
Using History to Overcome the Challenge of Threat Intelligence Data Overload

Applying Unfiltered Threat Intelligence to Defenses Generates Significant False Positives

Spanish philosopher George Santayana said, “Those who do not remember the past are condemned to repeat it.” If you’re reading this article, then it’s likely you remember the early days of network security, when network teams relied on firewalls to handle emerging security requirements and the focus was on basic blocking and tackling. We soon started to experience the overwhelming management challenge of navigating logs with too much data to sort through to find real threats, but we did our best to keep up.

As threats continued to evolve, we added more layers of security like intrusion detection and prevention and antivirus. With additional point solutions, fragmentation proliferated and the data and noise level magnified – along with false positives that plagued the industry. Over the next few years the market continued to mature and security became a discipline in its own right. Companies formed teams of security experts and new technologies emerged to provide context, automate certain aspects and prioritize action within the environment. More recently, we’ve started to see a movement towards integration and consolidation to reduce complexity and facilitate automation. But since these efforts are mostly vendor-centric, they often come at the expense of easily incorporating truly best-of-breed point solutions into your security infrastructure.

History is now repeating itself, with threat intelligence at a similar inflection point – too much data and too many false positives. As organizations home in on threat intelligence as a cornerstone of their security posture, they are creating their own Security Operations Centers, incident response capabilities and threat intelligence teams. These experts are seeking ways to use threat intelligence to understand and act upon the highest priority threats facing their organization. The challenge is that they have multiple data feeds, some from commercial sources, some open source, some from industry groups and some from their existing security vendors – each in a different format. On top of that, each point product within their layers of defense has its own intelligence. Lacking the tools and insights to automatically sift through mountains of data, it all becomes noise. Forging ahead and trying to apply unfiltered threat intelligence to our defenses generates significant false positives.

Harnessing the power embedded in disparate sources of threat data requires aggregating massive volumes of data in a central repository, and translating it into a uniform format for analysis and action. You then need to augment and enrich it with additional internal and external threat and event data. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you gain additional and critical context and relevance so that you can prioritize threats to your organization.

As we have learned from the evolution of network security, integration, context and prioritization are what will allow us to get more from our existing security investments and operationalize security. In the case of threat intelligence, integration done right will allow you to act on threat intelligence efficiently and effectively using your existing security tools and services. This includes, but is not limited to, SIEMs, log repositories, ticketing systems, incident response platforms, and orchestration and automation tools. Integration that is open and extensible, so that it can be truly vendor-agnostic, allows you to quickly unlock the full potential of your curated threat intelligence to address the threats that matter most to your organization.
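The pipeline the two preceding paragraphs describe – aggregate feeds in different formats into one repository, normalize them to a uniform record, enrich each indicator with source corroboration, correlate against internal event data, and hand a prioritized list to downstream tools – can be sketched in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the article, from ThreatQuotient or from any product. The three feed formats, the internal event log and the scoring weights are all constructed sample data and assumptions for the example.

```python
"""Aggregate, normalize, enrich, correlate and prioritize threat indicators.

Added example, not from the article or any vendor: every feed, event and
weight below is constructed sample data.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds, each in a different format (JSON, CSV, plain text).
COMMERCIAL_FEED_JSON = json.dumps([
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 80, "tags": ["c2"]},
    {"type": "domain", "value": "bad.example", "confidence": 60, "tags": ["phishing"]},
])
OPEN_SOURCE_FEED_CSV = """indicator,kind,score
203.0.113.10,ip,70
198.51.100.7,ip,40
evil.example,domain,55
"""
VENDOR_FEED_TEXT = """# one indicator per line, 'ip:' or 'dom:' prefix
ip:203.0.113.10
dom:bad.example
ip:192.0.2.200
"""

# Map each feed's type vocabulary onto one uniform vocabulary.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "dom": "domain", "domain": "domain"}


def normalize_commercial(raw):
    for rec in json.loads(raw):
        yield {"type": TYPE_MAP[rec["type"]], "value": rec["value"].lower(),
               "confidence": rec["confidence"], "source": "commercial",
               "tags": set(rec.get("tags", []))}


def normalize_csv(raw):
    for row in csv.DictReader(io.StringIO(raw)):
        yield {"type": TYPE_MAP[row["kind"]], "value": row["indicator"].lower(),
               "confidence": int(row["score"]), "source": "open-source", "tags": set()}


def normalize_vendor(raw):
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, value = line.split(":", 1)
        # This feed carries no confidence; 50 is an assumed default for the example.
        yield {"type": TYPE_MAP[prefix], "value": value.lower(),
               "confidence": 50, "source": "vendor", "tags": set()}


def aggregate(*streams):
    """Merge normalized records into one repository keyed by (type, value),
    keeping the set of corroborating sources and the highest confidence seen."""
    repo = {}
    for stream in streams:
        for rec in stream:
            key = (rec["type"], rec["value"])
            entry = repo.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                          "sources": set(), "max_confidence": 0, "tags": set()})
            entry["sources"].add(rec["source"])
            entry["max_confidence"] = max(entry["max_confidence"], rec["confidence"])
            entry["tags"] |= rec["tags"]
    return repo


# Constructed internal events (the shape a proxy or firewall export might have).
INTERNAL_EVENTS = [
    {"ts": "2023-03-01T10:00:00Z", "src": "10.0.0.5", "dst": "203.0.113.10", "host": None},
    {"ts": "2023-03-01T10:05:00Z", "src": "10.0.0.8", "dst": "93.184.216.34", "host": "www.example.com"},
    {"ts": "2023-03-01T10:07:00Z", "src": "10.0.0.5", "dst": "203.0.113.10", "host": None},
    {"ts": "2023-03-01T11:00:00Z", "src": "10.0.0.9", "dst": "198.51.100.99", "host": "evil.example"},
]


def correlate(repo, events):
    """Attach internal sightings to indicators; only indicators actually seen
    inside the environment are returned, which is what cuts the noise."""
    sightings = defaultdict(list)
    for ev in events:
        for key in (("ipv4", ev["dst"]), ("domain", (ev["host"] or "").lower())):
            if key in repo:
                sightings[key].append(ev)
    return {k: {**repo[k], "sightings": v} for k, v in sightings.items()}


def prioritize(correlated):
    """Score = confidence, boosted 25% per extra corroborating source, plus 10
    per internal sighting. The weights are an assumption for this example."""
    scored = []
    for entry in correlated.values():
        score = (entry["max_confidence"] * (1 + 0.25 * (len(entry["sources"]) - 1))
                 + 10 * len(entry["sightings"]))
        scored.append({**entry, "priority": round(score, 1)})
    return sorted(scored, key=lambda e: e["priority"], reverse=True)


def run_pipeline():
    repo = aggregate(normalize_commercial(COMMERCIAL_FEED_JSON),
                     normalize_csv(OPEN_SOURCE_FEED_CSV),
                     normalize_vendor(VENDOR_FEED_TEXT))
    return prioritize(correlate(repo, INTERNAL_EVENTS))


if __name__ == "__main__":
    for item in run_pipeline():
        print(item["priority"], item["type"], item["value"],
              sorted(item["sources"]), len(item["sightings"]), sorted(item["tags"]))
```

Of the five distinct indicators the three feeds contribute, only the two that also appear in internal events survive correlation, and the one corroborated by all three sources with repeated sightings lands at the top. The list `run_pipeline()` returns is the kind of record an open integration layer would push to a SIEM watchlist, a ticketing system or an orchestration playbook; the scoring weights here are deliberately simple and are the part a team would tune to its own environment.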

The lessons we’ve learned from network security around the challenges of fragmentation; the importance of context, automation and prioritization; and the caveats around integration can be applied to the evolution of threat intelligence. By seeing the parallels and applying them swiftly, we can get on a faster path toward sharing intelligence, integrating defenses and coordinating response across all resources and the entire security infrastructure. Only then will we have realized the benefits of operationalizing threat intelligence – improving security posture and reducing the window of exposure to breach.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
