5 Reasons Why Threat Intelligence Doesn't Work

Cybersecurity folks often struggle to get threat intelligence's benefits. Fortunately, there are ways to overcome these problems.

Jonathan Zhang, CEO/Founder of WhoisXML API and TIP

November 7, 2018

5 Min Read

Offense is the best defense. To defend well, we must take the initiative. When we are aware, we can prepare. Whatever the motto of your cybersecurity team, fighting cybercrime requires keeping an ear to the ground to anticipate threats.

That's what threat intelligence is all about, isn't it? Identifying and mending the weak spots of corporate IT infrastructure before someone maliciously exploits them instead. At least that's what the theory says. And many organizations are buying into it as global spending in threat intelligence services will surpass $1.4 billion in 2018 — up from $905.5 million in 2014.

The problem is, CSOs and cybersecurity folks often struggle to understand threat intelligence's benefits. Let's examine the reasons why and who's to blame — and how to move beyond those problems.

1. Mismatch with Particular Cybersecurity Needs.
Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.

Instead, threat intelligence solutions must be implemented as per the particular security needs of each organization, suborganizations, or even department — or all that's being achieved is accumulating irrelevant data that gives a false sense of security.

A financial services company, for example, probably wants to pay close attention to website forgery and malicious contact forms aimed at deceiving targets into revealing their credit card and bank account numbers.

A pressing concern for technology providers, in parallel, is making sure proprietary information (such as trade secrets and R&D advancements) do not fall into the wrong hands, be it due to email spoofing, poor encryption, or malware.

2. No Resources to Act Upon Threat Intelligence
Say that you have access to insights. How do you intend to use that information to respond to threats coming your way? The reality is that 44% of daily security alerts are never investigated, and threat intelligence data may end up unutilized, too, for a variety of reasons.

It could be that nobody in the organization knows how to interpret what they're looking at, much less act on it. Or they may lack leadership's commitment to the cause and the corresponding budget needed to lift up defenses.

Either way, knowing there is something wrong without understanding security flaws or having the means to resolve the situation does not reduce the prevalence or intensity of cyberattacks.

To overcome that gap, it's advisable to get C-level sponsors who are ready to allocate resources to train relevant employees about threat intelligence's working practices and the concrete steps for tackling flagged vulnerabilities.

3. Treating Threat Intelligence Like Any Other Cybersecurity Effort
There is an undeniable connection between threat intelligence and other cybersecurity initiatives. Threat intelligence is here to provide direction to security awareness undertakings, spot server misconfigurations, and stay on top of new forms of malware, among other things.

Following that train of thought, it is easy to assume that any security professional is ready to handle threat intelligence like a pro. However, there is a significant disparity in orientation and methodology.

More than anything else, threat intelligence is the job of an analyst whose expertise helps make sense of the big picture and establish a cybersecurity road map for proactive threat prevention and interception. That's much unlike the role of an incident response specialist trained to be reactive and respond to individual threats as they occur.

Acknowledging the discrepancy is essential, and that means responsibilities may need to be redistributed within cybersecurity teams — potentially dedicating someone to monitoring threats as they emerge in light of existing and recently acquired online assets.

4. Failing to Integrate Threat Intelligence
How can you make sure that your cybersecurity staff uses threat intelligence insights? The quickest path to product adoption is often by linking innovations to what users already know, and threat intelligence is no exception.

In fact, it's essential to connect threat intelligence and its data feeds to commonly deployed software such as, for example, security information and event management applications. Doing so will speed up implementation and make insights more accessible as part of a comprehensive cybersecurity program.

Lack of integration, on the other hand, not only makes threat intelligence less effective, it also adds to the workload of cybersecurity teams that need to manually assemble and compare data from yet another source to assess the infrastructure's well-being.

5. Disregarding the Lingo of Threat Intelligence
Depending on whom you ask, threat intelligence can mean different things, and its corresponding language can vary significantly. Fail to account for this and stakeholders at various levels of the organization may quickly get lost in translation.

When senior managers talk about threat intelligence, chances are that the focus will be on high-level decision-making. Where should this financial year's security budget be spent? Which technology vendors should be kicked out for not being compliant with corporate security policies?

But sit with cybersecurity analysts and the conversation will quickly take a technical turn. Are our SSL certificates up to date? Shall we better connect to that malware database to stay on top of ransomware attacks? What are the top 100 websites employees interact with on a daily basis?

Through internal communications and awareness initiatives, it's necessary to ensure interested parties become aware of the different perspectives threat intelligence can take. In general, these can be broken down into two levels, one being concerned about strategic undertakings such as M&A and long-term partnerships, and the other about operational matters — e.g., the reinforcements, fixes, and configurations of websites, servers, and applications.

Threat intelligence, like any other new practice, comes with its load of promises and benefits — most of which have seduced CSOs and their security teams. Misconceptions and misunderstandings like the ones discussed in this post, however, will keep on delaying threat intelligence's full-blown deployment and potential to tackle cybercrime.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Jonathan Zhang

CEO/Founder of WhoisXML API and TIP

Jonathan Zhang, CEO/Founder of WhoisXML API and TIP, is a serial entrepreneur in the infosec industry and the founder of whoisxmlapi.com and threatintelligenceplatform.com. He has vast experience in building tools, solutions, and systems for CSOs, security analysts, and third-party vendors, and he enjoys giving practical tips for better threat detection and prevention.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights