that your organization does not face is not very useful. For example, is it meaningful to you to get great intel on the threat landscape local to Uzbekistan? Not unless you have network assets there. Most feeds cover specific activities, technologies, and industries. Just because they are high quality, it doesn’t follow they are useful to your organization.

Also ask the question if you can actually use what information is provided. For example, a feed that updates by the minute requires that you be able to act immediately on notification. However, if you can only act the following business day (lack of dedicated staff?), then why pay for the real time update?

You may have heard “the best things in life are free.” It can be true in the case of Threat Intel feeds.

3. It’s a one-time cost

See the answer to #1 above. Feed data updates regularly. Applying it to your local environment is also a continuous process. The one-time cost is to buy a subscription to a data feed. Security, you may have heard, is a process, not a project.

An easy comparison is to vulnerability scan results. Users of such products will quickly recognize that one must carefully tune the tests that the scanner runs to avoid disrupting or crashing some products (one just can’t enable a test against all endpoints). Further, many results must be masked because they cannot be remediated for good reasons and a compensating control may have been applied. These are all ongoing costs.

4. The benefits are automatic 


Actually no. In order to get benefits from threat intelligence feeds, a series of steps must be completed as outlined above, mostly in the area of tuning the feeds to eliminate false positives. Most Intrusion Detection System (IDS) users will recognize this problem easily. Enable an IDS with all available data feeds and you will get bombarded with false positives, and likely get depressed that the process is not “automatic.” Obtaining value from such feeds requires attention and tuning.

5. It’s easy to use

While threat intelligence may be easy to incorporate into any product, by itself it’s not inherently “easy to use.” That depends on the device that is using threat intelligence. For example, many Next Generation Firewalls (NGFW) offer subscriptions to threat intelligence.  They update themselves and take the configured action (report or block undesirable traffic). However, it is still up to the administrator to review these alerts for correct behavior. Administrators of anti-spam devices or proxy servers will quickly recognize this. Those devices also incorporate threat intelligence but require review for proper functioning.

Threat intelligence is a crucial need for any organization, but it isn’t a one-size-fits-all proposition, nor is it a plug and play way to secure data.  Businesses and their IT teams must understand that security is a process, one that is grown out of attention to need and should come complete with an administrator to oversee  anomalies.  Once organizations better understand this fact, we’ll be well on our way to data security.[su_box title=”About A.N. Ananth” style=”noise” box_color=”#336588″]As the co-founder and CEO of EventTracker, A.N. Ananth was one of the original architects of the EventTracker product, an enterprise log management solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategies, audit policies, and automated reporting processes. He is a leading expert in IT compliance, with more than 20 years’ experience in IT-control and operations, and he speaks frequently on these topics. Ananth was involved in product development for various companies including Ciena, Westinghouse Wireless, and Equatorial Communications. He holds an MSEE from the University of Texas and remains active in strategic product direction at EventTracker.[/su_box]