Skip to content ↓ | Skip to navigation ↓

In the past few years, it has become abundantly clear that enterprises leveraging threat intelligence have a distinct advantage in protecting their critical infrastructure. With CSOs and security teams overwhelmed by massive amounts of threat data, organizations are doing everything they can to collect, analyze and evaluate as much data as they can, not just data for threats they currently face.

Threat intelligence can include a variety of things, such as: intrusion detection systems, intrusion prevention systems, managed security services and indicators of compromise.

And companies normally consume threat intelligence from: paid solutions; trusted partners; formal industry corporations; government and law enforcement agencies; and open source, as well as their own analysis and detection processes.

According to IDC’s research, global threat intelligence services spending is expected to increase from $905.5 million (2014) to more than $1.4 billion (2018). Organizations are increasingly integrating threat intelligence feeds into their security architecture, as well as SIEM (Security information and Event Management) system in a standard manner (XML, etc.).

How helpful and realistic are threat intelligence implementations?

A report by The Enterprise Strategy Group (ESG), revealed that several enterprises have implemented a security intelligence program, and 43 percent of surveyed respondents rated their program as ‘very mature’. However, there are a number of shortcomings in these programs, which makes the expectation that deploying threat intelligence alone is the answer to security threats unrealistic.

Some of the shortcomings are as follows:

  1. IT is not integrating threat intelligence programs into enterprise collaboration, communication and other IT workflows. Therefore, they aren’t giving themselves the capability to benefit from knowledge in supply chains and vertical communities, or to access what’s going on at the backend to identify data relevant to their environment and context.
  2. More focus is being placed on consumption and less on sharing. With the bad guys focusing on the latter, organizations need to facilitate sharing of threat intelligence to effectively protect enterprise users and infrastructure. Sharing threat intelligence on all types of risks can help reduce vulnerabilities and keep larger threats at bay.
  3. In most enterprises, threat intelligence programs are hamstrung by manual processes. Security professionals in these firms spend a lot of time collecting, processing and pasting data, as well as transforming it into different formats – there’s not much reliance on tools that automate the rest of the IT landscape.
  4. Organizations are also lacking actionable intent in their programs. IT teams neglect providing additional context of threat indicators that have been brought to attention, whether from another user or an intelligence feed. This scenario means there’s no extension of the information; therefore, companies may miss out on making quicker and alternative decisions. To make threat intelligence actionable, organizations should receive it in real-time and combine it with security awareness.
  5. Lastly, security teams are looking at data feeds with raw, unfiltered information. For intelligence, they need this information to be sorted and evaluated by expert intelligence analysts, so that actionable advice can be generated about an existing or emerging threat. Rich contextual information can be created by human analysis of the past, present and future indicators.

As a result, threat intelligence is somewhat immature right now, with organizations considering potential benefits without recognizing the power of basic principles that make it effective. With this posture, filtering out irrelevant data and gaining accurate, predictive insights on the real threats can be exhaustively time-consuming.

Effective threat intelligence requires analysts to accurately identify real threats specific to the environment their respective organizations are operating in. Relating the threats with the environment will define the threat landscape, after which the analysts can evaluate data feeds and sources (internal and external) to pinpoint which indicators merit attention.

Also, CSOs and IT departments need to modify existing solutions, or deploy new solutions, to gain insight from collected sources and launch subsequent investigations into threat vectors. While internal intelligence management is often viable, a third-party can be brought in to speed up data cleansing and solution validation, so that enterprises can focus on preventing attacks rather than spend time identifying data and indicators relevant to their threat landscape.

Another big point for effective threat intelligence is sharing. Most organizations are doing that on an ad-hoc basis – sharing some intelligence instantly, and not sharing some part of it consistently – which limits their potential to minimize the impact of potential damage. For example, intelligence that is put on the IT manager’s desk and not passed to personnel responsible for time-sensitive network security decisions is not effective.

The goal should be to receive and disseminate information to various agency components. Organizations can take advantage of industry consortia to validate threat findings and leverage automated processes to trigger instant interactions within the enterprise as well as with government and law enforcement agencies.

The more sources that can add insight to a feed, the more it can be made useful. It is also a good idea to embrace concepts, such as Coalition for Open Security, as well as work with threat intelligence sharing portals/startups to streamline the administration process. And while doing all this, industry standards like Cyber Observable Expression and Trusted Automated Exchange of Indicator Information should be kept under consideration.

What could be a good threat intelligence implementation?

To break the silos and make threat intelligence run smooth throughout the organization, IT needs to adopt a robust approach towards collecting, analyzing, and acting on intelligence as well as translating it into common language for sharing. While models can vary, the following components are commonly applicable in deployments to develop intelligence capabilities.

1. Setting up the intelligence procedures

This will be the foundation of whatever your goal is with threat intelligence. The complex nature of threats require organizations to have procedures in place prior to incidents in order to guide operations during periods of stress.

Consolidated, open-source and premium feeds should be measured against your company’s goal to evaluate their ROI. Mature organizations will also filter data to extract relevant indicators and then cross-reference them across multiple systems.

2. Building threat profiles via analytical frameworks

What is the modus operandi of the adversary? Depending on your organization’s industry and security structure, you will develop frameworks which can be used to spot malicious patterns and consider viewpoints of adversaries. A threat profile could then be generated in the following manner:

  • Actor: What do you know about the individuals that can conduct attacks on your organization? The answer to this question will drive subsequent analysis.
  • Victim: What is it about your enterprise that makes it a potential target for data breaches and hacking attacks? Are you more likely to be attacked than your enterprise counterparts?
  • Data importance: What is the perceived risk of data assets you want to protect? How are they being protected currently?
  • Location and time: Where are data assets stored? How are you protecting them? Are they stored only in virtual form or also in physical form? Are these assets more vulnerable at certain times (such as on the weekends)?

This profile will drive process efficiency and enable IT to direct intelligence feeds towards multiple departments in real time.

3. Choosing the right technology

Now that the threat profile has been identified to best suit your organization’s need, you can move over to selecting the right technology to leverage threat intelligence across your data and network environments.

There should be variety of solutions available, some with their own services, feeds and databases built in. The final choice should integrate with your security infrastructure and SIEM system, whether the focus is on protecting cloud, big data, or mobility systems.

4. Integrating the use of intelligence into your core processes

A good implementation requires intelligence to inform core business decisions without any interference. However, enterprises don’t follow this approach, which means they may not have a bird’s eye-view on threats that could impact critical business decisions.

What they need to do instead is align the intelligence technology with formal decision making to facilitate dynamic resources decisions. Senior and law-enforcement oversight is also important for larger transformational business cases.

5. Automating threat intelligence sharing

Threat sharing won’t be effective without technology that automates the process. With several threat intelligence exchanges facilitating automation, enterprises at their own end should focus on developing processes that link with these exchanges to get a more comprehensive view of threats.

However, you should have some rules that standardize the conveyance and expression of threat intelligence sharing. Having these rules will allow automation of sharing processes (without any issues), even when relying on disparate tools.


Implementing threat intelligence effectively demands a large-scale evaluation of your security standing. Since it requires seamless access to data flows across networks and devices, organizations need to break down their reactive walls to create external and internal efficiencies and get the most out of this resource.


Dan VirgillitoAbout the Author: Dan Virgillito is a Security Researcher for the InfoSec Institute specializing in enterprise security.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of