Posted: 3 Min ReadExpert Perspectives

How to Choose the Right Threat Intelligence Sources for Your TIP

What you get out of your threat intelligence platform depends on what you put into it

If your organization wants to get the best results from a threat intelligence platform (TIP), make sure you consider the effectiveness of your threat data sources. Many organizations that implement a TIP often have difficulty determining which intelligence sources they should use and end up not deriving full benefit from the technology.

TIPs are a fundamental component of threat intelligence programs at many enterprises. A TIP collects and manages threat data from multiple external sources. It helps you correlate the external data with internal telemetry, so you can identify and prioritize responses to the threats that are most relevant to your organization. A threat intelligence platform can reduce enterprise risk by quickly helping answer questions such as:

  • Which alerts should I prioritize?
  • Is this an artifact of a targeted attack?
  • Who's attacking me?

Like any data analytics tool, a lot of what you get out of a TIP depends on what you put into it. You can have an excellent threat intelligence platform and really great human analysts and still struggle to get actionable operational intelligence because your data sources are inappropriate, inadequate or of poor quality. In today's hyperactive threat environment, the last thing you want is to have your analysts going down rabbit holes looking for non-existent, irrelevant or old threats. Poorly sourced threat data increases risk for your company.

How do you make sure that the quality of the data input into your TIP is reasonable? It turns out that a lot of people don't have a good idea, so here's a quick rundown of the attributes you can easily look into when selecting data sources:

Data Quality & Provenance

The first thing you want to make sure is that your threat data is accurate. After you put a new source into production, you’ll be able to collect hard metrics like actual detections and false positives.  But there are some simple things you can look at upfront. 

  • Know where your threat intelligence is coming from and how it is being generated. Some sources collect data based on input from other sources –such as a community submission—without vetting for accuracy. How many of the indicators you receive are likely to be valid and how many might be duds?
  • Look into the specifics around how a particular source is actually detecting and validating threats.  Knowing the provenance of the data may allow you to look up detection quality metrics related to the underlying detection engines; for example, published testing results for that engine.
  • There's also the issue of the reliability of your threat data. Sometimes, a source can remain silent for days or weeks, or fall off the grid entirely. How sure are you that a new source is going to deliver high-quality data on a consistent basis?

Some of these attributes are hard to measure when you are initially selecting a threat intelligence source, but even proxy data can offer valuable insight into the expected quality of the data feeding your TIP. 

Breadth

There are all kinds of threats being launched out in the wild. If you don't have a source that can see these threats on a global scale, all you're going to be seeing is a slice of the malicious activity. That can be a problem when threats come out of left field.  In selecting a threat intelligence source, consider the breadth of the malicious behavior into which you will have insight.

Age

Don't get tripped up by old threat data. The goal in using a TIP is to ensure that you remain on top of the latest threats. Assess the freshness of your source's data. Look at how long individual threat indicators appear in the feed and the rate of change of indicators in the feed. If the data is old by the time it gets to you, the indicators may no longer be associated with malicious activity, and all you would have done is waste time looking into associated alerts.

Uniqueness

To be of value, threat data needs to be unique. Before adding a source, you want to make sure you are bringing in new insights. Compare how much overlap there is between what you already have, and how much of the data is unique in the dataset you are considering. That will tell you whether it is worth adding a new source.

A TIP can be a valuable asset that helps reduce risk so long as you pay attention to your threat intelligence sources. If you put garbage in, don't expect the output to be anything different.

You might also enjoy
Expert Perspectives3 Min Read

How to Lighten Your SOC’s Growing Work Burden

The number of security alerts SOCs must investigate and remediate has never been higher. But the integration of threat intelligence with SOAR solutions promises to be a boon for defenders.

About the Author

Al Cooley

Director, DeepSight Intelligence Product Management, Symantec

Al Cooley leads product management for DeepSight Intelligence. Prior to Symantec, he worked in product leadership roles at Guardium, IBM and Industrial Defender.