Gartner Blog Network


Baby’s First Threat Intel Usage Questions

by Anton Chuvakin  |  June 28, 2016  |  2 Comments

Every time I think I already wrote the most basic blog post on threat intelligence usage, somebody comes and asks for an even more basic one…

Now, many of you have retweeted this tweet:

Let’s explore this a bit – what questions do you need to answer before you get your first threat intel data source(s)? These ones, IMHO [feel free to add yours in comments, BTW!]:

  1. What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
  2. Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
  3. How do I pick the best one(s) for me?
  4. Where do I put it, into what tool?
  5. How do I actually make sure it will be useful in that tool?
  6. What has to happen with the intelligence data in that tool, what correlation and analysis?
  7. What specifically do I match TI against, which logs, traffic, alerts?
  8. What do I have to do with the results of such matching? Who will see them? How fast?
  9. How do I assure that the results of matching are legitimate and useful?
  10. What do I do with false or non-actionable matches?
  11. How do I use intel to validate alerts produced by other tools?
  12. Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?

Got any more?
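Questions 7, 10 and 12 in working form, as an added example that is not from the original post: a minimal matcher that checks proxy/DNS log destinations against an indicator feed, limits how far back it looks, and records allowlisted or low-confidence matches as suppressed rather than dropping them silently. The feed, allowlist, confidence scores and log lines are all constructed for illustration (documentation-range addresses, not real indicators).

```python
from datetime import datetime, timedelta

# Constructed indicator "feed" (documentation-range addresses, not real indicators)
FEED = {
    "203.0.113.7":     {"confidence": 80, "source": "feed-A"},
    "198.51.100.22":   {"confidence": 40, "source": "feed-A"},
    "bad.example.net": {"confidence": 90, "source": "feed-B"},
}

# Indicators already triaged as benign/non-actionable (question 10): suppressed, not deleted
ALLOWLIST = {"198.51.100.22"}

# Constructed proxy/DNS log lines: "<timestamp> <source host> <destination>"
LOGS = [
    "2016-06-27T10:00:00 10.0.0.5 203.0.113.7",
    "2016-06-01T09:30:00 10.0.0.9 bad.example.net",
    "2016-04-15T08:00:00 10.0.0.3 203.0.113.7",
    "2016-06-26T12:00:00 10.0.0.7 198.51.100.22",
    "2016-06-27T11:00:00 10.0.0.5 www.example.com",
]

def parse_line(line):
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst

def match_logs(logs, feed, allowlist, now_iso, lookback_days, min_confidence):
    """Match log destinations against the feed (question 7). Returns (actionable, suppressed);
    each hit keeps feed source and confidence so an analyst can judge it (question 9)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)  # question 12
    actionable, suppressed = [], []
    for line in logs:
        ts, src, dst = parse_line(line)
        if ts < cutoff or dst not in feed:
            continue  # outside the retrospective window, or no indicator for this destination
        hit = {"ts": ts.isoformat(), "src": src, "indicator": dst, **feed[dst]}
        if dst in allowlist:
            suppressed.append({**hit, "reason": "allowlisted"})
        elif feed[dst]["confidence"] < min_confidence:
            suppressed.append({**hit, "reason": "low-confidence"})
        else:
            actionable.append(hit)
    return actionable, suppressed

if __name__ == "__main__":
    act, sup = match_logs(LOGS, FEED, ALLOWLIST, "2016-06-28T00:00:00", 30, 50)
    for h in act:
        print("ALERT", h)
    for h in sup:
        print("SUPPRESSED", h)
```

Widening the lookback from 30 to 90 days pulls in the April event for the same indicator, which is exactly the trade-off question 12 asks about.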

P.S. This post is for this security ops maturity level:

[image: sec ops maturity marker]

P.P.S. I wish more TI vendors would help clients use their intel “products.”



Thoughts on Baby’s First Threat Intel Usage Questions


  1. Rick Holland says:

    For motivations, I suggest including something along the lines of “what business risk am I hoping threat intelligence will address?” This will be very important when it comes to gaining and retaining budget. How can you then map from those business risks down the stack to operational needs? For the “what is my 1st source” question, I suggest that one of the first, if not the first, threat intel source should be your own environment. It is tough to get more relevant than the actual intrusions occurring within your enterprise. Don’t neglect internal sources by just focusing on external OSINT and commercial sources.


