How To Select A Threat Intel Service
"What are the best, most important threat intelligence feeds that I should integrate into my security operations?"
What Feeds Me, Destroys Me
Seriously, every time I get this question a little part of me dies. My left eye begins to twitch. A wave of heat rises up from my belly, and I feel it in my cheeks. I desperately try to harness an inner Zen, but all I can muster is an awkward smile as I try to suppress the very compelling urge to bring great violence upon the person asking me this question about threat intelligence feeds.
You might as well have asked me, "What is the best, most important wine that I should integrate into tonight's dinner?" Do I look like some sort of Threat Intelligence Feed Sommelier? "Yes, these vintage IP addresses came from a honeypot in Napa, very popular with the US automotive sector right now. Perhaps I could interest you in these hashes; they were curated last season by a Bay Area decacorn. They gave me a SOC tour which boasts a most impressive pew-pew map; a must see."
I know why you are asking me this question. I want to be sympathetic and helpful (and at the same time claw out my eyes), but if I have little insight into the winemaker's process, no idea what your food or drink preferences are, and no idea what you are eating for dinner, my recommendation is of no value.
Here's why:
And please spare me the threat intelligence vs. threat data or threat information shtick, I get it: that's not this blog post.
Ass-U-ME
First: look at your question from my perspective. I am an analyst; a natural people pleaser. Perhaps it is some sort of genetic predisposition, or an inconvenient virtue of mine, such as "honesty", that stands in the way of me just blurting out the first threat intelligence vendor or free open source feed that comes to mind. Why is this person trying to corner me into something I do not have the tools to effectively answer? This must be a nerdy version of Punk'd, right?
I get it, your question may be an innocent one. You may say I am overthinking it. Maybe so. But consider that your question may not be the correct question to be asking in the first place. In fact, the biggest problem I have is that your threat intelligence feed question is rooted in assumptions, which are usually a bad thing to ignore.
- It assumes you and I subjectively evaluate things in the same way.
- It assumes I have some sort of sense of your security OR intel requirements.
- It assumes I have some sort of insight into your organizational security operations (processes) and security stack (technologies).
- It assumes I can comparatively evaluate feed A apples and feed B oranges (and various other feed fruits and vegetables) in a given timeframe irrespective of your particular use cases.
Finding Yourself
The first step in identifying the "best, most important threat intelligence feeds that I should integrate into my security operations" is to understand the various characteristics of your own security operations. Consider that an outsider with little understanding of your security operations will likely not be in a position to offer you very much without this insight. I would take these outside recommendations with a grain of salt.
You need to do a little soul searching to answer this question.
Note: This isn't the type of soul searching you find in a mushroom-tea-induced Arizona sweat lodge. Threat intelligence feeds are unlike any other security investment area. You need to be able to determine which is the right fit for you, your resources, environment and individual use cases. Mileage varies here, and is largely dependent on the driver, so be prepared to fall back on your organization's processes for evaluating any other technology.
What we are driving towards is the identification of organizational requirements and priorities. This is an orientation exercise. There is industry thought leadership (here, here, and here) around defining and navigating Intelligence Requirements, so there is no need for me to rehash it. Simply read and follow those recommendations. This is your first and most important step.
I know, I know, this is going to require you to unplug and physically look other people in the eye, verbally communicate, collaborate and discuss with one another. Fear not, it's ok to do the unsexy things (like whiteboarding and planning) before you charge the hill and do some sweet ninja style "cyber'ing".
Clearing Your "Nerd Chakras"
So you have done it: you have come down from a dry-erase-induced psychedelic trip, emerging from your conference-room-shaped ashram relaxed and aware. You and your team have well-defined organizational needs and intelligence requirements, based on the risks that apply to you.
Congratulations – you now have the guideposts which will help you navigate the endless sea of "feed" options and answer this burning question that plagues so many.
Hunter Chakra: Rolling Your Own
So where do you go now? Before you set your gaze on external feed source evaluation, continue on the path of self exploration and remain focused inward. After a few "oms" you might realize that feeds curated by second parties aren't where you want to start after all.
Perhaps you want to consider creating your own feeds, based on what your own enterprise is telling you. Don't underestimate the value of generating your own gluten-free, certified organic source feeds. Sure, it may be more costly or considered an "advanced move", but at least you know where that "feed" came from and you can trust its quality.
Gatherer Chakra: Hook Me Up
Alternatively, you may decide you aren't into those "hippy-dippy hand-rolled" feeds. You want to lean into this with a scorched earth approach. Throwing caution to the wind you say: I want all of the feeds that appear to meet my requirements X, Y and Z (to start). And you hope order will eventually emerge from the chaos. This is where many organizations can get into trouble, either buying a feed of limited utility or focusing time, talent and treasure on the mythical "free open source feeds".
Premium Feeds: Show 'em The Money
Let's say your CISO lies awake at night worried about Liechtensteinian APTz.
It is here that you can begin to orient your conversations with premium feed providers as to how their particular feed supports your requirements. How frequently is the feed updated? How much context on Liechtensteinian tactics, techniques and procedures is included? How timely is the information, and in what formats is it delivered so that you can act against those crafty Liechtensteinian advances? These are but a few examples of things you will want to identify and evaluate with the provider.
At this point a feed vendor may have piqued your interest; perhaps this provider has unprecedented access into the .li darkwebz. You will want to trust but verify. Begin to integrate the feed in an evaluation status and see where you can operationalize it. Is the feed alerting you to the things you care about in a timely manner, or are there too many false positives? Is it updated monthly or hourly? How well does it perform and integrate with your current security stack? As part of your verification process, you will also want to periodically revisit the value you are getting from this investment (or investments), and adjust accordingly.
Open Source Feeds: The Illusion of Free
Let's turn our attention to the "free" second party feeds for a moment. Might as well point out the elephant in the room while we are here: just because you aren't writing a check against an invoice for a feed does not make it "free". This information is "free" only insofar as you are investing in the talent, processes and instrumentation to readily observe and identify the things that align to your requirements in a scalable and repeatable way. This also applies to your "free" internal "hand-rolled" feeds mentioned before. Be honest with yourself: there is an organizational cost.
With that out of the way we can continue.
The same evaluation process referenced above applies here also: open source feeds which perform favorably against your Intelligence Requirements will clearly illuminate your organizational risks, and thus will survive the cut. Those that do not are likely of no use to you; this is something only you can assess and prioritize.
Over time you will be able to interrogate the datasets to compare and contrast their various characteristics, and determine how well they perform across your security stack, as well as how effective that particular source of information is in helping you identify or mitigate risks from those pesky Liechtensteiners.
Look Ma' I'm Threat Intel'ing
Congratulations, you have taken off the training wheels. You've got your Intelligence Requirements and have selected a handful of your choice data feeds for evaluation. You have the wind in your hair as you pump your threat intelligence feeds into your SIEM with blind abandon. You have arrived at the summit of the mountain, reaching a "Threat Intel" nirvana, right?
Wrong.
Unfortunately you have created a new problem for yourself: you now need a scalable way to capture the sweet nectar that is "metadata", which can generate the cold hard metrics that give you a sense of the return on your investment (ROI) for a particular feed. And if you say you are capturing that in a spreadsheet we are seriously going to throw down.
It is here, armed with tangible metrics – such as how many priority tickets a feed has generated in a given timeframe, or the average number of observations or false positives a feed may have – that you can evaluate the fate of a feed within your organization. Now you can confidently point to helpful things like facts and data which can be used to support your decision to do or not do something, or to invest or not in a certain area. I know. Not as fun as making it up as you go. Fiscal responsibility, organizational prudence and accountability are such a drag on neck-beard improvisation.
This is the mindset that needs to be adopted. This type of framing approach should seriously be considered if "Threat Intelligence" is to have a chance of influencing actual business intelligence and unifying the fragmented security organization.
We have all heard that "there is no easy button" or "no silver bullet solution", yet there are those who seek to base their Security Operations Centers, Incident Response, or Threat Intelligence efforts on doing whatever is "easy". But your enterprise is not easy. It's a chaotic, complex system which is interdependent on various people, processes and technologies. Here's a hint: I'd focus my security program on efficient and effective, not "easy". Otherwise, things will undoubtedly fall through the cracks.
This is the promise of intelligence-driven, process-led platforms: optimization of security investments so that the sum of the parts works together, and it is here that organizations can build or mature their program on a solid foundation.
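The per-feed metrics the post names (observations, priority tickets, false positives, in a timeframe) are easy to compute from triaged match records once you capture them somewhere other than a spreadsheet. The following is an added example, not ThreatConnect's code; the record shape, feed names and the keep/drop thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real telemetry): one record per indicator match a
# feed raised, with the analyst's triage verdict and whether it became a priority
# ticket. Feed names are placeholders.
MATCHES = [
    {"feed": "premium-li", "ts": "2024-03-01T08:00", "verdict": "true_positive", "ticket": True},
    {"feed": "premium-li", "ts": "2024-03-02T09:30", "verdict": "true_positive", "ticket": True},
    {"feed": "premium-li", "ts": "2024-03-05T11:00", "verdict": "false_positive", "ticket": False},
    {"feed": "premium-li", "ts": "2024-03-20T11:00", "verdict": "true_positive", "ticket": True},
    {"feed": "osint-free", "ts": "2024-03-01T10:00", "verdict": "false_positive", "ticket": False},
    {"feed": "osint-free", "ts": "2024-03-01T10:05", "verdict": "false_positive", "ticket": False},
    {"feed": "osint-free", "ts": "2024-03-03T12:00", "verdict": "false_positive", "ticket": True},
    {"feed": "osint-free", "ts": "2024-03-04T12:00", "verdict": "true_positive", "ticket": True},
    {"feed": "osint-free", "ts": "2024-03-08T12:00", "verdict": "unknown", "ticket": False},
]

def scorecard(matches, start, end):
    """Per-feed metrics for matches with start <= ts < end (ISO 8601 strings):
    observations, priority tickets, true/false positives, and a false-positive
    rate over triaged matches only ("unknown" verdicts are not counted)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    per = defaultdict(lambda: {"observations": 0, "tickets": 0,
                               "true_positives": 0, "false_positives": 0})
    for m in matches:
        if not lo <= datetime.fromisoformat(m["ts"]) < hi:
            continue
        s = per[m["feed"]]
        s["observations"] += 1
        s["tickets"] += int(m["ticket"])
        if m["verdict"] in ("true_positive", "false_positive"):
            s[m["verdict"] + "s"] += 1
    for s in per.values():
        triaged = s["true_positives"] + s["false_positives"]
        s["fp_rate"] = round(s["false_positives"] / triaged, 2) if triaged else None
    return dict(per)

def survives_cut(metrics, max_fp_rate=0.5, min_tickets=1):
    """Apply a simple, locally chosen keep/drop rule (assumed thresholds): a feed
    must have produced at least min_tickets priority tickets and keep its
    false-positive rate at or below max_fp_rate. No triaged matches: keep for review."""
    fp = metrics["fp_rate"]
    return metrics["tickets"] >= min_tickets and (fp is None or fp <= max_fp_rate)

if __name__ == "__main__":
    for feed, s in scorecard(MATCHES, "2024-03-01", "2024-03-15").items():
        print(feed, "keep" if survives_cut(s) else "drop", s)
```

The thresholds are the part only your organization can set; the point is that the decision is backed by numbers tied to your own tickets and triage rather than to a vendor's pitch.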
Concluding Thoughts
I apologize if some of this comes across as a bit annoying. Just know it's from a place of love that summons my mildly threatening tone. Which explains why HR, Legal and a few of my colleagues here at ThreatConnect have really been pushing me to look into a progressive form of yoga that allows me to more effectively and efficiently resist the advances of the Dark Side.
While "What are the best, most important threat intelligence feeds that I should integrate within my security operations?" is certainly a valid question, it isn't a question that should be answered from the outside looking in. Nor should these sorts of evaluations be met with cavalier attitudes, but rather framed with the proper organization-specific requirements and evaluated accordingly.
As part of that continual evaluation process it is highly recommended that a centralized platform be used to enable organizations to unite their security teams with their corresponding workflows and processes, to ensure there is alignment and interoperability across their various security technologies; a solution that illuminates the true value of a particular investment area. It is important to highlight that a Threat Intelligence Platform should provide you far more value and extensibility than just threat intelligence feed aggregation. It should provide more value than only making your SIEM more effective, and improve all of your security investments.
I understand how hard and frustrating this profession can be. Despite all of the hours, effort and emotional connection many of us have to the mission, it sometimes seems as if we never win. Be careful not to be tempted by something that appears to be a shortcut, because it will cost you in the long run. You win when you invest the time needed to actually know and understand your organization so you can confidently approach the problem from experience.
Alternatively, if you are ok with making strategic (and sometimes irrevocable) choices surrounding the management of your organizational security program with decision making tools such as fingers in the air, gut feelings, and boozy happy-hour opinions, then that's fine also. But then the only threat intelligence feeds I recommend you evaluate are your Facebook or Twitter.
Source: https://threatconnect.com/blog/choosing-best-threat-intelligence-feeds/