How Much Threat Intelligence Is Too Much?
Turn your threat data into actionable intelligence by focusing on what is relevant to you and your organization.
“The definition of insanity is to do the same thing over and over and expect different results.”
– Albert Einstein
I believe there is a misconception in the security industry that if you add more threat intelligence, you’ll better protect your organization. As an industry, we have more data to comb through every day. None of that data is actionable, or even intelligence, until context is attached to it. So one approach most organizations take to gain that context is to subscribe to various threat intelligence feeds as an early-warning system for potential indicators of compromise (IoCs) in their environment. However, with a limited budget for threat feeds and a finite amount of time and people to analyze the data, just how much intelligence is too much?
What exactly do we mean by threat intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” – Gartner Research
In order for a threat to exist, there must be a combination of intent, capability, and opportunity. Without these three factors, the risk an organization faces isn’t critical at that time:
Intent is a malicious actor’s desire to target your organization
Capability is an actor’s means to do so (such as specific types of malware or exploit kits)
Opportunity
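The three factors above can be turned into a relevance filter over raw feed data. The following is an added example, not code from the article or from any feed vendor: it merges duplicate indicators seen across several constructed feeds, scores each one against a hypothetical organization profile on intent (the actor targets our sector), capability (the tooling works against technology we run) and opportunity (assumed here to mean an exposure still open in our own environment, since the article stops before defining it), and promotes only indicators that satisfy all three. The organization profile, the feed entries, and the VULN-PLACEHOLDER identifiers are all constructed for the example.

```python
"""Relevance triage for threat-feed indicators (added example, not from the article).

Each indicator is scored against an organization profile on the three factors
the article names: intent, capability, opportunity. Only indicators that score
on all three are promoted from raw feed data to actionable intelligence.
"""
from dataclasses import dataclass


@dataclass
class OrgProfile:
    sector: str              # industry the organization belongs to
    technologies: set        # platforms actually deployed in the environment
    unpatched: set           # vulnerability ids still open (placeholders here)


@dataclass
class Indicator:
    value: str               # IoC value (domain, IP, hash); constructed samples
    source: str              # feed that reported it
    targeted_sectors: set    # sectors the feed says the actor goes after
    requires: set            # technology the actor's tooling works against
    exploits: set            # vulnerability ids the tooling exploits (placeholders)


def score(ind: Indicator, org: OrgProfile) -> int:
    """Return 0-3: one point each for intent, capability and opportunity."""
    intent = org.sector in ind.targeted_sectors
    capability = bool(ind.requires & org.technologies)
    opportunity = bool(ind.exploits & org.unpatched)   # assumption: open exposure
    return int(intent) + int(capability) + int(opportunity)


def triage(indicators, org: OrgProfile):
    """Merge duplicate IoC values reported by several feeds, keep the best score,
    and split out the indicators that satisfy all three threat factors."""
    merged = {}
    for ind in indicators:
        entry = merged.setdefault(ind.value, {"sources": set(), "score": 0})
        entry["sources"].add(ind.source)
        entry["score"] = max(entry["score"], score(ind, org))
    actionable = {v: e for v, e in merged.items() if e["score"] == 3}
    return actionable, merged


# Constructed organization profile and feed entries for the demonstration.
SAMPLE_ORG = OrgProfile(
    sector="finance",
    technologies={"windows", "exchange"},
    unpatched={"VULN-PLACEHOLDER-1"},
)

SAMPLE_FEEDS = [
    Indicator("evil.example", "feedA", {"finance"}, {"windows"}, {"VULN-PLACEHOLDER-1"}),
    Indicator("evil.example", "feedB", {"retail"}, {"windows"}, {"VULN-PLACEHOLDER-1"}),
    Indicator("bad.example", "feedA", {"energy"}, {"scada"}, {"VULN-PLACEHOLDER-2"}),
    Indicator("203.0.113.7", "feedC", {"finance"}, {"linux"}, {"VULN-PLACEHOLDER-3"}),
]


def run_example():
    """Triage the constructed feeds against the constructed organization."""
    return triage(SAMPLE_FEEDS, SAMPLE_ORG)


if __name__ == "__main__":
    actionable, merged = run_example()
    print(f"{len(merged)} unique indicators from {len(SAMPLE_FEEDS)} feed entries")
    for value, entry in merged.items():
        flag = "ACTIONABLE" if value in actionable else "noise"
        print(f"{value:14} score={entry['score']} sources={sorted(entry['sources'])} {flag}")
```

Two feeds reporting the same indicator collapse to one record, which is where overlapping subscriptions stop adding value, and three of the four entries never reach an analyst because at least one of intent, capability or opportunity is missing for this organization. The thresholds and the weighting are the assumption to revisit for a real environment.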