Do You Need Threat Intelligence Feeds?

Jeff Hershberger
Mar 24, 2023

Threat intelligence feeds provide valuable data for improving cybersecurity initiatives. But before you go and start subscribing to any threat feed, you have to ask yourself: Are threat intelligence feeds really suitable for my organization? Can I realistically obtain any value from them?

In this post, we’ll look into some key points that explain why threat intelligence feeds may not be right for your business. 

What’s a threat intelligence feed?

Before we get to the meat of the discussion, let’s first establish what we mean by a threat intelligence (TI) feed. A threat intelligence feed is up-to-date cyber threat data delivered to recipients on a regular basis or as soon as new data is available. The content of the feed will depend on whether the feed is designed for tactical, operational, or strategic purposes. 

Some of the content you’ll find in a TI feed includes:

  • Malware campaigns
  • Cyber attacks
  • Indicators of compromise (IOC)
  • Threat actor tactics, techniques, and procedures (TTPs)
  • Deep and Dark Web data
  • Phishing updates
  • Vulnerability alerts
  • Nation state cyber warfare trends
  • And many others

Now that we’re clear what we mean by a threat intelligence feed, let’s discuss why you might not need it.

More feeds, more noise

There are literally hundreds of threat feeds out there. Threat intelligence feeds can come from a wide range of sources, including:

  • Open-source intelligence (OSINT) websites
  • Commercial cybersecurity firms
  • Government agencies
  • Non-profit Information Sharing and Analysis Centers (ISACs)
  • And even social media networks

Unless you’re an expert in the TI field, many feeds will seem important. Some feeds, e.g., OSINT feeds, are also free. For these reasons, organizations end up subscribing to more feeds than they actually need. In reality, a lot of the data from different feeds overlaps. Some feeds can even be irrelevant to your specific business. While it’s certainly normal to subscribe to multiple feeds, too many feeds can only lead to confusion.

Not only that, some of these feeds—especially OSINT threat feeds—are still ‘pre-curated’ data. In many cases, the data coming from these sources still requires a great deal of processing before you can extract any useful information from it. On the other hand, commercial TI feeds, which are mostly curated, come with a cost: you have to pay a subscription fee.

Requires other security tools to yield value

TI feeds alone don’t make a threat intelligence program. The data you obtain from these feeds are still raw. They need to be processed into actionable information before they can be considered “intelligence”. As you subscribe to more threat intelligence feeds, you’ll eventually find it extremely laborious shifting between different screens or manually aggregating data from multiple feeds.

To address this problem, many organizations purchase a Threat Intelligence Platform (TIP). A TIP collects TI data from various sources and then aggregates the collected data into a centralized location where threat analysts can view them in one screen. A TIP addresses some TI-related issues, but it rarely functions well by itself.

In any threat intelligence initiative, context is crucial. That’s why, in many organizations, the external TI data obtained through a TIP is usually combined with internal log data (generated by your network devices and security tools) obtained through another security tool, a Security Information and Event Management (SIEM) system. Without all these tools, it’s going to be difficult to obtain value from just TI feeds.
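To make the overlap between feeds and the TIP-plus-SIEM workflow described above concrete, the following Python is an added example, not code from this post or from any vendor's product. It merges three feeds, collapses duplicate indicators, and matches the result against internal log lines; the feed names, indicator values (documentation-range IPs and .example domains) and the key=value log format are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds: documentation-range IPs and .example domains only.
FEEDS = {
    "osint_a": ["203.0.113.10", "198.51.100.7", "Bad-Domain.example", "hxxp://evil[.]example/login"],
    "osint_b": ["203.0.113.10", "bad-domain.example.", "192.0.2.55"],
    "commercial_c": ["198.51.100.7", "203.0.113.10", "evil.example"],
}
# Constructed internal log lines in a hypothetical key=value format.
LOGS = [
    "2023-03-24T10:01:02Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2023-03-24T10:01:09Z dns01 QUERY client=10.0.0.8 name=bad-domain.example",
    "2023-03-24T10:02:30Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.200 dport=443",
]
FIELD = re.compile(r"\b(dst|name)=(\S+)")

def normalize(raw):
    """Refang, strip scheme/path/trailing dot, and type the indicator."""
    s = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s).split("/")[0].rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        return "domain", s

def aggregate(feeds):
    """Merge all feeds into {indicator: set of sources that reported it}."""
    merged = defaultdict(set)
    for source, entries in feeds.items():
        for raw in entries:
            merged[normalize(raw)].add(source)
    return dict(merged)

def correlate(logs, merged):
    """Return log lines whose destination IP or queried name is a known indicator."""
    hits = []
    for line in logs:
        for _field, value in FIELD.findall(line):
            key = normalize(value)
            if key in merged:
                hits.append({"indicator": key[1], "sources": sorted(merged[key]), "log": line})
    return hits

if __name__ == "__main__":
    print(sum(map(len, FEEDS.values())), "raw entries ->", len(aggregate(FEEDS)), "unique")
    for hit in correlate(LOGS, aggregate(FEEDS)):
        print(len(hit["sources"]), "feed(s):", hit["indicator"], "|", hit["log"])
```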

Assembling a threat intelligence team can be challenging

Without a TIP or a SIEM, you’ll need a team of threat intelligence analysts to collect, aggregate, enrich, normalize, and analyze your external and internal TI data. Sometimes, you’ll also need TI analysts to prepare and disseminate threat intel reports to all interested departments, communities, and other stakeholders.

Even if you do have the necessary tools, you’ll still need people who can enrich and analyze the intel data as well as process them into actionable information. Furthermore, you’ll need other security staff who can input the generated information into firewalls, intrusion detection/prevention systems, and other security tools so you can leverage your threat intel.

Putting together a threat intelligence team isn’t going to be easy considering the cybersecurity skills gap. Businesses are already finding it hard to assemble a cybersecurity team, let alone a more specialized TI team. The cybersecurity talent shortage also means that even if you do find available TI analysts, you should be prepared to pay a steep price. In the US, for instance, the salary of a threat intelligence analyst can range from $67K to $184K. If you’re running a small business, it may be impractical to assemble a TI team.

Applied Threat Intelligence – A more practical approach to TI

Threat intelligence is important because it helps you streamline various cybersecurity initiatives like threat prevention, threat detection, threat hunting, incident response, and even executive decision-making. However, in its traditional form, TI isn’t practical for small and medium-sized businesses (SMBs).

You can actually omit certain aspects of threat intelligence and still obtain its benefits. For instance, you can do away with threat intelligence feeds as well as the operational, tooling, staffing, and cost-related issues that accompany them. 

A better alternative is to adopt Applied Threat Intelligence (ATI). ATI is an emerging class of security solutions that removes the complexities and challenges of traditional threat intelligence by incorporating various TI processes such as threat data collection, curation, enrichment, analysis, and utilization into a single tool. 

Intrusion’s on-premise, cloud, and endpoint security solutions, for example, all employ some form of ATI. These solutions leverage applied threat intelligence to identify and automatically block malicious inbound and outbound traffic.

The quality of an ATI solution is highly dependent on its collection of threat data. Intrusion’s threat data is derived from a massive database of IP and hostname historical records combined with behavior and reputation intelligence.
