Connect with us

Hi, what are you looking for?


Security Infrastructure

The ART of Making Threat Intelligence Actionable

Actionable Threat Intelligence Enables a Proactive Approach to Cybersecurity, with Connectivity to the Entire Security Footprint

Actionable Threat Intelligence Enables a Proactive Approach to Cybersecurity, with Connectivity to the Entire Security Footprint

They say that finance is both art and science. Modern financial theories wouldn’t have been possible without science laying the groundwork for the statistical models and analysis. But human emotions and “gut” also play a huge role in financial decision making. Medicine is similar – while steeped in science, a physician’s intuition and judgement play heavily in personalized care. Cybersecurity is much the same.

As I discussed in my last article, there’s no lack of threat data that can be turned into threat intelligence by overlaying context and applying sophisticated analytics. But there’s also an ‘art’ to understanding what is meaningful to your organization and the best course of action to take. You have to consider the accuracy, relevance and timeliness of the intelligence.

Accuracy: Is the intelligence reliable and detailed?

Relevance: Does the intelligence apply to your business or industry?

Timeliness: Is the intelligence being received with enough time to do something?

These three attributes help define “actionable” intelligence. The catch is that you can really only have two of the three, so you need to determine what’s most important to your business. If you need intelligence as fast as possible to deploy out to your sensors, then accuracy may suffer and you might expect some false positives. If the intelligence is accurate and timely, then you may not have been able to conduct thorough analysis to determine if the intelligence is actually relevant to your industry or business. This could result in expending resources on something that doesn’t present a lot of risk. And creating comprehensive reports with extensive analysis to ensure reliability and relevance, could result in intelligence that’s received too late to be actionable, or may have become stale and no longer of value.

These tradeoffs and decisions are best made by humans working together. For example you may know you’re already protected against a certain type of malware, or that certain threats target systems you don’t have, or you may be willing to take your chances with a specific type of attack. Analysts’ judgement, intuition and institutional knowledge contribute to the art of making threat intelligence actionable.

Advertisement. Scroll to continue reading.

Ultimately, “actionable” is defined by the user. The SOC typically looks for IP addresses, domain names, and other indicators of compromise – anything that will help to detect and contain a threat and prevent it in the future. For the network team it’s about hardening defenses with information on vulnerabilities, signatures and rules to update firewalls, and patch and vulnerability management systems. The Incident Response team needs intelligence about the adversary and the campaigns involved so they can investigate and remediate.

Risk Management needs to understand the impact on data and other digital assets to align threat with vulnerability and the effect on the business or organization. And the executive team and Board need intelligence about threats in business terms – the financial and operational impact – in order to increase revenue, and protect shareholder value and the company as a whole. Analysts must work together and across the organization to provide the right intelligence in the right format and with the right frequency so that it can be used by multiple teams.

Actionable threat intelligence allows organizations to take a proactive approach to cybersecurity, with connectivity to the entire security footprint – feeding information to the sensor grid, SIEM, logs, and ticketing systems to strengthen defenses; back to the data sources and database to manage the quality of the data; and out to the breadth of business users to communicate risk. But it can only be achieved when humans and technology collaborate to bring science and art together.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.


Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon