How to Choose a Threat Intelligence Solution

November 6, 2018 | Eric Dosal

So, you’ve decided to invest in a threat intelligence tool to help your company keep ahead of emerging cyber threats. The question is, which cyber threat intelligence solution is the right one to meet your needs? Unfortunately, not every threat monitoring solution is created equal, and not every organization has the resources to acquire and manage every threat intelligence tool it could possibly benefit from.

With this in mind, how can your business ensure that it’s choosing the right threat intelligence solution for its needs? How do you balance what you need to know, what you have the resources to handle, and what you can afford in a cyber threat intelligence tool so you get the optimal improvement for your network security?

Build a Cyber Threat Intelligence Framework First

The first thing you should do before you start taking a tour of all the different threat intelligence tools on the market is build a threat intelligence framework—a plan that highlights:

  • What you need to protect;
  • Who you need to defend against;
  • What your goals are for the intelligence tool; and
  • Which threat feeds are the most valuable for your organization.

Armed with this information, it’s easier to assess specific cyber threat intelligence solutions to see how they mesh with your goals. This way, you can (hopefully) avoid wasting time and attention on tools that won’t help you meet your goals.

Consider What Information the Threat Intelligence Tool Gathers

When evaluating a potential threat intelligence solution for your business’s network, try to get a clear idea of what information that tool actually provides you. Some tools gather data about your own network to identify abnormal traffic patterns that could indicate a cybersecurity breach.

Others act as “threat feeds” that monitor certain threat sources outside the organization for specific indicators of a cyber threat. Using this information, analysts can compare these “threat artifacts” (indicators of compromise) against internal network logs to see whether a newly identified threat from the feed is already present in the network.

These feeds may track different threat indicators—such as known malicious IP addresses commonly associated with cyber attacks or even specific databases of known threat signals. They may also come in free or paid varieties, making them a budget-flexible option for improving network security.

The challenge is in managing threat feeds to make sure you’re getting up-to-date and reliable threat intelligence. A mismanaged threat feed could quickly become outdated as attackers constantly switch up their tactics. Also, until a threat is known, it may not be readily identified in the threat feed.

Meanwhile, threat intelligence tools that monitor network activity may be able to spot unusual activity caused by a cybersecurity breach, even if the attack method behind the cyber threat is new or unknown. Yet security information and event management (SIEM) solutions may generate a lot of “noise,” or low-value alerts, that makes it harder for analysts to correctly identify real threats. The volume is large enough that many organizations opt to use co-managed SIEM solutions from a managed security service provider (MSSP) to help them sift through all of the data and make sure they don’t miss anything.

Ideally, an organization should use both a SIEM and threat intelligence feeds to make its threat monitoring more robust. The data from the threat feeds helps the SIEM tool quickly identify and highlight known threats for faster threat management, while the SIEM’s own baselining continues to highlight abnormal traffic that comes from unknown threats.
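The feed-to-log comparison described above, as an added example that is not part of the original post: a small Python script matches indicators from a constructed threat feed against constructed firewall log lines, and drops feed entries older than a configurable age so that a stale indicator does not produce alerts. The key=value log format, the feed fields, and the 90-day freshness window are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed threat feed entries (RFC 5737 documentation addresses, not real IoCs).
FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "last_seen": "2018-11-05T00:00:00Z", "source": "feed-a"},
    {"indicator": "198.51.100.7", "type": "ip", "last_seen": "2018-06-01T00:00:00Z", "source": "feed-a"},
    {"indicator": "bad.example.net", "type": "domain", "last_seen": "2018-11-04T00:00:00Z", "source": "feed-b"},
]

# Constructed firewall/proxy events, one key=value record per line (assumed format).
LOGS = """\
ts=2018-11-06T10:01:00Z src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow
ts=2018-11-06T10:02:00Z src=10.0.0.13 dst=198.51.100.7 dport=80 action=allow
ts=2018-11-06T10:03:00Z src=10.0.0.14 host=bad.example.net dport=443 action=allow
ts=2018-11-06T10:04:00Z src=10.0.0.15 dst=192.0.2.10 dport=443 action=allow
"""

# Fixed "current time" so the freshness check is reproducible.
NOW = datetime(2018, 11, 6, tzinfo=timezone.utc)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values never contain spaces in this format."""
    return dict(kv.split("=", 1) for kv in line.split())


def load_feed(feed, now=NOW, max_age_days=90):
    """Index indicators by value, skipping entries not seen within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = {}
    for entry in feed:
        seen = datetime.strptime(entry["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        if seen.replace(tzinfo=timezone.utc) >= cutoff:
            fresh[entry["indicator"]] = entry
    return fresh


def match_logs(logs, indicators):
    """Return one hit per event whose destination IP or hostname is a fresh indicator."""
    hits = []
    for line in logs.splitlines():
        ev = parse_line(line)
        for field in ("dst", "host"):
            ioc = indicators.get(ev.get(field, ""))
            if ioc:
                hits.append({"ts": ev["ts"], "src": ev["src"],
                             "indicator": ioc["indicator"], "source": ioc["source"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, load_feed(FEED)):
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']} ({hit['source']})")
```

With the 90-day window the June entry is dropped, so only the two November indicators produce hits; shortening or lengthening the window is how a feed’s freshness policy shows up in alert volume.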

Does the Solution Include Closed-Source (or Dark Web) Monitoring?

Odds are that you’ve already heard about some mysterious part of the internet known as “the dark web.” If you haven’t, here’s a handy definition featured on CSO Online:

“The dark web is a part of the internet that isn't indexed by search engines… You can buy credit card numbers, all manner of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts and software that helps you break into other people’s computers. Buy login credentials to a $50,000 Bank of America account for $500. Get $3,000 in counterfeit $20 bills for $600. Buy seven prepaid debit cards, each with a $2,500 balance, for $500 (express shipping included). A “lifetime” Netflix premium account goes for $6. You can hire hackers to attack computers for you. You can buy usernames and passwords.”

The dark web cannot be browsed using a typical Google search, either. It requires a specialized browser that hides your computer’s IP address, such as the Tor browser, before you can access it. In a way, the browser is similar to a virtual private network: it routes your connection through a chain of proxy servers to mask your IP address and other details that could be used to identify your computer.

While the above definition makes it sound like a den for illegal activity, and it often is, legitimate organizations also use it to host private services that are not publicly indexed (the “closed-source” monitoring referred to in the heading).

Dark web monitoring is a kind of threat feed service that specifically checks dark web activity for warning signs that a company’s (or that company’s customers’) data has been compromised and put up for sale. Considering that this is often where stolen data is put up for auction, it is a necessary threat monitoring service for identity theft protection.

Consider the Scope of the Information Collected and its Ease of Use

Does the threat intelligence tool collect all of the information you need to maintain your network security in a single place? If it does, how well is that information presented to you or your cybersecurity team? Some threat intelligence tools may provide a vast amount of information, but be difficult to sort through. Others may have a scalpel-like focus that makes them easy to parse, but also miss a lot of important threat sources you need to monitor.

The perfect threat intelligence tool would give you what you’re most likely to need without drowning your network security team in an ocean of noise. However, such perfect solutions are unlikely considering the sheer scope and variety of threats that businesses have to deal with.

Instead, many businesses opt for the more comprehensive threat monitoring solution and then contract an MSSP to help them sort through the data to identify what’s important. This helps the organization collect all of the data they need to improve their cybersecurity while minimizing the risk that they’ll miss something.

Need more help choosing the right threat intelligence solution—or, do you need help managing your current cyber threat monitoring tools so you can get more bang for your cybersecurity buck? Contact the experts at Compuquip Cybersecurity today for help selecting and managing your threat intelligence tools.
