Connect with us

Hi, what are you looking for?


Security Architecture

Are You Getting the Most from Your Threat Intelligence Subscription?

The Value of Knowing More About Threats is Limited When it Cannot be Applied to Prevent Threats 

The Value of Knowing More About Threats is Limited When it Cannot be Applied to Prevent Threats 

Thanks to how connected the Internet has made us all, including cyber attackers, stolen user credentials and easy to obtain, automated tools for conducting cyberattacks are available to anyone with a Bitcoin account. This has led to a rise in the number of network breaches and their financial impact. Last year, the Ponemon Institute reported an 82 percent increase in the cost of cyberattacks over the last six years. In light of this, organizations are looking to increase their knowledgebase of threat intelligence data to better equip their security teams with the latest information on new and existing attack methods and how to stop them.

Many organizations, in order to ensure they getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees. But in the rush to sign up for the latest and greatest threat subscription, my guess is that most organizations don’t have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices, meaning the ROI for their subscription payments may be extremely low.

Threat Intelligence Feed

The value of knowing more about threats is limited when it cannot be actually applied to prevent threats. Not only his, but even when a solid plan exists for ingesting data into the system, it often requires additional headcount, layering on further cost and complexity.

Additionally, multiple subscriptions mean multiple daily threat updates, many of which may be redundant. These redundancies can lead to wasted time as security teams try to consolidate the information received from multiple sources into their existing security architecture. This consolidation is further complicated by the fact that different feeds often present their threat findings in different ways, forcing security teams to spend more time getting the feeds translated into a common format that can be used by their existing security infrastructure.

In an effort to be thorough and to limit their liability, most threat intelligence feeds tend to report each new cyberthreat as a serious security risk, which is simply not the case. In actuality, the vast majority of threats listed in a threat intelligence subscription’s daily report are common, commodity attacks that are already “known,” and can easily be dealt with by existing security systems. When all threats are classified as serious, security teams have little context to work from as they try to analyze inbound threats and triage them in order of risk potential. Further complicating the situation is the fact that with some slight changes to the malware, cyberattackers can make existing threats appear to be “new,” when in reality they are from the same malware family. For traditional feeds, even the slightest change would result in another alert, even though only the filename, hash, or some other easily changed variable has shifted.

In light of the problems mentioned above, I would encourage organizations using threat subscriptions to take a moment and ask themselves the following questions:

1. If using multiple threat subscriptions, does the security team know how much redundancy exists between them?

Advertisement. Scroll to continue reading.

2. Is it easy to integrate the intelligence received from my subscriptions into my existing security infrastructure? Can the security team evaluate inbound threat intelligence and convert it into an actual security policy quickly and without the need for manual configuration?

3. Do my threat subscriptions provide enough information to put the severity of each threat in the proper context?

4. Does my threat subscription track cyberthreats specifically targeting my industry?

If the answer to any of these questions is no, then I would argue that a more in depth audit of current threat intelligence subscriptions needs to be conducted. In addition, I would also recommend organizations find out how they can automate the application of threat intelligence to their security architecture. This would allow most threats to be resolved in real time and without the need for slower, more costly human intervention.

Adding threat intelligence to your security posture is a strong solution for keeping a network protected against new and existing cyberthreats, but only if an organization takes the necessary steps to quickly and easily apply that intelligence to actual security policy.

Related Reading: Distinguishing Threat Intelligence From Threat Data

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...