The Value of Context: Using Comprehensive Cyber Threat Intelligence to Increase Security Effectiveness

Industry Perspectives 2020-11-19

To level the playing field between organizations and unknown adversaries with seemingly limitless resources, security leaders need to continually assess every aspect of their security program. People, processes and technologies must be reviewed to ensure each critical component is optimized to combat modern attackers. But what are those decisions based on, and how reliable is that basis?

Cyber threat intelligence (CTI) is an essential capability in an organization's security program. Used properly, CTI enables better-informed security and business decisions, and ultimately allows organizations to take decisive action to protect their users, data and reputation against adversaries. Unfortunately, "threat intelligence" is a broad term used inconsistently throughout the cyber security community.

Information vs. Intelligence

Simplification and misuse of the term "cyber threat intelligence" can make it difficult for security leaders to evaluate the wide range of options available for increasing security effectiveness. At best, an organization receives true intelligence, which facilitates proactive, effective decisions. At worst, they receive information that in its raw state is not actionable:

Cyber Threat Information is…

  • A raw, unfiltered data feed
  • Unevaluated when delivered
  • Aggregated from virtually every source
  • Possibly true, false, misleading, incomplete, relevant or irrelevant
  • Not actionable

Cyber Threat Intelligence is…

  • Processed, sorted information
  • Evaluated and interpreted by trained intelligence analysts
  • Aggregated from reliable sources and cross-correlated for accuracy
  • Accurate, timely, as complete as possible, and assessed for relevancy
  • Actionable

Always on Alert With Threat Information

Threat information is most commonly delivered as data feeds, which fall into two categories:

  • Signature and reputation feeds: Typically providing a stream of malware signatures (file hashes), URL reputation data and intrusion indicators, sometimes supplemented with basic statistics.
  • Threat feeds: Data streams that may provide a basic level of human analysis, including statistical breakdowns of the prevalence, source and targets of malware and other attack activities.

Both types of data feeds have some value; signature and reputation feeds improve the effectiveness of next-generation firewalls (NGFW), intrusion prevention systems (IPS), secure web gateways (SWG), anti-malware and antispam packages, and other blocking technologies. Threat feeds are useful for security operations center (SOC) and incident response teams because they help them identify patterns associated with attacks, rather than simply isolated indicators. The information they provide can also increase a team’s understanding of how to remediate compromised systems.
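The following script is an added example, not code from the original article, showing what separates the "information" column above from the "intelligence" column when a SOC consumes signature and reputation feeds: raw entries from several sources are normalized, cross-correlated so that agreement between independent sources raises confidence, aged out when stale, held back when sources disagree, and checked against local telemetry for relevance before anything is called actionable. Every input is constructed for illustration: the three feed sources and their reliability weights, the 30-day staleness window, the 0.6 confidence threshold, the proxy log lines and EDR sightings, and the indicator values themselves (SHA-256 digests of short made-up strings and reserved .example domains).

```python
"""Cross-correlate raw threat-information feeds into actionable indicators.

Added example, not code from the original article. Source weights, the
staleness window, the threshold, feed entries and log lines are all
constructed/hypothetical values chosen for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

SOURCE_WEIGHT = {"vendor_feed": 0.9, "isac_share": 0.8, "open_paste": 0.3}  # assumed reliability
MAX_AGE_DAYS = 30            # assumed: older sightings are stale unless refreshed
ACTIONABLE_THRESHOLD = 0.6   # assumed: confidence needed before blocking/alerting

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")


def h(s: str) -> str:
    """SHA-256 of a constructed string, so sample hashes are well formed."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed raw feed entries: (source, ioc_type, value, age_days, verdict)
RAW_FEED = [
    ("vendor_feed", "sha256", h("dropper-1"), 2, "malicious"),
    ("isac_share", "sha256", h("dropper-1").upper(), 5, "malicious"),  # same hash, other case
    ("open_paste", "sha256", h("dropper-1"), 1, "malicious"),
    ("open_paste", "sha256", h("random-paste"), 0, "malicious"),      # single low-trust source
    ("vendor_feed", "domain", "beacon.c2.example", 40, "malicious"),  # stale on its own
    ("isac_share", "domain", "beacon.c2.example", 3, "malicious"),    # refreshed by a second source
    ("vendor_feed", "domain", "cdn.updates.example", 1, "malicious"),
    ("isac_share", "domain", "cdn.updates.example", 1, "benign"),     # conflicting verdict
    ("open_paste", "domain", "not a domain!!", 1, "malicious"),       # malformed, dropped
]

# Constructed local telemetry: proxy log lines and per-host EDR hash sightings.
PROXY_LOG = [
    "2020-11-18T09:12:03Z ws-042 GET http://beacon.c2.example/gate.php 200",
    "2020-11-18T09:13:10Z ws-042 GET http://cdn.updates.example/patch.bin 200",
    "2020-11-18T10:01:44Z ws-117 GET http://intranet.example/ 200",
]
EDR_HASHES = {"ws-042": {h("dropper-1")}, "ws-117": {h("clean-installer")}}


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    verdicts: set = field(default_factory=set)
    min_age: int = 10**9
    hosts: set = field(default_factory=set)   # where it was seen locally (relevance)

    def confidence(self) -> float:
        """Noisy-OR over independent sources: agreement raises confidence,
        while one weak source alone cannot reach the threshold."""
        miss = 1.0
        for s in self.sources:
            miss *= 1.0 - SOURCE_WEIGHT.get(s, 0.0)
        return round(1.0 - miss, 3)


def normalize(ioc_type, value):
    """Canonicalize and validate; malformed entries return None."""
    v = value.strip().lower()
    ok = (ioc_type == "sha256" and SHA256_RE.match(v)) or \
         (ioc_type == "domain" and DOMAIN_RE.match(v))
    return v if ok else None


def correlate(feed):
    """Aggregate raw entries per indicator, keeping the freshest sighting."""
    table = {}
    for source, ioc_type, value, age, verdict in feed:
        v = normalize(ioc_type, value)
        if v is None:
            continue
        ind = table.setdefault((ioc_type, v), Indicator(ioc_type, v))
        ind.sources.add(source)
        ind.verdicts.add(verdict)
        ind.min_age = min(ind.min_age, age)
    return table


def enrich_with_telemetry(table, proxy_log, edr_hashes):
    """Relevance: record which indicators were actually seen in this environment."""
    for line in proxy_log:
        m = re.search(r"^\S+ (\S+) \S+ https?://([^/\s]+)", line)
        if m and ("domain", m.group(2).lower()) in table:
            table[("domain", m.group(2).lower())].hosts.add(m.group(1))
    for host, hashes in edr_hashes.items():
        for hv in hashes:
            if ("sha256", hv) in table:
                table[("sha256", hv)].hosts.add(host)


def assess(table):
    """Split indicators into actionable ones and rejected ones with a reason."""
    actionable, rejected = [], {}
    for ind in table.values():
        if ind.verdicts != {"malicious"}:
            rejected[ind.value] = "conflicting verdicts; needs analyst review"
        elif ind.min_age > MAX_AGE_DAYS:
            rejected[ind.value] = "stale"
        elif ind.confidence() < ACTIONABLE_THRESHOLD:
            rejected[ind.value] = f"low confidence {ind.confidence()}"
        else:
            actionable.append(ind)
    return actionable, rejected


def run(feed=RAW_FEED, proxy_log=PROXY_LOG, edr_hashes=EDR_HASHES):
    table = correlate(feed)
    enrich_with_telemetry(table, proxy_log, edr_hashes)
    return assess(table)


if __name__ == "__main__":
    good, bad = run()
    for ind in good:
        print(f"ACTION  {ind.ioc_type}:{ind.value[:24]}  conf={ind.confidence()}  seen_on={sorted(ind.hosts) or '-'}")
    for value, why in bad.items():
        print(f"REJECT  {value[:24]}  {why}")
```

On the constructed input, only the dropper hash and the beacon domain come out as actionable, both with a local sighting on ws-042 that an incident responder can pivot on; the paste-site hash is held back for low confidence, the CDN domain for a source conflict that an analyst must resolve, and the malformed entry never enters the table. The choice of noisy-OR and a hard staleness cutoff is deliberate simplicity; a production pipeline would also carry the analyst's assessment and the reporting source's own confidence, which is the evaluation step the table above attributes to trained intelligence analysts.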