Originally IP and URL blacklists were seen as the forerunners of ‘Threat Intelligence’, and security products such as next generation firewalls (NGFWs) and security information and event management (SIEM) products were designed to integrate information from these blacklists. However, over time the amount of threat intelligence grew exponentially and it became very difficult to define what was relevant and what was not. Moreover, existing security controls were simply not designed to process such a huge number of Indicators of Compromise.
There are many threat feed providers and threat intelligence services processing and providing vast amounts of essentially raw data (indicators without context) marketed as ‘Threat Intelligence’. Feeding your security operations with such ‘intelligence’ will cause too many daily false security alerts, overwhelming security teams and creating ‘alert fatigue’. This will, inevitably, have a serious, negative impact on your response capabilities – and the overall security of your company. According to Cisco’s 2018 research, 44% of daily security alerts are never investigated and the data is simply unutilized. Just sorting through a huge amount of data (without context) from available threat intelligence sources was clearly not delivering Threat Intelligence.
This brought about the realisation that there is no quick-fix Threat Intelligence solution for protecting an organisation. It is now generally recognized that raw data extracted in huge, unstructured, unprocessed quantities can’t even be called useful information, let alone intelligence. And crucially, data, however relevant, is still useless unless it is actionable and contextualised.
The focus now is entirely on the quality of the data sources. Identifying what was a threat yesterday is ‘history’. Data which brings insights but does not provide guidelines for prompting decisions and actions is insufficient. Data that is limited in quality due to lack of sources, for example insufficient visibility into threat coverage such as the Darknet, or lack of global, multilingual reach, cannot be processed into what we now understand to be Threat Intelligence. Critical intelligence must pass the test of being predictive on how to prepare for and how to combat future threats.
But beyond this, a solution needs to adapt to the specific security requirements of each individual organisation. The organisation must be guided to establish data collection points internally around critical assets so that the collected data can be matched with the external threat intelligence to identify potential threats. Threat Intelligence lacking this targeted approach will not succeed in prioritising information necessary to defend key assets. “Threats are only a threat in the context of the risk to the business itself,” says Helen Patton, CISO of The Ohio State University.
Finally, if it’s not ‘actionable’, it’s not useful intelligence. In order to be actionable, multiple threat intelligence sources must be seamlessly integrated into an organisation’s security operations, through a single point of entry. If machine-readable and human-readable threat intelligence cannot be readily used with an organisation’s systems, or if the delivery methods, integration mechanisms and formats do not support smooth integration into existing security operations, then the data provided will not be converted into effective Threat Intelligence.
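The difference between a flat list of raw indicator hits and contextualised, prioritised intelligence, as described in the preceding paragraphs (freshness and context of the indicator, matching against collection points around critical assets, a single integration point), can be shown in a small matching routine. The following is an added example written for this page; it is not code from the original article or from any vendor it mentions. The feed entries, asset criticality table, log lines, reference date and scoring weights are all constructed for the example, and the function names (`prioritise`, `score`, `freshness`) are this example's own.

```python
"""
Added example: contextual matching of external threat-intelligence indicators
against telemetry collected around critical internal assets. Raw matches are
scored by indicator confidence, indicator freshness, asset criticality and
whether the feed supplied any context, so that stale, context-free hits on
low-value assets are suppressed rather than raised as alerts.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str          # "ip" or "domain"
    last_seen: date    # date the feed last observed the indicator
    confidence: int    # 0-100, as supplied by the feed
    context: str       # campaign / malware family; "" if the feed gives none


# Constructed external feed: two indicators carry context, one is a bare IoC.
FEED = [
    Indicator("203.0.113.7", "ip", date(2020, 3, 1), 90, "C2 for commodity banking trojan"),
    Indicator("198.51.100.23", "ip", date(2018, 6, 15), 40, ""),  # stale, low confidence, no context
    Indicator("update-check.example", "domain", date(2020, 2, 20), 80, "phishing landing page"),
]

# Constructed internal collection points: asset -> criticality (1 low .. 5 high).
ASSETS = {"db-prod-01": 5, "web-prod-02": 4, "lab-vm-17": 1}

# Constructed internal log lines: "<asset> <direction> <ip> <domain-or-'-'>".
LOGS = """\
db-prod-01 outbound 203.0.113.7 -
lab-vm-17 outbound 198.51.100.23 -
web-prod-02 outbound 192.0.2.10 update-check.example
lab-vm-17 outbound 203.0.113.7 -
"""

# Constructed reference date so the example is deterministic.
TODAY = date(2020, 3, 10)


def freshness(last_seen: date, today: date) -> float:
    """Weight an indicator by age: yesterday's threat is 'history'."""
    age = (today - last_seen).days
    if age <= 30:
        return 1.0
    if age <= 180:
        return 0.5
    return 0.1


def score(ind: Indicator, asset_criticality: int, today: date) -> float:
    """Combine feed confidence, freshness, asset criticality and context."""
    context_weight = 1.0 if ind.context else 0.5
    raw = (ind.confidence / 100) * freshness(ind.last_seen, today) \
        * (asset_criticality / 5) * context_weight
    return round(raw, 3)


def parse_logs(text: str):
    """Yield (asset, ip, domain) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        asset, _direction, ip, domain = line.split()
        yield asset, ip, domain


def prioritise(logs: str, feed, assets, today: date, threshold: float = 0.1) -> dict:
    """Match logs against the feed, score each hit, return prioritised alerts."""
    by_value = {ind.value: ind for ind in feed}
    raw_hits = []
    for asset, ip, domain in parse_logs(logs):
        for value in (ip, domain):
            ind = by_value.get(value)
            if ind is not None:
                raw_hits.append((asset, ind))

    alerts = []
    for asset, ind in raw_hits:
        s = score(ind, assets.get(asset, 1), today)  # unknown assets default to low criticality
        if s >= threshold:
            alerts.append({
                "asset": asset,
                "indicator": ind.value,
                "kind": ind.kind,
                "score": s,
                "context": ind.context or "(none supplied by feed)",
            })
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return {"raw_matches": len(raw_hits), "alerts": alerts}


def demo() -> dict:
    """Run the constructed scenario; returns 4 raw matches, 3 surfaced alerts."""
    return prioritise(LOGS, FEED, ASSETS, TODAY)


if __name__ == "__main__":
    result = demo()
    print(f"raw matches: {result['raw_matches']}, surfaced: {len(result['alerts'])}")
    for alert in result["alerts"]:
        print(alert)
```

Four raw indicator hits come out of the logs, but the stale, context-free hit on the low-value lab machine falls below the threshold and is dropped, while the hit on the production database with a fresh, high-confidence indicator rises to the top. The weights and the 30/180-day age bands are illustrative choices; the point is that every alert carries the asset it touched and the feed's context, which is what lets an analyst act on it rather than triage yet another bare IP.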
In summary, if the data cannot be processed, integrated and converted into immediately actionable intelligence to provide unique insights into emerging threats, enabling security teams to prioritise alerts, maximize resources and accelerate decision-making processes – then this accumulation of data does not pass the test of ‘Threat Intelligence’ as defined in 2020.