Gartner Blog Network

How a Lower Maturity Security Organization Can Use Threat Intel?

by Anton Chuvakin  |  May 16, 2016  |  7 Comments

As we mentioned, we are starting a refresh effort for our threat intelligence paper [Gartner GTP access required]. One thing we may add is more detailed guidance on the usage of threat intel for lower-maturity security organizations. You know, those that just learned to spell “S-I-E-M” and that are constantly pushed to do “more with less…and less…and less…and less.” Those that just hired their first full-time security “expert.” Those NOT at the tip of the maturity pyramid.

So, this post is just me thinking aloud about things like …

How can those organizations benefit from a threat intel subscription or a feed?

…. or, in fact…

Can those organizations benefit from a threat intel subscription or a feed?

… and also…

Given a choice between spending $x0,000 (a sizable, but not an outrageous sum for an annual threat intel subscription) and some other security budget item (tools or people), should they spend it on TI?

… and maybe even….

Can free community and security vendor-included TI be enough for some?

Let’s briefly ponder these questions. Here are some ideas …. with some counter-arguments:

  • A TI feed (as we clarify here) can be directed into a SIEM to improve threat detection (specifically, to catch some threats based on TI vendor knowledge of malicious infrastructure and without writing custom correlation rules) … but improved detection will necessitate response, i.e. additional work and thus likely additional people.
  • A TI feed can make your alert triage work better/faster (specifically, TI can boost the importance of some alerts by relating them to malicious infrastructure of a known threat group) … but this implies that an alert triage process is in place and is not outsourced to, say, an MSSP.
  • Naturally, the security incident response process can be intel-enabled and hence be improved …. but it implies a degree of security IR maturity and not just a “reimage and forget” process in place.
  • Finally, a well-cleaned TI feed can be directly dropped into preventative controls (firewalls, SWG/proxies, etc) … but – frankly – it won’t be INTELLIGENCE anymore, it will be a shared IP/DNS blocklist.
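To make the three feed uses above concrete (SIEM matching, triage boosting, and the “it is just a blocklist now” export to a preventive control), here is a small added example. It is not code from the post or from Gartner; the feed entries, the log events, the field names and the scoring thresholds are all constructed for illustration (reserved documentation addresses and names are used, so nothing here is a real indicator).

```python
"""Added illustration: one small indicator feed, three uses of it.

Everything here is constructed for the example: the feed entries, the
log events and the scoring rules are not from any vendor or from the post.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    value: str          # IP address or domain name
    kind: str           # "ip" or "domain"
    threat_group: str   # who the vendor attributes the infrastructure to
    confidence: int     # 0-100, vendor's confidence the indicator is malicious
    role: str           # e.g. "c2", "phishing", "scanner"


# Constructed feed; addresses/names are RFC 5737 / RFC 2606 reserved values.
FEED: List[Indicator] = [
    Indicator("203.0.113.7", "ip", "GROUP-A", 90, "c2"),
    Indicator("198.51.100.23", "ip", "GROUP-B", 40, "scanner"),
    Indicator("update.example.net", "domain", "GROUP-A", 85, "phishing"),
]

# Constructed proxy/firewall events of the kind a SIEM would already hold.
EVENTS = [
    {"ts": "2016-05-16T10:01:00Z", "src": "10.0.0.5", "dst_ip": "203.0.113.7",
     "host": None, "action": "allowed"},
    {"ts": "2016-05-16T10:02:00Z", "src": "10.0.0.9", "dst_ip": "192.0.2.44",
     "host": "update.example.net", "action": "allowed"},
    {"ts": "2016-05-16T10:03:00Z", "src": "10.0.0.5", "dst_ip": "198.51.100.23",
     "host": None, "action": "blocked"},
    {"ts": "2016-05-16T10:04:00Z", "src": "10.0.0.12", "dst_ip": "192.0.2.99",
     "host": "intranet.example.com", "action": "allowed"},
]


def index_feed(feed: List[Indicator]) -> Dict[str, Indicator]:
    """Lookup table so the SIEM-style join costs one dict probe per field."""
    return {ind.value: ind for ind in feed}


def match_events(feed: List[Indicator], events: List[dict]) -> List[dict]:
    """Use 1 (detection): join events against the feed, no custom rule needed.

    An event is a hit when its destination IP or its requested host name is
    in the feed; the matching Indicator is attached for later triage.
    """
    idx = index_feed(feed)
    hits = []
    for ev in events:
        ind = idx.get(ev["dst_ip"]) or (ev["host"] and idx.get(ev["host"]))
        if ind:
            hits.append({**ev, "indicator": ind})
    return hits


def triage_priority(hit: dict) -> str:
    """Use 2 (triage): constructed rule that lets the feed's context set priority.

    An allowed connection to high-confidence C2 is worked first; a blocked
    hit against a low-confidence scanner entry is noise for later.
    """
    ind = hit["indicator"]
    if hit["action"] == "blocked":
        return "low"
    if ind.confidence >= 80 and ind.role == "c2":
        return "high"
    if ind.confidence >= 80:
        return "medium"
    return "low"


def triage(feed: List[Indicator], events: List[dict]):
    """Return (source host, indicator, attributed group, priority) per hit."""
    return [
        (h["src"], h["indicator"].value, h["indicator"].threat_group, triage_priority(h))
        for h in match_events(feed, events)
    ]


def export_blocklist(feed: List[Indicator], min_confidence: int = 80) -> List[str]:
    """Use 3 (preventive control): what a firewall or proxy actually consumes.

    "Well-cleaned" here means a confidence cut-off. Only the raw values
    survive; group, role and confidence are dropped, which is why the result
    is a blocklist rather than intelligence.
    """
    return sorted(i.value for i in feed if i.confidence >= min_confidence)


if __name__ == "__main__":
    for row in triage(FEED, EVENTS):
        print(row)
    print(export_blocklist(FEED))
```

Note what each use assumes of the organization: `match_events` needs the events to be in a SIEM at all, `triage_priority` needs someone to act on “high” versus “low”, and `export_blocklist` needs nobody, which is exactly why it is the one use that survives at low maturity and also the one that throws the intelligence away.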

So, you need to make up your own mind, but it is entirely possible that many lower-maturity security organizations CANNOT benefit from TI. As they said in the movie, “he is just not that into you,” which here becomes “TI just isn’t for you.”

Given that in my work I encounter clients of very different levels of security operations maturity, maybe I should tag my blog posts with something like this:

sec ops maturity-marker

Otherwise, I get comments like “hire a team of 50 and this is easily solved” or “no real organization can ever do that”…

Blog posts related to threat intelligence:

Category: security  threat-intelligence  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on How a Lower Maturity Security Organization Can Use Threat Intel?

  1. Daya Puls says:

    My simple-minded understanding is that TI is not useful to an organization that does not understand their risks or does not monitor their corporate assets (i.e. they only monitor the firewalls on the DMZ). You know, getting climate reports for coastal flooding when my company is based in Colorado, USA. Sigh…

  2. Darin Dutcher says:

    Careful, a feed does not equal intelligence…

    • Agreed, but we consider threat / indicator feeds to be A TYPE OF threat intel. So, feed != TI, but feed is a type of TI (we sometimes call it MRTI or tactical TI)

  3. […] Anton Chuvakin As we mentioned, we are starting a refresh effort for our threat intelligence paper [Gartner GTP […]

  4. Jason Pender says:

    Great questions. I believe these organizations would be best leveraging TI services from regional MSSPs. At Jigsaw we are working with a number of these to build threat streaming and security analytics services for the mid market on our MISP based Elastic platform.

    • Thanks for the comment. Indeed, it may work if they get a TI feed or other subscription “for free” [or: included with] their MSSP subscription.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.