Threat intelligence is emerging as a topic of both interest and debate within the infosec community. The fact that there's interest probably isn't hard to understand in light of the growing volume of security related information organizations receive.
For the average security practitioner, information about threats arrives in a nearly constant stream via a hodgepodge of formats and channels -- emails from vendors, bulletins from a variety of sources, word of mouth from colleagues, news updates from the industry press and so on. The information supplied via these various updates covers a number of disparate topics, from specific vulnerability information to attacker tools and techniques to information about who's been attacked most recently.
Given this barrage, anything that promises to assist in navigating this information -- and making it more actionable -- is going to be of interest.
However, there's also some debate. While some industry pros view threat intelligence as a critical component of their security program, others think it's just another industry fad with comparatively little value.
Advocates of threat intelligence say that only by understanding the motives, methods and actions of attackers can we effectively defend against them; skeptics say security is all aboutthe fundamentals, and that anything that distracts from those fundamentals is noise.
Who's right? Both camps are. As with most things, value is subjective and mileage will vary from organization to organization. This is based in large part on organization-specific factors, including how it defines threat intelligence, the data the organization evaluates, the maturity of the shop in question and the use cases for the data.
Chief among the value considerations is integration with existing data and processes -- meaning, the value threat intelligence will or won't have depends on the degree to which it's integrated into other security-related processes and data.
Data that is reconciled with internal information and used directly to support existing processes is likely to be useful. Data that is siloed among a closed community (or that's "shunted" to places where operational staff can't make use of it) won't be useful.
As threat intelligence data proliferates and becomes more useful, some vendors are beginning to tie that data more closely to their internal security monitoring, which is often doen through security information and event monitoring (SIEM) systems. Security vendor Vigilant, for example, has created a set of tools that integrate SIEM with more than 40 different sources of threat intelligence, enabling enterprises to view both the external threat and its potential impact on internal security posture.
In terms of tactical integration, the goal isn't to replace other controls. Recall that most security organizations have already invested (in some cases heavily) in internally focused security capabilities and protection mechanisms. The goal is to funnel threat intelligence to these tools in order for them to function more effectively.
To read more about how organizations can tie threat intelligence to their internal security systems -- particularly security monitoring tools -- download the free report.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.