As we mentioned, we are starting a refresh effort for our threat intelligence paper [Gartner GTP access required]. One thing we may add is more detailed guidance on the usage of threat intel for lower-maturity security organizations. You know, those that just learned to spell “S-I-E-M” and that are constantly pushed to do “more with less…and less…and less…and less.” Those that just hired their first full-time security “expert.” Those NOT at the tip of the maturity pyramid.
So, this post is just me thinking aloud of things like …
How can those organizations benefit from a threat intel subscription or a feed?
…. or, in fact…
Can those organizations benefit from a threat intel subscription or a feed?
… and also…
Given a choice between spending $x0,000 (a sizable, but not an outrageous sum for an annual threat intel subscription) and some other security budget item (tools or people), should they spend it on TI?
… and maybe even….
Can free community and security vendor-included TI be enough for some?
Let’s briefly ponder these questions. Here are some ideas … with some counter-arguments:
- A TI feed (as we clarify here) can be directed into a SIEM to improve threat detection (specifically, to catch some threats based on TI vendor knowledge of malicious infrastructure and without writing custom correlation rules) … but improved detection will necessitate response, i.e., additional work and thus likely additional people.
- A TI feed can make your alert triage work better/faster (specifically, TI can boost the importance of some alerts by relating them to malicious infrastructure of a known threat group) … but this implies that an alert triage process is in place and is not outsourced to, say, an MSSP.
- Naturally, the security incident response process can be intel-enabled and hence be improved … but it implies a degree of security IR maturity and not just a “reimage and forget” process in place.
- Finally, a well-cleaned TI feed can be directly dropped into preventative controls (firewalls, SWG/proxies, etc.) … but – frankly – it won’t be INTELLIGENCE anymore, it would be a shared IP/DNS blocklist.
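To make the SIEM-side mechanics of the first two bullets (and the blocklist point of the last one) concrete, here is an added example that is not from the original post. It assumes a constructed key=value proxy log and a constructed feed with placeholder indicators and invented actor names: matching an event against the feed enriches the alert with the threat group and raises its priority only for confident hits, while pushing the same feed into a firewall keeps nothing but the bare indicators.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed TI feed: placeholder indicators (RFC 5737 address, reserved TLD), not real IoCs.
TI_FEED = [
    {"indicator": "203.0.113.45", "actor": "EXAMPLE-GROUP-A", "confidence": 85},
    {"indicator": "c2.example", "actor": "EXAMPLE-GROUP-B", "confidence": 40},
]

# Constructed proxy-style log lines in key=value form.
LOG_LINES = [
    "ts=2024-01-10T10:00:01Z src=10.0.0.5 dst=203.0.113.45 host=update.example action=allow",
    "ts=2024-01-10T10:00:02Z src=10.0.0.7 dst=198.51.100.9 host=c2.example action=allow",
    "ts=2024-01-10T10:00:03Z src=10.0.0.9 dst=192.0.2.20 host=news.example action=allow",
]

MIN_CONFIDENCE = 50  # below this a hit is still recorded for context, but does not raise priority


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value' pairs; all keys are kept so the enriched alert stays complete."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def index_feed(feed: List[dict]) -> Dict[str, dict]:
    """Lookup table keyed by indicator, the way a SIEM reference set would hold the feed."""
    return {entry["indicator"]: entry for entry in feed}


def enrich(event: Dict[str, str], lookup: Dict[str, dict]) -> Optional[dict]:
    """Return an alert if dst or host hits the feed; priority rises only for confident hits."""
    for field in ("dst", "host"):
        hit = lookup.get(event.get(field, ""))
        if hit:
            confident = hit["confidence"] >= MIN_CONFIDENCE
            return {"src": event["src"], "matched": event[field], "actor": hit["actor"],
                    "confidence": hit["confidence"], "priority": "high" if confident else "low"}
    return None  # no indicator hit: nothing for the triage queue


def run(lines: List[str], feed: List[dict]) -> List[dict]:
    """Enrich every log line and keep only those that produced an alert."""
    lookup = index_feed(feed)
    return [a for a in (enrich(parse_event(line), lookup) for line in lines) if a]


def to_blocklist(feed: List[dict], min_confidence: int = MIN_CONFIDENCE) -> Set[str]:
    """What survives when the feed goes into a firewall/proxy: bare indicators, no actor context."""
    return {e["indicator"] for e in feed if e["confidence"] >= min_confidence}


if __name__ == "__main__":
    for alert in run(LOG_LINES, TI_FEED):
        print(alert)
    print(sorted(to_blocklist(TI_FEED)))
```

Every alert `run` returns is new work for someone to triage and respond to, which is exactly the staffing caveat raised in the first bullet.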
So, you need to make up your own mind, but it is entirely possible that many lower-maturity security organizations CANNOT benefit from TI. As they said in the movie, “he is just not that into you,” which here becomes “TI just isn’t for you.”
Given that in my work I encounter clients of very different levels of security operations maturity, maybe I should tag my blog posts with something like this:
Otherwise, I get comments like “hire a team of 50 and this is easily solved” or “no real organization can ever do that”…
Blog posts related to threat intelligence:
- Threat Intelligence and Operational Agility
- My Threat Intelligence and Threat Assessment Research Papers Publish
- Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
- On Threat Intelligence Management Platforms
- How to Use Threat Intelligence with Your SIEM?
- On Internally-sourced Threat Intelligence
- Delving into Threat Actor Profiles
- On Threat Intelligence Sources
- How to Make Better Threat Intelligence Out of Threat Intelligence Data?
- On Threat Intelligence Use Cases
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Consumption of Shared Security Data
- From IPs to TTPs