
Are You Getting the Most from Your Threat Intelligence Subscription?

The Value of Knowing More About Threats is Limited When it Cannot be Applied to Prevent Threats 

Thanks to how connected the Internet has made us all, including cyber attackers, stolen user credentials and easy-to-obtain, automated tools for conducting cyberattacks are available to anyone with a Bitcoin account. This has led to a rise in the number of network breaches and their financial impact. Last year, the Ponemon Institute reported an 82 percent increase in the cost of cyberattacks over the last six years. In light of this, organizations are looking to expand their knowledge base of threat intelligence data to better equip their security teams with the latest information on new and existing attack methods and how to stop them.

Many organizations, in order to ensure they are getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees. But in the rush to sign up for the latest and greatest threat subscription, my guess is that most organizations don’t have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices, meaning the ROI for their subscription payments may be extremely low.

The value of knowing more about threats is limited when it cannot actually be applied to prevent threats. Not only this, but even when a solid plan exists for ingesting data into the system, it often requires additional headcount, layering on further cost and complexity.

Additionally, multiple subscriptions mean multiple daily threat updates, many of which may be redundant. These redundancies can lead to wasted time as security teams try to consolidate the information received from multiple sources into their existing security architecture. This consolidation is further complicated by the fact that different feeds often present their threat findings in different ways, forcing security teams to spend more time getting the feeds translated into a common format that can be used by their existing security infrastructure.

In an effort to be thorough and to limit their liability, most threat intelligence feeds tend to report each new cyberthreat as a serious security risk, which is simply not the case. In actuality, the vast majority of threats listed in a threat intelligence subscription’s daily report are common, commodity attacks that are already “known,” and can easily be dealt with by existing security systems. When all threats are classified as serious, security teams have little context to work from as they try to analyze inbound threats and triage them in order of risk potential. Further complicating the situation is the fact that with some slight changes to the malware, cyberattackers can make existing threats appear to be “new,” when in reality they are from the same malware family. For traditional feeds, even the slightest change would result in another alert, even though only the filename, hash, or some other easily changed variable has shifted.

In light of the problems mentioned above, I would encourage organizations using threat subscriptions to take a moment and ask themselves the following questions:

1. If using multiple threat subscriptions, does the security team know how much redundancy exists between them?

2. Is it easy to integrate the intelligence received from my subscriptions into my existing security infrastructure? Can the security team evaluate inbound threat intelligence and convert it into an actual security policy quickly and without the need for manual configuration?

3. Do my threat subscriptions provide enough information to put the severity of each threat in the proper context?

4. Does my threat subscription track cyberthreats specifically targeting my industry?

If the answer to any of these questions is no, then I would argue that a more in-depth audit of current threat intelligence subscriptions needs to be conducted. In addition, I would also recommend organizations find out how they can automate the application of threat intelligence to their security architecture. This would allow most threats to be resolved in real time and without the need for slower, more costly human intervention.
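As an added illustration (not part of the original column) of the redundancy, format-translation and "same family, new hash" problems described above, and of how a team might answer questions 1 through 3 with a measurement rather than a guess, the script below normalizes two constructed feeds (one CSV, one JSON, with different field names and severity labels) into a common schema, computes how much of the indicator set is shared between them, and collapses indicators by malware family so that a renamed or re-hashed variant of a known family is not treated as a new, serious threat. All indicators, family names and field names are made up for the example.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds (no real indicators). Feed A is CSV, feed B is JSON,
# and they disagree on field names, case and severity vocabulary.
FEED_A_CSV = """indicator,kind,severity,family
0123456789abcdef0123456789abcdef,md5,critical,ExampleLoader
198.51.100.23,ip,critical,ExampleLoader
example-bad.test,domain,critical,GenericDropper
"""

FEED_B_JSON = json.dumps([
    {"ioc": "0123456789ABCDEF0123456789ABCDEF", "ioc_type": "hash-md5", "risk": "high", "threat": "ExampleLoader"},
    {"ioc": "203.0.113.9", "ioc_type": "ipv4", "risk": "high", "threat": "ExampleLoader"},
    {"ioc": "example-bad.test", "ioc_type": "fqdn", "risk": "medium", "threat": "GenericDropper"},
])

# Map each vendor's type vocabulary onto one internal vocabulary.
KIND_MAP = {"md5": "hash", "hash-md5": "hash", "ip": "ip", "ipv4": "ip",
            "domain": "domain", "fqdn": "domain"}


def normalize_a(text):
    """Feed A (CSV) -> common records: lower-cased value, mapped kind, family, source."""
    return [{"value": r["indicator"].lower(), "kind": KIND_MAP[r["kind"]],
             "family": r["family"], "source": "A"}
            for r in csv.DictReader(io.StringIO(text))]


def normalize_b(text):
    """Feed B (JSON) -> the same common record shape."""
    return [{"value": r["ioc"].lower(), "kind": KIND_MAP[r["ioc_type"]],
             "family": r["threat"], "source": "B"}
            for r in json.loads(text)]


def redundancy(records):
    """Fraction of distinct indicators that more than one feed reports (question 1)."""
    sources = defaultdict(set)
    for r in records:
        sources[(r["kind"], r["value"])].add(r["source"])
    shared = sum(1 for s in sources.values() if len(s) > 1)
    return shared / len(sources)


def triage(records, known_families):
    """Collapse indicators by family: a re-hashed variant of a family already covered
    by existing controls is 'known', so only genuinely new families need analyst time."""
    by_family = defaultdict(set)
    for r in records:
        by_family[r["family"]].add((r["kind"], r["value"]))
    return {fam: ("known" if fam in known_families else "new", len(iocs))
            for fam, iocs in by_family.items()}
```

With the constructed feeds, half of the distinct indicators are duplicated across the two subscriptions, and the three ExampleLoader indicators collapse into one already-covered family.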

Adding threat intelligence to your security posture is a strong solution for keeping a network protected against new and existing cyberthreats, but only if an organization takes the necessary steps to quickly and easily apply that intelligence to actual security policy.

Related Reading: Distinguishing Threat Intelligence From Threat Data
