
How a Lower Maturity Security Organization Can Use Threat Intel?

By Anton Chuvakin | May 16, 2016 | 6 Comments


As we mentioned, we are starting a refresh effort for our threat intelligence paper [Gartner GTP access required]. One thing we may add is more detailed guidance on the usage of threat intel for lower-maturity security organizations. You know, those that just learned to spell “S-I-E-M” and that are constantly pushed to do “more with less…and less…and less…and less.” Those that just hired their first full-time security “expert.” Those NOT at the tip of the maturity pyramid.

So, this post is just me thinking aloud about things like …

How can those organizations benefit from a threat intel subscription or a feed?

…. or, in fact…

Can those organizations benefit from a threat intel subscription or a feed?

… and also…

Given a choice between spending $x0,000 (a sizable, but not an outrageous sum for an annual threat intel subscription) and some other security budget item (tools or people), should they spend it on TI?

… and maybe even….

Can free community and security vendor-included TI be enough for some?

Let’s briefly ponder these questions. Here are some ideas …. with some counter-arguments:

  • A TI feed (as we clarify here) can be directed into a SIEM to improve threat detection (specifically, to catch some threats based on TI vendor knowledge of malicious infrastructure and without writing custom correlation rules) … but improved detection will necessitate response i.e. additional work and thus likely additional people.
  • A TI feed can make your alert triage work better/faster (specifically, TI can boost the importance of some alerts by relating them to malicious infrastructure of a known threat group) … but this implies that an alert triage process is in place and is not outsourced to, say, an MSSP.
  • Naturally, the security incident response process can be intel-enabled and hence improved …. but it implies a degree of security IR maturity and not just a “reimage and forget” process in place.
  • Finally, a well-cleaned TI feed can be directly dropped into preventative controls (firewalls, SWG/proxies, etc) … but – frankly – it won’t be INTELLIGENCE anymore, it would be a shared IP/DNS blocklist.
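To make the first, second and fourth bullets concrete, here is a small added example (mine, not from the original post): a feed with threat-group context and confidence is matched against proxy log lines to raise alerts with a boosted triage priority, and the same feed is “cleaned” into a bare blocklist to show what context is lost in the export. The feed entries, log lines and group names are constructed for illustration.

```python
"""Match SIEM-style events against a threat-intel feed and export a blocklist.

Added example; all indicators, threat-group names and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2016, 5, 16)  # constructed "now" for the age calculation


@dataclass
class Indicator:
    value: str          # IP or domain seen in the feed
    threat_group: str   # the context that makes a feed "intelligence"
    confidence: int     # 0-100, as a vendor might supply it
    last_seen: date


# Constructed feed; the last entry is stale, low-confidence noise that a
# "well-cleaned" feed should drop before it reaches a firewall.
FEED = [
    Indicator("203.0.113.7", "GROUP-A", 90, date(2016, 5, 10)),
    Indicator("bad-cdn.example", "GROUP-B", 75, date(2016, 5, 12)),
    Indicator("198.51.100.9", "unknown", 20, date(2015, 1, 3)),
]

# Constructed proxy log lines: timestamp, source host, destination.
LOGS = [
    "2016-05-16T10:01:00 ws-042 203.0.113.7",
    "2016-05-16T10:02:00 ws-017 www.example.org",
    "2016-05-16T10:03:00 ws-042 bad-cdn.example",
    "2016-05-16T10:04:00 ws-099 198.51.100.9",
]


def enrich(log_lines, feed, today):
    """Flag destinations found in the feed; priority follows the indicator's
    confidence and freshness instead of a hand-written correlation rule."""
    index = {i.value: i for i in feed}
    alerts = []
    for line in log_lines:
        _ts, host, dest = line.split()
        hit = index.get(dest)
        if hit is None:
            continue
        fresh = (today - hit.last_seen).days <= 30
        priority = "high" if hit.confidence >= 70 and fresh else "low"
        alerts.append({"host": host, "dest": dest,
                       "group": hit.threat_group, "priority": priority})
    return alerts


def clean_blocklist(feed, today, min_confidence=70, max_age_days=30):
    """What survives a drop into preventative controls: bare values only,
    filtered by confidence and age; the threat-group context does not."""
    return sorted(i.value for i in feed
                  if i.confidence >= min_confidence
                  and (today - i.last_seen).days <= max_age_days)
```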

So, you need to make up your own mind, but it is entirely possible that many lower-maturity security organizations CANNOT benefit from TI. As they said in the movie, “he is just not that into you,” which here becomes “TI just isn’t for you.”

Given that in my work I encounter clients of very different levels of security operations maturity, maybe I should tag my blog posts with something like this:

sec ops maturity-marker

Otherwise, I get comments like “hire a team of 50 and this is easily solved” or “no real organization can ever do that”…

Blog posts related to threat intelligence:



6 Comments

  • Daya Puls says:

    My simple-minded understanding is that TI is not useful to an organization that does not understand their risks or does not monitor their corporate assets (i.e. they only monitor the firewalls on the DMZ). You know, getting climate reports for coastal flooding when my company is based in Colorado, USA. Sigh…

  • Darin Dutcher says:

    Careful, a feed does not equal intelligence…

    • Agreed, but we consider threat / indicator feeds to be A TYPE OF threat intel. So, feed != TI, but feed is a type of TI (we sometimes call it MRTI or tactical TI)

  • Jason Pender says:

    Great questions. I believe these organizations would be best leveraging TI services from regional MSSPs. At Jigsaw we are working with a number of these to build threat streaming and security analytics services for the mid market on our MISP based Elastic platform.