Security Experts:

Connect with us

Hi, what are you looking for?


Security Infrastructure

The Value of Threat Intelligence is Clear, But Are You Capturing It All?

Take Relevance Into Account When Analyzing Threat Data

Take Relevance Into Account When Analyzing Threat Data

Parents are nervous. High school seniors are nervous. It’s that time of year again when college decision letters and emails start to arrive. We all know there’s tremendous value in education, and a college degree is a pre-requisite for many career paths. But which school is the best fit? Will your child get the most value possible from his or her college experience? 

For each student, what defines and drives value from the college experience is different. It may be studying in an environment where they feel comfortable and can thrive; attending a university that offers a major in a field they want to pursue; having an opportunity to play the sport they love and excel in; or any number and combination of factors. 

Likewise, we all know there is tremendous value in threat intelligence, and various factors come into play to create value. 

The recent SANS 2018 Cyber Threat Intelligence Survey (PDF) finds 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. The millions of threat-focused data points available, the many sources of global threat data we subscribe to, and the internal threat and event data from our layers of defense and SIEMs provide a significant amount of threat intelligence. But are we capturing all the value we can to truly strengthen our defenses and accelerate detection and response?

As I’ve said before, not all threat intelligence is equal. Threat intelligence that is of value to your organization, may not be of value to another. How do you get the most value from your threat intelligence? It comes down to relevance, and that’s determined by your industry/geography, your environment and your skills/capabilities.

Industry/Geography. Threat data focused on attacks and vulnerabilities specific to your industry and geography is much more relevant than generic data that includes threats that target a specific sector and/or region you are not in. External threat feeds such as those from national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry, can prove useful. Complementing the data in your central repository with data from these types of sources can help reduce noise and allow you to focus on threats occurring locally in your sector.

Environment. Depending on your environment or infrastructure, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators allowing you to track suspicious traffic. To get the most value from your threat intelligence, you need tools that aggregate indicators in a central repository and allow you to augment and enrich them with context, so that you can prioritize and focus on those that matter most to you.  

Skills/Capabilities. The amount of skilled cybersecurity personnel you have in place also drives relevance. Larger organizations with more manpower have the resources to chase down threat data with two or even three degrees of separation (i.e., downstream IP addresses, domain registrants, etc). Whereas, organizations without those vast resources must be more selective, investigating only threat data that is active, targeting their industry or associated to known adversary sets. This is where automation and managed security services providers (MSSPs) can help to augment your existing staff and expertise. Automation can help aggregate millions of threat-focused data points into a central repository and translate it into a uniform format. It can also help overlay context by correlating external and internal threat data. You can apply automation to help filter out some of the noise, for example automatically prioritizing data based on parameters you set. MSSPs provide a menu of options – from serving as your entire team, to managing a specific aspect of your threat intelligence program, to providing high value and customized services like threat hunting or incident response.  

Every parent wants their child to get the most from their education and a lot of factors contribute to that outcome. Likewise, many factors contribute to the value that can be derived from threat intelligence. As you create your threat intelligence program, make sure you take relevance into account when analyzing threat data and you’ll be well on your way to capturing the full value of threat intelligence.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Threat Intelligence

Enhancing cybersecurity and compliance programs with actionable intelligence that adds insight can easily justify the investment and growth of threat intelligence programs.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...