Do you have threat intelligence, or just threat information?

In today’s guest post, Mark Norcini, Sales Director at SEI IT Services, provides insight into the difference between threat intelligence and threat information.

"Charlatans!" 

"False economy of information exchange!"

If we were to walk in to a room of elite cybersecurity analysts at ACOD¹ and ask how to buy the best threat intelligence, these snarls would be hurled back at us. 

Ask those same individuals about buying threat information, and there’d be a conversation.  What about calling it threat intelligence elicits such strong feelings? It may seem odd that the difference between the words "information" and "intelligence" would have such a stark contrast in the minds of experts. Is this just semantics?  Is it one of those situations where, when arguing shop together, they dwell in that sliver of idealistic nuance still unresolved for their craft? 

It turns out, no. And here’s why: A quick internet search on "threat intelligence" finds numerous purchasable options to choose from…and at any price point one is willing to pay. Diving deeper into these solutions, we find that they are comprised of miscellaneous streams of data — data that typically consists of IPs, domains, URLs, hash values, or other details that reside lower on the pyramid of pain. What they lack are context, causation, or correlation around the streams, leaving recipient cybersecurity analysts unable to determine if this data has false positives, is relevant to their organization or even pertinent to their organization's industry.  

However, if more time is spent investigating, we can find threat intelligence options that at least have a correlation component. Instead of just raw streams of data, analysts will have access to aggregated streams with attributes to discern correlation. Unfortunately, even these options provide very little context to the analysts of how the data received may be associated with the assets and infrastructure they are protecting (no causation).

Time is the most valuable asset against any threat. Adding streams of data with unknown value or applicability is not a good use of analysts’ time. They need data that helps them to prioritize their efforts of defense; data that give them what they need to strengthen that defense.

The clamoring of those elite cybersecurity analysts has a point. Too many products and solutions claim to be threat intelligence. We are not buying threat intelligence if all that is provided is another stream of data with no context, no conclusions, and no direct paths to strengthening our defenses.

So what would buying threat intelligence look like? A threat intelligence option needs to provide curated data from other analysts with: 

• The context surrounding a threat
• The applicability of the threat to a given organization or industry
• The mechanisms to strengthen the defense against those threats 
• (Where possible) the effectiveness of those mechanisms against said threats  

Purchasing this type of intelligence gives analysts the time and power to target pertinent threats to their organization — and stop them.

¹ACOD – www.artintoscience.com, A conference for defense, organized by defenders.