Five tips on how to select your threat intelligence solution
Traditional defenses have proven insufficient in protecting organisations from adversaries who are increasingly exploiting the digital shadows of organisations to launch targeted attacks. Now, more than ever, organisations are seeking to understand which actors pose a viable threat to their assets and business operations. As a result, many are taking the next step in their journey to strengthen their defenses by turning to cyber threat intelligence. But what exactly is cyber threat intelligence?
There are many different definitions of cyber threat intelligence and, as a result, varying expectations of what cyber threat intelligence can do. One of the most straightforward definitions comes from the CBEST Threat Intelligence Framework paper that says, “Information about threats and threat actors that provide relevant and sufficient understanding for mitigating the impact of a […] harmful event.”
The number of definitions nearly exceeds the number of new information security firms offering cyber threat intelligence. In fact, a new report by Forrester Research, Vendor Landscape: S&R Pros Turn to Cyberthreat Intelligence Providers for Help, includes 20 cyber threat intelligence vendors. This underscores the rising prominence of cyber threat intelligence as a security tool, as well as the potential for confusion when selecting a vendor.
As a security and risk professional, how do you navigate your way through these murky waters and choose a cyber threat intelligence solution that will best meet your needs? As with many areas in security, there is no silver bullet for cyber threat intelligence.
The following five tips can help you be judicious when assessing the market and your options.
#1 Varied sources
Volume and variety of sources are among the most important characteristics of a threat intelligence provider. A provider that covers many sources, millions rather than thousands of unique domains, will reduce the chance of threats going unnoticed. Multilingual support across Web and Internet services, public and private forums and a range of media types, such as IRC chats, email and video, is also important. To get the best coverage you will likely need to work with multiple providers.
#2 False alarms
Broad coverage must be balanced against the accuracy of alerts. Look for a provider that combines high-volume cyber threat intelligence with curated and tailored cyber threat intelligence to increase the accuracy of the intelligence.
#3 Receive alerts
Accuracy is important, but if the information is received too late it may be irrelevant or not actionable. Look for vendors who can provide immediate alerts and can access data from previous years, which can provide valuable clues and early insights into potential events.
No matter how advanced an offering may be, no single vendor can satisfy all your needs. Any provider must be able to demonstrate the ability to use APIs to integrate with other solutions and with sharing communities such as FS-ISAC and CISP. Support for standards such as OpenIOC and STIX is also important, as well as integration with threat intelligence platforms like ThreatConnect and ThreatQuotient.
#5 Tailored service
The most valuable intelligence is specific to your organisation and assets, not simply to your geography and sector. To keep the volume of alerts from becoming overwhelming, there should be a mechanism in place to prioritise them. A provider that also offers formal feedback processes can use that information to further tailor the service to your needs.
Cyber threat intelligence is critical for organisations that want to gain a comprehensive, tailored and relevant view of the potential threats and types of attackers that could be targeting them. But attackers never rest and neither can organisations in their quest for better threat protection and risk mitigation.
Alastair Paterson is the CEO and Co-Founder of Digital Shadows.