Threat intelligence feeds have gained a lot of popularity over the last few years. Born of IP watch lists provided by a handful of organizations, they have emerged to become a significant part of a mature security intelligence program. Now instead of just IP addresses, most feeds include information on file names and hashes, URLs, users and more. All this can come together to deliver more information to analysts about everything crossing their wires.

Why is this incremental threat intelligence information so important? In a word, context — and the difference between noise and context is security analytics. The acceptance of security information and event management (SIEM) platforms over the past dozen years allows analysts to correlate and manage the security data on their networks, include external data elements and view it all in one place. The Trusted Automated Exchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX) are sets of free specifications that have simplified the process of adding threat intelligence to IBM QRadar.

No Dumping

Security teams can better protect their environments by incorporating information on threats observed in the wild. Threat intelligence helps by identifying things that are out of place. This information can be useful, but not if it’s simply dumped in. There is still noise, and threat feeds will sometimes even increase the amount depending on how they’re used.

The credibility and confidence of the sources is also very important. Free feeds might not have the most accurate information, whereas commercial feeds might seem to tag almost everything as a threat at some point or another.

When refining your use of threat intelligence, you must look at it the same way you look at all other information on your network. Don’t just turn everything on and hope for the best. Identify what you are trying to discover and what areas are most important to your organization. If you look at two separate areas of the network, for example, you’ll need different levels of focus depending on the role of that area.

Learn to combat the latest security attacks with global threat intelligence

Muting the Noise

Even on a good day, your exclusive perimeter network, or demilitarized zone (DMZ), and other public areas produce a lot of noise. You can use information from threat intelligence feeds to help identify potentially bad traffic at the perimeter. But just throwing in all the intelligence data may drown your team in incidents. It’s better to focus on the worst or most persistent set of indicators to reduce the number of incidents to a manageable level.

If, however, you’re dealing with a more secure network area, such as a database server farm, where only very specific traffic should be present, you can be more liberal with the threat indicators in both volume and quality. These servers typically hold business-critical data, so don’t take any chances. Opening up the threat intelligence data allows you to cast a wider net that would drown you in a more public-facing network segment.

Threat Intelligence Adds Context

Other good use cases involve applying threat intelligence to incident forensics. When probable cause directs you to investigate hosts or users, threat intelligence can help determine who or what they might have been exposed to in the past.

The added context that threat intelligence feeds provide is very important to protecting your networks. By using the confidence levels of that information and carefully implementing different uses around your network, you can better protect yourself without overloading your security analysts with too much noise.

Sign up for a free trial of the IBM X-Force Exchange

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today