
Demystifying threat intelligence: part I

As threat intelligence (TI) continues to evolve and mature, some outdated preconceptions remain. Much of this can be ascribed to the growing spectrum of TI suppliers offering different variations of the same basic concept; it is no wonder many customers are unsure.

At one end, threat intelligence is pushing boundaries and enabling enterprises to achieve cybersecurity goals to the fullest extent; at the other, TI definitions from years past are still the currency in circulation.

Our next two blogs seek to clear up some of this confusion, helping demystify TI and clear up a few myths as the sector matures. Here are the first 5 of 10 points that today’s threat intelligence absolutely is not.

Threat intelligence is NOT raw data

Gartner’s 2019 definition of threat intelligence refers to “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.” It stands to reason: intelligence is wielded exclusively by the intelligent, informed and equipped. Lots of security-related raw data is just a starting point for TI. Dumping all of it onto the enterprise customer is not what threat intelligence is about. So, while TI ingests a lot of raw data, the output must always be actionable, improving decision-making before, during and after a cyberattack.

Threat intelligence is NOT an avalanche of false positives

In the fight against cybercrime, there shouldn’t be such a thing as “too much data”. Alas, the sheer volume and fragmented nature of raw security information can lead to analysis paralysis as limited internal resources and skills struggle to process it into meaningful intelligence. TI can only alleviate this problem with high-quality, well-designed UX (user experience). Unfortunately, a lot of what gets called “threat intelligence” has poor UX, fatigues internal teams with false positives and desensitizes them to real, preventable threats. TI solutions that are worthy of the name harness automation to achieve speed and scale, with highly skilled and experienced human intervention added in to facilitate highly targeted, prioritized, actionable information. The result is far more efficient than the first generations of TI, and provides a solid platform for understanding return on investment.

Threat intelligence is NOT just a Threat Intelligence Platform (TIP)

TIPs are useful for aggregating threat intelligence from multiple sources, deduplicating overlapping data and undertaking correlation and enrichment. However, today’s TI capabilities go far beyond this, combining automated information gathering infrastructure – crawlers, sensors, honeypots, sinkholes and other tooling – with elite security analyst teams that facilitate contextualization and understanding of the intelligence in a unique hybrid model.
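To make the distinction between raw data and actionable intelligence concrete, and to show the aggregation, deduplication and enrichment work a TIP performs, here is a small added example. It is not Blueliv's code or any vendor's product logic: the three feeds, the indicator values, the tags and the scoring rule are all constructed for illustration. It normalizes indicators from several feeds, merges duplicates, records which sources corroborate each one, and ranks the result so a team sees a short prioritized list instead of every raw record.

```python
"""Toy TIP-style pipeline: normalize, deduplicate, enrich and prioritize.

Constructed example; feeds, indicators, tags and the scoring rule are
invented for illustration and do not represent any real feed or vendor.
"""
from dataclasses import dataclass, field

# Constructed sample feeds. Note the duplicates that differ only in
# whitespace, letter case or a trailing dot; a naive string match misses them.
FEED_A = [
    {"indicator": "198.51.100.7", "type": "ipv4", "tags": ["c2"], "seen": "2020-01-10"},
    {"indicator": "example-bad.test", "type": "domain", "tags": ["phishing"], "seen": "2020-01-11"},
    {"indicator": "203.0.113.20", "type": "ipv4", "tags": ["scanner"], "seen": "2020-01-09"},
]
FEED_B = [
    {"indicator": "198.51.100.7", "type": "ipv4", "tags": ["botnet"], "seen": "2020-01-12"},
    {"indicator": "EXAMPLE-BAD.TEST.", "type": "domain", "tags": ["phishing"], "seen": "2020-01-12"},
]
FEED_C = [
    {"indicator": "198.51.100.7 ", "type": "ipv4", "tags": ["c2"], "seen": "2020-01-08"},
]
SAMPLE_FEEDS = {"feed_a": FEED_A, "feed_b": FEED_B, "feed_c": FEED_C}

# Hypothetical tag weights: impact of the behaviour the tag describes.
TAG_WEIGHT = {"c2": 3, "botnet": 3, "phishing": 2, "scanner": 1}


@dataclass
class Enriched:
    """One deduplicated indicator with the context gathered across feeds."""
    indicator: str
    ioc_type: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    first_seen: str = ""   # ISO dates compare correctly as strings
    last_seen: str = ""


def normalize(value: str, ioc_type: str) -> str:
    """Canonical form so that the same indicator from different feeds collides."""
    v = value.strip()
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
    return v


def aggregate(feeds: dict) -> dict:
    """Merge all feed records into one Enriched entry per (indicator, type)."""
    merged = {}
    for name, records in feeds.items():
        for r in records:
            key = (normalize(r["indicator"], r["type"]), r["type"])
            e = merged.setdefault(key, Enriched(key[0], key[1]))
            e.sources.add(name)            # which feeds corroborate it
            e.tags.update(r["tags"])       # union of context from every feed
            e.first_seen = min(filter(None, [e.first_seen, r["seen"]]))
            e.last_seen = max(e.last_seen, r["seen"])
    return merged


def score(e: Enriched) -> int:
    """Constructed ranking rule: independent corroboration counts twice,
    plus the weight of the most severe tag attached to the indicator."""
    return len(e.sources) * 2 + max(TAG_WEIGHT.get(t, 0) for t in e.tags)


def prioritize(merged: dict, limit: int = None) -> list:
    """Return Enriched entries ordered from highest to lowest score."""
    ranked = sorted(merged.values(), key=score, reverse=True)
    return ranked[:limit] if limit else ranked


def raw_record_count(feeds: dict) -> int:
    """How many raw records the feeds contain before deduplication."""
    return sum(len(records) for records in feeds.values())


if __name__ == "__main__":
    merged = aggregate(SAMPLE_FEEDS)
    print(f"{raw_record_count(SAMPLE_FEEDS)} raw records -> {len(merged)} indicators")
    for e in prioritize(merged):
        print(score(e), e.ioc_type, e.indicator, sorted(e.sources), sorted(e.tags),
              e.first_seen, e.last_seen)
```

Six raw records collapse to three indicators, and the one seen by all three feeds with command-and-control context ranks first; the single-source scanner hit ranks last. A real TIP does the same with far more feed formats and enrichment sources, but the value to the analyst comes from exactly this shape of output: fewer, corroborated, contextualized items rather than the raw dump.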

Threat intelligence does NOT operate in a silo

Used correctly, TI provides the necessary context to enhance decision-making in core security processes like incident response and policy enforcement. Rather than being disconnected and at arm’s length from other processes, this TI-based security approach is supported by deep integrations via APIs and plug-ins to SOAR, SIEM and other tooling. Threat intelligence is integral to cyber defense, enabling enterprises to address risks far upstream of their potential impact.

Threat intelligence does NOT have to be expensive

One of the hallmarks of a more mature market for threat intelligence solutions is a move away from vendor-led offerings and from those that deliver functionality on a strictly ‘all or nothing’ basis. Healthy competition is good for keeping costs in check too, though be mindful of hidden charges and look out for opportunities to spend less through volume subscriptions.

Among the most exciting recent developments is the emergence of greater threat intelligence modularity, allowing customers to build a bespoke TI arsenal via a SaaS approach that requires no technology to be installed or deployed on-premise. This approach allows enterprises to satisfy their own unique needs, maximize cost efficiency, minimize maintenance overheads and focus on rapid and measurable ROI.

What’s next?

Threat intelligence has become an exceptionally crowded marketplace and one that Blueliv has a unique perspective on, given our involvement over the last 10 years. Unlike the manually generated, report-centric services delivered on an all-or-nothing basis, Blueliv’s approach is refreshingly different, adopting a fully modular approach that allows customers to address individual use cases and achieve targeted ROI in a very easy-to-use way. And while Blueliv employs a large team of highly experienced security analysts to support unique customer needs and contextualize our threat intelligence solution, it is our commitment to automated technology and processes that provides the necessary scale, speed and agility to deliver true value to threat prevention and incident investigation.

Stay tuned for the next blog post to help demystify the sector.

In the meantime, contact us to speak with an expert or download our Buyer’s Guide to Threat Intelligence free at the following link.
