There is No Threat Intelligence Type That Is Objectively Better Than Others
In May 2019, Flashpoint CEO Josh Lefkowitz shared in SecurityWeek tips for evaluating threat intelligence vendors that cover the deep and dark web. While indeed helpful for those who seek such services, as I have established in my previous coolumn, not every company actually needs deep and dark web monitoring. Therefore, I wanted to look at the entire threat intelligence space and provide some thoughts on how to evaluate the best vendors for you. After all, the offerings of the vendors in this space can vary dramatically in concept and execution, many have nothing to do with the dark web yet their intelligence can be crucial to many organizations.
Understanding What You Need is Key
Threat intelligence is a term that is used to cover quite a few different offerings, all with the common denominator that the deliverables contain data that should be helpful in improving the overall security posture of the organization. This means that “Threat Intelligence” can be a blacklist of known malware servers, mentions in dark web discussions, or identifying that a threat actor has registered a domain very similar to the company’s. Data provided as part of threat intelligence deliverables can range between generic and customer-specific, FYI and actionable, broad and very specific, raw data and fully analyzed, and various other aspects. To make matters even more complex, some threat intelligence offerings focus on proactively identifying potential threats and reporting on them, while others focus on enriching information already in possession of the customer. For example, if a SOC has identified an incident involving an IP address and wants to receive more information on that IP address. Proactive identification of threats and enriching data are two completely different use cases that provide value in different parts of the security operations.
There is no threat intelligence type that is objectively better than the others. It really depends on the needs each organization – a certain security operation may specifically want the ability to receive intelligence on IP addresses or domains that they see during incident investigation, while others may want to focus on bolstering their malware detection or identifying external threats. The first stage before evaluating intelligence vendors is identifying where you need threat intelligence to support your operation. It is most likely that there are several use cases for threat intelligence in your operation and if that is indeed the case, since budget is limited, a priority should be given to each. This is very much affected by the organization’s type (a B2B manufacturer is exposed in different ways than a B2C company with an e-commerce site), size, and security maturity. Once these use cases are identified and prioritized, the most relevant vendors can be picked out and evaluated.
Execution
Not only do threat intelligence offerings vary in concept, but they can vary in their execution as well. Two vendors that offer the same type of intelligence can be dramatically different in terms of deliverables and overall performance. There are several aspects that are important to evaluate in any threat intelligence offering.
First, is coverage. No matter if the provided intelligence is dark web discussions, similarly registered domains, rogue mobile applications, or malware IOCs, it is important for a vendor to have the best coverage possible. The better the coverage, the lower the chances are that a crucial finding would be missed. That said, it is important to stress out that there isn’t a single vendor that has 100% coverage (or even close to it) and it would be incredibly rare for two vendors to have the exact same coverage.
The second aspect that is important to evaluate is the number of false positives. Even if a service provides great findings, but for every true positive there are a thousand false positives your analysts need to go over, then it is not a very good service. The amount of effort required by your team to obtain value from the intelligence should be a primary metric. Generating a lot of false positives at the beginning of the service or trial is not a cardinal sin, what’s important is how easy it is to fine-tune the intelligence generation process in order to get things balanced, where the filtering is good enough not to generate too many false positives on one hand but not miss any true positives on the other.
The last aspect is the technology. How do you receive the deliverables? is there a dashboard? what features does it have? how easy is it to set things up? is there an API? all these questions can be very important, as your team is going to be reliant on the vendors that you pick, so work has to be as simple and effective as possible. Relevant integration options are a major plus, as “dashboard fatigue” is an ever-growing issue in security teams.
Cost
Just as threat intelligence varies in concept and execution, so do the price points of the available services. Pricing can be a key issue, not only in determining whether a certain service can be afforded, but also in defining the entire threat intelligence strategy.
Some vendors, mostly the larger ones, try to be a one-stop-shop, offering dark web, malware IOCs, data enrichment and more, all under the same roof. They use their vast resources to try and cover all the different aspects of threat intelligence so their offering would be relevant no matter what you look for. Other vendors may focus on certain niches where they have a specific proficiency.
Going back to my point that no vendor has 100% coverage, it is recommended to consider a multi-vendor strategy. This way, you are both covering more sources and it also allows you to better compare what you are getting in the areas that do overlap. If you apply this strategy, you can then find the mix that is right for you in terms of vendor coverage (its variety and depth).
The threat intelligence space is filled with great vendors who can provide organizations with a lot of value in helping them protect their brand, employees and customers. As with any purchase, it is important to make the one that is most suitable to your specific needs. The space is also abundant with innovation and disruptive companies, so it is recommended to always be open to trying out new offerings.
Related: How Strategic Cyber Threat Intelligence Fits Into Your Security Program
Related: Five Steps to Turn Threat Intelligence into a Threat Operations Program
Tags:
