Most people who are looking for a threat intelligence service might have an opinion on what it should or shouldn't do. As our VP of Sales would say, "don't assume just because you're using the same words you mean the same thing". As I got into the habit of clarifying my position on Threat Intelligence, I found a lot of varying use cases that I had never even considered would be top-of-mind for people. Here are the top myths about Threat Intelligence and the reality.
Myth: Size Matters
Not relevant in reality. I had a computer science class where we studied algorithms, learning that the difference between effective and efficient was a big deal. Fast forward to the boardroom and talking about Threat Intelligence, and I start hearing a lot about the size of your feed and how many TB/PB/EB/ZB/BB per day are collected and analyzed. Worthless! Collecting samples that are not novel, only to de-duplicate them again, adds nothing. Who cares how much information you collect - how much of it can we actually use? Feeds integrated into Firewalls/Anti-Malware or used in threat hunts have to be both effective (relevant small data-sets we can search) and efficient (able to be read by AV/FWs). The limitations of the tools and people reading this data mean your gigantic, expensive cloud of honeypot data is not an important metric.
Myth: The Dark Web is in There
Nope. The Dark Web is a channel to sell contraband between people as anonymously as possible. You can't google through the data they are selling to see your artifacts and find out what was compromised beyond a few sample sets.
Myth: You Get What You Pay For
Paid vs. Open Source? Many customers try to even the odds by buying multiple paid feeds as well as collecting from multiple open sources. Much of the time this is just duplicate information, with diminishing returns the more you gather. Ultimately, even if you gathered them all, you only have a finite amount of processing power to use them in log searches (IntelliGO), Firewalls or Anti-Malware EDR (IntelliGO again).
Reality: Bet On The Tortoise Not The Hare
Feeds are slow. They get updates slowly, they de-duplicate slowly, and the searches to find out whether something affects you are slow. Not 1995-modem slow, but slower than an attack being downloaded and replicating right now amongst your workstations.
Reality: They Help To Find Complex Attacks
Last one here. There are lists of IPs, DNS names, file hashes and maybe a few other IOCs that these feeds can give you. They help find a needle in a haystack: your compromised endpoints. This is something your AV or Firewall would miss, because the indicator wasn't classified (or didn't exist yet) at the time of infection, but you can be certain there are bad things lurking behind a workstation communicating with known bad IPs.
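The two points above (feeds overlap and need de-duplicating; the surviving indicators are useful for retro-matching against your own logs to surface hosts talking to known-bad infrastructure) fit in one small script. The following is an added example, not IntelliGO's code: it merges two constructed feeds, reports how much of the volume was actually unique, then matches the unique IP and domain indicators against constructed firewall and DNS log lines. The feed contents, log format (`key=value` fields) and addresses are all made up for the example.

```python
"""Merge two IOC feeds, de-duplicate, and sweep log lines for hits.

Added example; the feeds, log lines and key=value format are constructed.
"""
import re
from collections import defaultdict

# Constructed sample feeds. A paid feed and an open-source feed frequently
# carry the same indicator, sometimes with different casing or whitespace.
FEED_A = [
    ("ip", "198.51.100.23"),
    ("domain", "bad-example.test"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]
FEED_B = [
    ("ip", "198.51.100.23 "),        # duplicate of FEED_A (trailing space)
    ("ip", "203.0.113.77"),
    ("domain", "BAD-EXAMPLE.test"),  # same domain as FEED_A, different case
]


def normalize(kind, value):
    """Canonical form so that duplicates across feeds collapse to one entry."""
    value = value.strip()
    if kind in ("domain", "sha256"):
        value = value.lower()
    return (kind, value)


def merge_feeds(*feeds):
    """Return (unique_indicators, stats) where stats shows raw vs unique counts."""
    merged = set()
    received = 0
    for feed in feeds:
        for kind, value in feed:
            received += 1
            merged.add(normalize(kind, value))
    return merged, {"received": received, "unique": len(merged)}


# Constructed log lines: firewall connections (dst=) and DNS queries (query=).
LOG_LINES = [
    "2024-01-05T10:00:00Z src=10.0.0.14 query=BAD-example.test type=A",
    "2024-01-05T10:00:01Z src=10.0.0.14 dst=198.51.100.23 dport=443 action=allow",
    "2024-01-05T10:00:03Z src=10.0.0.14 dst=93.184.216.34 dport=443 action=allow",
    "2024-01-05T10:01:10Z src=10.0.0.57 dst=203.0.113.77 dport=8080 action=allow",
    "2024-01-05T10:02:45Z src=10.0.0.14 dst=198.51.100.23 dport=443 action=allow",
    "2024-01-05T10:03:00Z src=10.0.0.99 dst=203.0.113.5 dport=80 action=deny",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, indicators):
    """Map each internal host to the sorted list of known-bad indicators it touched."""
    bad_ips = {v for k, v in indicators if k == "ip"}
    bad_domains = {v for k, v in indicators if k == "domain"}
    hits = defaultdict(set)
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        src = fields.get("src")
        if src is None:
            continue
        dst = fields.get("dst")
        if dst in bad_ips:
            hits[src].add(dst)
        query = fields.get("query", "").lower()
        if query in bad_domains:
            hits[src].add(query)
    return {src: sorted(vals) for src, vals in hits.items()}


if __name__ == "__main__":
    indicators, stats = merge_feeds(FEED_A, FEED_B)
    print(f"received {stats['received']} indicators, {stats['unique']} unique")
    for host, matched in match_logs(LOG_LINES, indicators).items():
        print(f"{host} contacted known-bad: {', '.join(matched)}")
```

The ratio in `stats` is the number that matters when comparing feeds: six indicators arrived, four survived normalization. The sweep then reports hosts, not individual log lines, because the investigation unit is the endpoint behind the traffic; a host with a hit against a denied connection is still worth a look, since the attempt itself is the signal.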
So, What Do We Do?
IntelliGO, a Managed Detection and Response (MDR) provider, collects data from all your systems and correlates it with threat intelligence to help you find and respond to threats you may have missed. Use our collection of feeds as part of the service in your Anti-Virus or Firewalls today.