Recently, Forrester analyst Rick Holland brought up the point of quality vs. quantity when it comes to threat indicators. We agree, the focus should never be on the quantity of data, it should be on the quality of data. So the question becomes, where and how can you gather or make sense of this quality threat intelligence?
As an industry, we need to work together to understand threat data better. Everyone needs quality data to make decisions. Just like marketing departments need quality data to determine who to market (and sell) to; the SOC, IR, threat, and network defense teams need quality data to make decisions to better protect their infrastructure. People don’t need more data, they need more quality data. This data can come from a variety of places: internal, partners, industry groups and affiliations, open source, and premium paid. In all these cases, the goal is to aggregate them to better understand risk to the organization. Understanding the data is key, and that is where a Threat Intelligence Platform (TIP) comes in. While data providers sell data, platforms organize and make sense of the data, while interfacing with solutions to take action once the data is properly analyzed.
Indicators are core to both threat intelligence data and Threat Intelligence Platforms. ThreatConnect is not a Threat Intelligence provider, in that we do not sell data to our customers. Instead, our software uses open and premium data from some of the best Threat Intelligence providers in the market. Our priority is creating a Threat Intelligence Platform that allows users to make sense of the data and what it means for a specific organization. There is no corporate interest in “one upping” anyone in an old school “my Threat Intel can beat up your Threat Intel” footrace. We focus on delivering quality software that simplifies the production and usage of threat intelligence within the enterprise.
Organizations that are making investments in threat intelligence should not get distracted by numbers of indicators provided within the solution they are evaluating. Without quality indicators, and more importantly, some way of making sense of them, adding more is not going to help. The most valuable indicators are those that are most relevant to your organization. The ability to determine relevance of indicators comes from understanding the data from within your own network. As a matter of fact, often the most valuable indicators come from intelligence gleaned from your own network’s activity and past incidents. Another typically highly relevant source of intelligence comes from collaboration with others - both internal and external through industry communities and other trusted groups. Combine this with the use of external sources that can enrich your understanding of the how, why, and who of an attack pattern, and you have a much clearer picture of the threat and a more sophisticated level of understanding threat intelligence. Although some organizations can do this by hand, it is an arduous process. The best approach is to use a Threat Intelligence Platform to aggregate, analyze, and act in support of threat intelligence driven security operations.
We look forward to discussing the value of a Threat Intelligence Platform, and the benefits of having a platform to understand and work with quality data during the SANS CTI Summit next week. See you there!