Adding threat intel to your security stack

This month we are addressing another of the new categories that we've added this year. There is a strong trend toward adding threat intelligence to the arsenal of the security professional. In fact, a recent survey by The Ponemon Institute found that 77 percent of all companies surveyed believed that threat intelligence is essential to a strong security posture and 77 percent found it valuable to their mission. Those numbers make a pretty strong statement. So strong, in fact, that we were left wondering why more organizations aren't actually using threat intelligence tools.

Ponemon, not surprisingly, had an answer for that as well. It turns out that 70 percent of respondents believe that threat intelligence is too voluminous and complex to yield actionable intelligence. Fifty-two percent of respondents believe that to make any use of threat intelligence they would need to hire a qualified threat analyst. That is a significant obstacle and it has certainly slowed the growth of the marketplace somewhat.

That brings us to this month's Group Test. There is a flip side to the customer concerns and that is that there is a dearth of qualified vendors with capable products from which to select. We have a small group this month, but we believe that they represent some of the best in the game. That brings us to the things that you should look for when you start looking for an intelligence tool. Again, we'll defer to Ponemon for some ideas.

Whatever tool you select, it should be capable of integrating with your security stack. That means that integration with a SIEM, for example, is desirable. It should be able to both create and consume indicators of compromise (IOCs). An increasingly popular way to do this is by using STIX and TAXII.
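As an added example (not part of the SC Media article or of any product in this Group Test), the script below shows the consuming side of that integration in Python: it loads a STIX 2.1 indicator bundle of the kind a TAXII server would deliver, discards indicators that are revoked, expired or not yet valid, and matches the remaining IOCs against SIEM-style log lines. The bundle, the SHA-256 value, the log lines and the reference time are all constructed sample data; only single-comparison STIX patterns are handled, and the TAXII transport itself is not shown.

```python
"""Consume a STIX 2.1 indicator bundle and match its IOCs against log lines.

Constructed sample data throughout; not a real feed or a real incident.
Only simple single-comparison STIX patterns are handled (no AND/OR or
observation operators); anything more complex is skipped.
"""
import json
import re
from datetime import datetime, timezone

# Hypothetical hash value used as sample data (not a real file hash).
SAMPLE_SHA256 = "0" * 63 + "1"

# Constructed STIX 2.1 bundle, as a TAXII collection would return it.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "created": "2016-07-01T00:00:00.000Z", "modified": "2016-07-01T00:00:00.000Z",
            "name": "Sample C2 address", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.23']",
            "valid_from": "2016-07-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "created": "2016-06-01T00:00:00.000Z", "modified": "2016-06-01T00:00:00.000Z",
            "name": "Sample domain, already expired", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'update.example.invalid']",
            "valid_from": "2016-06-01T00:00:00Z",
            "valid_until": "2016-07-10T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "created": "2016-07-05T00:00:00.000Z", "modified": "2016-07-05T00:00:00.000Z",
            "name": "Sample file hash", "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + SAMPLE_SHA256 + "']",
            "valid_from": "2016-07-05T00:00:00Z",
        },
    ],
})

# Constructed SIEM-style log lines. Line 2 carries a near-miss address and
# line 3 carries the expired domain; neither should produce a hit.
SAMPLE_LOGS = [
    "2016-07-15T10:02:11Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2016-07-15T10:02:12Z fw01 action=allow src=10.0.0.6 dst=198.51.100.234 dport=443",
    "2016-07-15T10:03:01Z dns01 query=update.example.invalid client=10.0.0.7",
    "2016-07-15T10:04:40Z edr01 event=file_create sha256=" + SAMPLE_SHA256,
]

# Fixed reference time so the example is deterministic.
NOW = datetime(2016, 7, 15, tzinfo=timezone.utc)

# Matches exactly one "[type:property = 'value']" comparison.
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([^=\s]+)\s*=\s*'([^']*)'\]$")


def _parse_ts(value):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json, now):
    """Return the indicators worth loading into a SIEM: not revoked, currently
    valid, and expressed as a simple pattern this script can evaluate."""
    usable = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if "valid_from" in obj and _parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue  # stale IOCs only add noise; drop them
        match = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            continue  # compound pattern, not supported here
        obj_type, prop, value = match.groups()
        usable.append({"id": obj["id"], "type": obj_type, "property": prop, "value": value})
    return usable


def match_logs(indicators, log_lines):
    """Return (1-based line number, indicator id) for every log line that
    contains an IOC value as a whole token, so 198.51.100.23 does not match
    198.51.100.234."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ind in indicators:
            token = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", re.IGNORECASE)
            if token.search(line):
                hits.append((lineno, ind["id"]))
    return hits


if __name__ == "__main__":
    active = load_indicators(STIX_BUNDLE, NOW)
    print(f"{len(active)} active indicator(s) loaded")
    for lineno, ind_id in match_logs(active, SAMPLE_LOGS):
        print(f"line {lineno}: matched {ind_id}")
```

The validity check is the part most often skipped in home-grown integrations: a feed that keeps delivering indicators past their `valid_until` date is exactly the "voluminous and complex" noise the survey respondents complain about, and filtering on it before the IOCs reach the SIEM is cheap.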

Additionally, the tool you select should help your threat analysts research threats more quickly. Your tool should not be restricted to open source (free) threat feeds; you should be able to consume both free and commercial feeds. The average number of threat feeds in use by the respondents to the study was around 10, so it is clear that more is better, but only to a point.

All of that said, over half the respondents to the study either have deployed or are planning to deploy threat intelligence tools within the coming 12 months. So it would appear that while this marketplace is in its infancy it is growing rapidly. These tools require next-generation capabilities, such as machine learning, the ability to handle big data and a strong integration capability. The tools we looked at this month are pretty solid in those regards but remember, this is an emerging product area with new technologies being tested on an ongoing basis. Don't let that slow you down, though. The adversary is slippery and without these tools they will lead you on a merry chase.

We want to thank Dr. Larry Ponemon and the Ponemon Institute for a great piece of research. You can contact the institute for more information. This research report is from July of 2016.
