
Your Threat Intelligence Has a Shelf Life

Smart refrigerators can monitor your food and alert you when it is about to expire. There are apps that do this as well, keeping track of food freshness using a database to predict expiration dates. These are great ways to help make sure you use food before it goes bad, and avoid getting sick by consuming something that’s past its shelf life.  


Your threat intelligence has a shelf life too. But with data overload that comes from multiple data feeds and the hundreds, thousands or potentially millions of indicators they generate every day, many organizations don’t know where to begin to define a threat data lifecycle or expiration strategy. There’s no smart fridge or app. In fact, there’s not even a well-defined, industry standard on how to expire threat intelligence. But there are strategies you can use and continue to refine as your threat operations program matures.

An entry-level strategy

To begin, consider two core attributes of your intelligence – source and indicator type. Tying expiration to source alone is not enough because this assumes that all intelligence from a source is created equally, which simply isn’t true. Combining source and indicator type will provide a more complete view of your intelligence.

By considering source you can ensure you understand where your data is coming from – an important baseline for any strategy. And, since all intelligence has a source, it’s a way to make sure that you are including all the intelligence you’re consuming in your expiration policy, which is essential for success. Source also helps you to take into account the confidence you have in that source and the quantity of intelligence the source distributes, which is important for predictability.

Indicator type is important because it speaks directly to your local environment: the indicator type determines which tools the intelligence is distributed to. This is critical because different tools can consume different volumes of intelligence.

Starting with these two parameters is a great way to get the team on the same page. It is easy to compute, easy to understand, and introduces a multi-dimensional capability allowing teams to weigh and rank source and indicator type.

Refining your expiration strategy

Once your team is comfortable with source and indicator type, you can consider expanding your model to include applying “aging algorithms” to the intelligence. The entry-level strategy uses a linear approach and assumes that intelligence deteriorates at a uniform rate. But we know this isn’t true across the board. Different pieces of intelligence have different lifecycles. Aging algorithms use various methods to account for this.

For example, some types of intelligence deteriorate rapidly over a short period of time and then slow down. This type of intelligence is meant to be operational for hours or days at the most. Open source intelligence typically falls into this group, because even the bad guys monitor it to determine when they have been discovered and their probability of success exponentially decreases. 

Some intelligence should never expire. For instance, although some domains and infrastructure tied to previous malicious activity might not pose an immediate threat, history shows it will always be a threat. Intelligence associated with certain adversaries may also be non-expiring because you know that at some point they will likely re-use that infrastructure.

Still other pieces of intelligence are likely to be relevant for a longer period of time before dramatically decaying. Information provided by commercial feeds, ISAC consortiums, internal intelligence collection or gleaned from other sharing communities will likely fit this paradigm.
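The entry-level source-plus-indicator-type policy and the three aging behaviors described above can be combined in one scoring function. This is an added example, not code from the article or from any product; the profile names, curve shapes, lifetimes, threshold and sample indicators are all assumptions constructed for illustration.

```python
import math
from datetime import datetime, timezone

# Constructed policy: (source, indicator type) -> (aging profile, lifetime in days).
POLICY = {
    ("osint-feed", "ip"): ("fast", 2),
    ("commercial-feed", "ip"): ("plateau", 30),
    ("tracked-adversary", "domain"): ("never", None),
}
DEFAULT = ("linear", 30)  # unlisted sources still get a policy: nothing is exempt

def score(profile, age_days, lifetime_days):
    """Remaining relevance in [0, 1] for an indicator of the given age."""
    if profile == "never":
        return 1.0
    if age_days >= lifetime_days:
        return 0.0
    x = max(age_days, 0.0) / lifetime_days
    if profile == "linear":   # entry-level model: uniform deterioration
        return 1.0 - x
    if profile == "fast":     # drops sharply at first, then slows down
        return math.exp(-5.0 * x)
    if profile == "plateau":  # stays relevant, then decays dramatically
        return 1.0 - x ** 4
    raise ValueError(f"unknown aging profile: {profile}")

def relevance(indicator, now):
    key = (indicator["source"], indicator["type"])
    profile, lifetime = POLICY.get(key, DEFAULT)
    age_days = (now - indicator["first_seen"]).total_seconds() / 86400
    return score(profile, age_days, lifetime)

def expire(indicators, now, threshold=0.1):
    """Split indicators into (keep, expired) values by remaining relevance."""
    keep, expired = [], []
    for ind in indicators:
        (keep if relevance(ind, now) >= threshold else expired).append(ind["value"])
    return keep, expired

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample indicators (documentation addresses and example domains).
SAMPLE = [
    {"value": "192.0.2.10", "type": "ip", "source": "osint-feed", "first_seen": day(2024, 1, 30)},
    {"value": "198.51.100.7", "type": "ip", "source": "commercial-feed", "first_seen": day(2024, 1, 16)},
    {"value": "c2.example.net", "type": "domain", "source": "tracked-adversary", "first_seen": day(2019, 1, 1)},
    {"value": "http://example.org/x", "type": "url", "source": "unlisted-feed", "first_seen": day(2023, 12, 1)},
]
```

Calling `expire(SAMPLE, day(2024, 1, 31))` keeps the commercial-feed IP and the adversary-linked domain, and expires the one-day-old open source IP along with the indicator from the unlisted source.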

Even as you add more sophisticated aging metrics to your approach, to be effective and successful an expiration strategy must be simple, reliable, relatively predictable and easy to adjust. But most importantly, it must be applied to all intelligence so that you can make sure you use it before it goes bad, and that you don’t waste resources and possibly increase risk with threat intelligence that’s past its shelf life.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
