Balancing the Sharing of Information

CyberSecurity Journal

Subscribe to CyberSecurity Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get CyberSecurity Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Security Authors: Ambuj Kumar, Shelly Palmer, Slavik Markovich, Elizabeth White, Greg Ness

Related Topics: Cloud Computing, Security Journal, CyberSecurity Journal

Blog Feed Post

Context (& Quality) Is King with Threat Intelligence By @AdamDVincent [#Cloud]

As an industry, we need to work together to understand threat data better

Recently, Forrester analyst Rick Holland brought up the point of quality vs. quantity when it comes to threat indicators. We agree, the focus should never be on the quantity of data, it should be on the quality of data. So the question becomes, where and how can you gather or make sense of this quality threat intelligence?


As an industry, we need to work together to understand threat data better. Everyone needs quality data to make decisions. Just like marketing departments need quality data to determine who to market (and sell) to; the SOC, IR, threat, and network defense teams need quality data to make decisions to better protect their infrastructure. People don’t need more data, they need more quality data. This data can come from a variety of places: internal, partners, industry groups and affiliations, open source, and premium paid. In all these cases, the goal is to aggregate them to better understand risk to the organization. Understanding the data is key, and that is where a Threat Intelligence Platform (TIP) comes in. While data providers sell data, platforms organize and make sense of the data, while interfacing with solutions to take action once the data is properly analyzed.

Indicators are core to both threat intelligence data and Threat Intelligence Platforms. ThreatConnect is not a Threat Intelligence provider, in that we do not sell data to our customers. Instead, our software uses open and premium data from some of the best Threat Intelligence providers in the market. Our priority is creating a Threat Intelligence Platform that allows users to make sense of the data and what it means for a specific organization. There is no corporate interest in “one upping” anyone in an old school “my Threat Intel can beat up your Threat Intel” footrace. We focus on delivering quality software that simplifies the production and usage of threat intelligence within the enterprise.

Organizations that are making investments in threat intelligence should not get distracted by numbers of indicators provided within the solution they are evaluating. Without quality indicators, and more importantly, some way of making sense of them, adding more is not going to help. The most valuable indicators are those that are most relevant to your organization. The ability to determine relevance of indicators comes from understanding the data from within your own network. As a matter of fact, often the most valuable indicators come from intelligence gleaned from your own network’s activity and past incidents. Another typically highly relevant source of intelligence comes from collaboration with others – both internal and external through industry communities and other trusted groups. Combine this with the use of external sources that can enrich your understanding of the how, why, and who of an attack pattern, and you have a much clearer picture of the threat and a more sophisticated level of understanding threat intelligence. Although some organizations can do this by hand, it is an arduous process. The best approach is to use a Threat Intelligence Platform to aggregate, analyze, and act in support of threat intelligence driven security operations.

We look forward to discussing the value of a Threat Intelligence Platform, and the benefits of having a platform to understand and work with quality data during the SANS CTI Summit next week. See you there!

Read the original blog entry...

More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.