Threat Intelligence

Tackling the Challenge of Actionable Intelligence Through Context

Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization.


Recognition of the importance of threat intelligence has been building for years. But it has taken center stage as the acceleration of digital transformation and the shift to hybrid work models have expanded the attack surface, and geopolitical events have raised the stakes for defenders to protect critical infrastructure and sensitive data. Government leaders are pointing to threat intelligence sharing and best practices as key components that have helped strengthen cybersecurity and mitigate the impact of cyberwarfare.  

Recent surveys corroborate the value organizations place on threat intelligence, but also reveal challenges in making threat intelligence actionable. Based on discussions with 1,350 business and IT leaders, Mandiant’s Global Perspectives on Threat Intelligence report (PDF) finds that while nearly all (96%) respondents are satisfied with the quality of their threat intelligence, 47% struggle to apply threat intel throughout the security organization and 70% say they make decisions without adversary insights at least a majority of the time.

Automation can help make threat intelligence actionable. But making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization, so that you are automating and taking action on the right data at the right time. To understand this better, let’s dig deeper into what respondents to the CRA study cite as their top use case for threat intelligence: vulnerability management.

The number of Common Vulnerabilities and Exposures (CVEs) climbed to 25,227 in 2022. However, at any given time only a small fraction of existing vulnerabilities is actively exploited or exploitable. And for any given organization, only a fraction of those vulnerabilities is utilized by threat actors and campaigns that may target that organization. So, how do you know what to focus on for your organization?

Imagine a Venn diagram where vulnerability management is one circle and intelligence from both internal and external sources for context is a second circle. The area of overlap is your area of risk and where you can prioritize vulnerabilities based on that context. It logically follows that you can also use context to prioritize mitigation, so you can optimize vulnerability management workflows and achieve the best outcomes for your organization.

In this case, context comes from information about the number of assets that are vulnerable, their criticality to the organization, if they are protected, if the vulnerability is being actively exploited, if threat actors are targeting your specific industry or region, and if indicators of compromise (IoCs) have been seen in your environment. These elements help you understand the likelihood of the vulnerability being exploited in your environment. External data on CVEs, indicators, adversaries and their methods, helps you understand the consequences of a vulnerability. When you aggregate and correlate internal context with external threat intelligence, you can prioritize vulnerabilities automatically based on parameters you set so the organization can take the right actions at the right time.


For example, you might determine that a vulnerability needs to be addressed immediately because there are sightings of IoCs in your environment and the vulnerability is known to be actively exploited by threat actors targeting your specific industry or region. Or you may find that the vulnerability is not relevant to your industry and therefore less of a priority, but you still may decide to patch based on your risk profile. Or you may find the vulnerability is not being actively exploited so it doesn’t make sense to patch it now or initiate compensating controls, although you may continue to watch it.
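One way to encode the prioritization logic of the two paragraphs above (internal context joined with external intel, then a tier decided by parameters you set) is the small rules function below. It is an added example, not the author's or ThreatQuotient's code; the CVE ids and field values are constructed, and it extends the page's three outcomes with one assumption: an existing compensating control downgrades an otherwise immediate fix to the normal patch cycle.

```python
from dataclasses import dataclass
IMMEDIATE, SCHEDULED, WATCH = "immediate", "scheduled", "watch"

@dataclass
class VulnContext:
    """One CVE joined with internal context and external intel (constructed)."""
    cve_id: str
    vulnerable_assets: int      # internal: assets exposing this CVE
    critical_assets: int        # internal: how many of those are business-critical
    compensating_control: bool  # internal: an IPS/WAF rule or similar already blocks it
    actively_exploited: bool    # external: exploitation observed in the wild
    targets_our_sector: bool    # external: campaigns hit our industry or region
    ioc_sighted: bool           # internal telemetry matched an IoC tied to this CVE

def prioritize(v: VulnContext, low_risk_appetite: bool = False):
    """Return (tier, reasons) so the decision is explainable, not just a score."""
    if v.vulnerable_assets == 0:
        return WATCH, ["no exposed assets; re-check when inventory changes"]
    if v.actively_exploited and v.ioc_sighted:
        return IMMEDIATE, ["IoC sighted in our environment", "exploited in the wild"]
    if v.actively_exploited:
        reasons = ["exploited in the wild"]
        if v.targets_our_sector:
            reasons.append("campaigns target our industry/region")
        if v.critical_assets:
            reasons.append(f"{v.critical_assets} critical asset(s) exposed")
        if v.compensating_control:
            reasons.append("compensating control in place: patch on normal cycle")
            return SCHEDULED, reasons
        if v.targets_our_sector or v.critical_assets:
            return IMMEDIATE, reasons
        reasons.append("not sector-relevant: patch per risk profile")
        return SCHEDULED, reasons
    if low_risk_appetite:  # not known exploited: defer unless risk appetite is low
        return SCHEDULED, ["no active exploitation known", "low risk appetite: patch anyway"]
    return WATCH, ["no active exploitation known; keep watching intel feeds"]

# Constructed sample records (placeholder CVE ids, not real findings).
SAMPLE = [
    VulnContext("CVE-0000-0001", 40, 3, False, True, True, True),
    VulnContext("CVE-0000-0002", 12, 0, False, True, False, False),
    VulnContext("CVE-0000-0003", 7, 2, True, True, True, False),
    VulnContext("CVE-0000-0004", 25, 5, False, False, False, False),
]

def triage(records, low_risk_appetite=False):
    # Map each CVE id to its tier, ordered immediate -> scheduled -> watch.
    order = {IMMEDIATE: 0, SCHEDULED: 1, WATCH: 2}
    tiers = {r.cve_id: prioritize(r, low_risk_appetite)[0] for r in records}
    return dict(sorted(tiers.items(), key=lambda kv: order[kv[1]]))
```

Running `triage(SAMPLE)` yields the ordered work list; the reasons returned by `prioritize` are what an analyst would attach to a ticket so the automated decision can be audited.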

In the absence of context, you could be patching vulnerabilities that are not being actively exploited or are low in priority or, even worse, patching something that negatively impacts operations. Threat intelligence can only be actionable with context and automation, and used in combination they enable you to apply threat intelligence to achieve the best outcome for your organization: in this case, a shrinking list of vulnerable assets and a stronger security posture, faster.


Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
