Management & Strategy

Threat Intelligence is Not Intellectual Property

That the breadth and depth of threat intelligence is a primary differentiating factor for security vendors is a widely held assumption in the security industry, and one we collectively need to disprove and change our perspective on.

When vendors and individuals attempt to keep threat intelligence private, they limit the ability of the entire group to identify and mitigate new threats as they are developed and launched against organizations. The days when IPS signatures and host-based anti-malware products were enough to secure your network are long gone. Sophisticated adversaries are constantly deploying new methods of evading detection. Whether this is in the form of new exploits, rapidly changing malware, or new attack vectors, it is clear that successful data breaches continue to escalate.

The velocity of attacks, both in volume and method, also continues to increase, meaning the quicker your security solutions gain access to relevant intelligence, the safer you become. Specifically, your solutions must be able to turn indicator sets on campaigns and adversary groups into new prevention mechanisms that stop attacks. This is an important distinction: malware is so easily changed that simply adding new signatures that look for a specific file is not nearly enough. In contrast, Indicators of Compromise (IOCs), such as the IP address of an attacker’s command-and-control communication infrastructure, are common across entire campaigns or attack groups. Attackers can rotate infrastructure too, but doing so costs them far more than recompiling a binary, which is why a shared network indicator blocks more of a campaign than a hash ever will.
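The following Python snippet is an added example, not code from the article or from any vendor it names, that makes the distinction concrete. It constructs two hypothetical builds of the same malware family (plain byte strings, with the C2 address 203.0.113.7 taken from a documentation range), shows that a file-hash signature written for the first build misses the second after a trivial repack, and then applies the campaign-level C2 indicator both to the samples and to a few constructed proxy log lines. Every sample, log line, and address is made up for illustration.

```python
import hashlib
import re
from typing import List, Optional, Set, Tuple

# Constructed, hypothetical data for this example. 203.0.113.7 is from the
# TEST-NET-3 documentation range, not a real C2 server.
C2_HOST = "203.0.113.7"

# Two builds of the same (fake) malware family: same C2 address, different bytes.
SAMPLE_A = b"MZ|PAYLOAD-BUILD-A|c2=" + C2_HOST.encode() + b":443|"


def repack(sample: bytes, build_tag: bytes) -> bytes:
    """Simulate a trivial rebuild: change a filler region only, leaving the
    embedded C2 address untouched. That is enough to defeat a hash signature."""
    return sample.replace(b"BUILD-A", b"BUILD-" + build_tag)


SAMPLE_B = repack(SAMPLE_A, b"B")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash signature identifies one exact file. A network IOC identifies the
# campaign's infrastructure, which is shared across builds.
HASH_SIGNATURES: Set[str] = {sha256_hex(SAMPLE_A)}
NETWORK_IOCS: Set[str] = {C2_HOST}

_C2_PATTERN = re.compile(rb"c2=([0-9]{1,3}(?:\.[0-9]{1,3}){3}):([0-9]+)")


def extract_c2(sample: bytes) -> Optional[str]:
    """Pull the C2 host out of a sample. Here it is a plain-text field; in
    practice this would come from sandbox output or config decoding."""
    m = _C2_PATTERN.search(sample)
    return m.group(1).decode() if m else None


def matches_hash_signature(sample: bytes) -> bool:
    """File-level signature: true only for the exact bytes that were signed."""
    return sha256_hex(sample) in HASH_SIGNATURES


def matches_network_ioc(sample: bytes) -> bool:
    """Campaign-level indicator: true for any build that uses the known C2."""
    host = extract_c2(sample)
    return host is not None and host in NETWORK_IOCS


# Constructed proxy log lines: timestamp, client, destination host:port, action.
PROXY_LOG: List[str] = [
    "2024-01-01T10:01:02Z 10.0.0.5 203.0.113.7:443 ALLOW",
    "2024-01-01T10:01:09Z 10.0.0.9 198.51.100.20:443 ALLOW",
    "2024-01-01T10:02:15Z 10.0.0.12 203.0.113.7:8443 ALLOW",
]


def flag_c2_traffic(log_lines: List[str], iocs: Set[str]) -> List[Tuple[str, str]]:
    """Turn a shared C2 indicator into a detection: every client that talks to
    a known C2 host is flagged, whichever build infected it."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        _ts, client, dest, _action = line.split()
        host, _sep, _port = dest.rpartition(":")
        if host in iocs:
            hits.append((client, dest))
    return hits


if __name__ == "__main__":
    for name, s in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(f"build {name}: hash signature={matches_hash_signature(s)} "
              f"network IOC={matches_network_ioc(s)}")
    print("C2 traffic:", flag_c2_traffic(PROXY_LOG, NETWORK_IOCS))
```

Build A matches both the hash signature and the network IOC; build B, which differs by a handful of filler bytes, matches only the network IOC, and the proxy check flags both infected clients without ever having seen either file. That is the property a shared indicator has and a per-file signature lacks.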

Threat Information Sharing

When looking at the common language of threat intelligence, security vendors often fall into the “big numbers” trap, where they tout how they have “billions” or even “trillions” of events. That is often the easy way out, and doesn’t actually provide insight into how relevant or valuable these events are. They certainly sound impressive when projected on a big screen during a conference, but many are likely commodity indicators for the common attacks everyone already knows about. While breadth of intelligence is important, even the largest sensor network in the world is limited by its very nature. It only has insight into the events it can directly observe, from members of its own collective.

To illustrate this point, let’s play the math out:

• Suppose medium-sized security vendors have 30,000 customers each. Let’s assume for the sake of simplicity that there are twenty of these in the world. This means these twenty vendors could collectively be receiving intelligence from 600,000 customers on the threats they are observing.

• Large security vendors have 100,000 customers each, and let us assume there are five of them. In total, these large vendors could be receiving data from 500,000 customers.

In this scenario, there are 1.1 million potential customers who could be contributing intelligence to help protect other organizations, yet the largest single vendor sees telemetry from only 100,000 of them, roughly 9 percent of the total. In the real world there are of course far more organizations providing security solutions, so the total pool is larger still and each vendor’s share of it smaller.

As a security leader, what if your vendor told you they could only stop 10% of all possible attacks? Would you be satisfied with that response? This is essentially what the industry’s response has been up until this point. Now consider the value security vendors could provide to the security community if they shared threat intelligence in a free and open manner. The attackers do not care which product you have protecting your network, and your security posture should not be limited by this. This is not to say every vendor will be equal in terms of innovation and ways to implement this common intelligence to prevent attacks, but we should judge them on those metrics, versus the size of their database.

Changing this belief requires pressure from customers. The next time you are talking with your vendor of choice, ask them the following questions:

• Are they sharing threat intelligence with their peers?

• Can they create new protections from shared intelligence?

• Are they members of industry-level threat intelligence sharing groups?

• How are they working with government entities to share data between public and private?

There are some organizations attempting to pioneer this new way forward, including the Cyber Threat Alliance, founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec, and, at an industry peer level, the ISACs. In addition to pushing vendors to change, consider how you can join these types of organizations and share intelligence with your peers.
