What Are the Most Common Threat Intelligence Mistakes?

December 3, 2019 Eric Dosal

Threat intelligence is quickly becoming a crucial aspect of proactive cybersecurity strategies. Many organizations use threat feeds and other intelligence solutions to anticipate the types of cyber threats they will have to contend with, and to make preemptive adjustments to their network security.

However, not every organization makes the best use of their threat intelligence solutions—making mistakes that could cost them down the line. How can your organization avoid these threat intelligence mistakes? Here’s a quick explanation of threat intelligence, some common mistakes, and what you can do to make the most of your own intelligence solutions:

What is Threat Intelligence?

Threat intelligence is more than just having a cyber threat feed or a security information and event management (SIEM) tool. It’s a set of processes, tools, and guidelines for proactively identifying potential threats and assessing their risk. Ideally, the organization then takes preemptive measures to counter the cyber threats that they’re most likely to encounter and suffer significant harm from.

Effective threat intelligence is never a “one and done” solution—it’s an ongoing process that uses many tools and constant updates to proactively identify and counter cyber threats.

Top Threat Intelligence Mistakes

There are many mistakes that can be made when creating or running a cyber threat intelligence program. Here are a few of the most common ones:

  1. Failing to Act on Gathered Information. One of the most common mistakes that organizations make is gathering data for their threat intelligence plan… and then completely neglecting to do anything with the information. This is often because the important insights that they need to act on are buried deep in a sea of data bloat from a poorly-optimized SIEM solution or set of threat feeds. Or, it can be because the organization lacks the right skills/tools/resources to make the necessary changes.

  2. Not Prioritizing Fixes. A key part of any cyber threat intelligence program is being able to prioritize cyber threats based on their likelihood of occurrence, their potential impact, and how easy the fix is to implement. The most likely threats with the biggest impacts and easiest fixes should always be prioritized first, while less likely threats with small impacts that are hard to fix should be handled last. However, many organizations focus only on one of the three prioritization criteria—which leads to wasted time and resources while leaving major cyber threats unaccounted for.
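The three-criteria ranking described above, as an added example that is not part of the original article: the threat names, the 1-to-5 scales and the scores are constructed for illustration. It also shows the single-criterion mistake, ranking by impact alone, and which high-priority item that ranking pushes out of the top of the list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (very likely)
    impact: int      # 1 (minor) .. 5 (severe)
    fix_effort: int  # 1 (trivial) .. 5 (major project)


# Constructed sample assessment; not taken from any real environment.
THREATS = [
    Threat("Phishing via unfiltered mail", likelihood=5, impact=4, fix_effort=2),
    Threat("Unpatched internet-facing VPN appliance", likelihood=4, impact=5, fix_effort=1),
    Threat("Legacy app requires full re-architecture", likelihood=2, impact=5, fix_effort=5),
    Threat("Stale guest Wi-Fi password", likelihood=3, impact=1, fix_effort=1),
    Threat("Weak internal service account", likelihood=3, impact=4, fix_effort=3),
]


def priority_score(t: Threat) -> int:
    """Combine all three criteria: likely, high-impact, easy-to-fix threats score highest."""
    return t.likelihood * t.impact * (6 - t.fix_effort)


def rank_by_all_criteria(threats):
    """Order of work when likelihood, impact and ease of fix are weighed together."""
    return [t.name for t in sorted(threats, key=priority_score, reverse=True)]


def rank_by_single_criterion(threats, criterion: str):
    """The mistake the article describes: ordering by one attribute only, e.g. 'impact'."""
    return [t.name for t in sorted(threats, key=lambda t: getattr(t, criterion), reverse=True)]


def displaced_from_top(threats, criterion: str, top_n: int):
    """Threats in the combined top-N that a single-criterion ranking leaves unaccounted for."""
    combined = set(rank_by_all_criteria(threats)[:top_n])
    single = set(rank_by_single_criterion(threats, criterion)[:top_n])
    return combined - single


if __name__ == "__main__":
    print("combined ranking:", rank_by_all_criteria(THREATS))
    print("impact-only ranking:", rank_by_single_criterion(THREATS, "impact"))
    print("dropped from top 2 by impact-only:", displaced_from_top(THREATS, "impact", 2))
```

Ranking by impact alone puts the hard, unlikely re-architecture project second and pushes the cheap, highly likely phishing fix out of the top two.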

  3. Failing to Verify and Update Threat Feeds. Cyber threat data feeds can be a great way to learn what threats are the most likely to affect your organization—so long as those threat feeds are kept up to date. It’s important to check from time to time whether a particular data feed is still keeping up to date. If the feed is not being maintained, it may be time to find a new one.

  4. Putting the Wrong People in Charge of Threat Intelligence. There are many skills that are covered under the “cybersecurity” umbrella—and not every network security engineer will know how to handle all cybersecurity tasks (even though they’ll likely have a better foundation than a non-expert). It’s kind of like going to the optometrist for your heart surgery—sure, they’ll know a bit more about anatomy and surgical procedure than a “layman,” but that’s not what they specialized in. When creating a threat intelligence procedure, it’s important to ensure that whoever is in charge of that procedure knows how to vet threat feeds, prioritize threats by level of risk and ease of fix, and how to counter various types of cyber threats. This is why many companies turn to a managed security service provider (MSSP) to handle their threat intelligence—managed security companies tend to have a variety of experts on their staff who can provide the right insights for effective cyber threat intelligence.

The Cyber Threat Feed Advice You Need to Hear

So, how can your organization avoid making the mistakes outlined above? You’ve kind of already completed the first step by becoming aware of these issues. However, there are a few more things that you should do, including:

  • Conducting Regular Threat Assessments. When you’ve gathered a bunch of information about various cyber threats, you need to assess them so you can know how likely each threat is to affect your organization—and how bad the results could be. Using this information can help you prioritize your biggest cybersecurity risks so you can address them before attackers exploit them.

  • Staying on Top of Security Patches. Many of the cyber threats out there are already known to software developers—and they frequently release security patches to counter those threats. So, while not directly related to threat intelligence, staying on top of your software security patches can be an easy way to counter many cyber threats.

  • Periodically Reassessing Your Threat Feeds. Threat intelligence feeds should be pruned every now and again to verify that they’re still providing valuable data without creating data bloat. If the information from a threat feed isn’t valuable, it may be time to find a new source of information.
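One way to run the feed check that mistake 3 and this bullet both call for, as an added example that is not the article's or any vendor's code: it keeps a history of what each feed returned on successive fetches and flags a feed whose content has not changed within a staleness window. The feed names, indicators (RFC 5737 documentation addresses and .example names), fetch dates and the 30-day threshold are all constructed assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2019, 12, 3, tzinfo=UTC)  # constructed "today" for the check

# Constructed fetch history per feed: (fetch time, set of indicators returned).
# A real collector would fill this from HTTP fetches; it is embedded so the check runs offline.
SNAPSHOTS = {
    "feed-a": [
        (datetime(2019, 11, 1, tzinfo=UTC), {"198.51.100.10", "evil.example"}),
        (datetime(2019, 11, 15, tzinfo=UTC), {"198.51.100.10", "evil.example", "203.0.113.7"}),
        (datetime(2019, 12, 1, tzinfo=UTC), {"198.51.100.10", "203.0.113.7", "bad.example"}),
    ],
    "feed-b": [  # same single indicator on every fetch: nobody is maintaining it
        (datetime(2019, 9, 1, tzinfo=UTC), {"192.0.2.5"}),
        (datetime(2019, 11, 15, tzinfo=UTC), {"192.0.2.5"}),
        (datetime(2019, 12, 1, tzinfo=UTC), {"192.0.2.5"}),
    ],
}


def last_change(snapshots):
    """Time of the most recent fetch whose content differed from the fetch before it."""
    changed_at = snapshots[0][0]
    for (_, prev), (when, cur) in zip(snapshots, snapshots[1:]):
        if cur != prev:
            changed_at = when
    return changed_at


def churn(snapshots):
    """Fraction of the latest fetch that is new since the first fetch (0.0 = nothing new)."""
    first, latest = snapshots[0][1], snapshots[-1][1]
    return len(latest - first) / len(latest) if latest else 0.0


def assess_feed(name, snapshots, now=NOW, max_stale_days=30):
    """Summarise one feed and flag it as stale if it has not changed within the window."""
    age_days = (now - last_change(snapshots)).days
    return {"feed": name, "days_since_change": age_days,
            "churn": churn(snapshots), "stale": age_days > max_stale_days}


def stale_feeds(history=SNAPSHOTS, now=NOW, max_stale_days=30):
    """Names of feeds that are candidates for replacement."""
    return [n for n, s in history.items() if assess_feed(n, s, now, max_stale_days)["stale"]]


if __name__ == "__main__":
    for name, snaps in SNAPSHOTS.items():
        print(assess_feed(name, snaps))
    print("stale:", stale_feeds())
```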

  • Setting SIEM Custom Alerts. SIEM solutions can provide a lot of data about active cyber threats on your network. However, without some way of ensuring that the right people see that data, it can easily be buried in a sea of noise—the non-pertinent information the SIEM also records. Setting custom alerts for your SIEM solution can help make the most important information stand out from the noise so you can act on it more easily.

  • Using Managed Security Services. Recruiting and retaining cybersecurity experts in-house is incredibly difficult and expensive—especially when you’re looking for a specific skill set. Using a managed security service to provide threat intelligence not only gives you access to a well-developed list of threat intelligence feeds; it helps ensure you have access to experts who know how to put that information to use.

Need help creating or optimizing your threat intelligence program? Reach out to the Compuquip Cybersecurity team today for advice. We’re eager to help and have the expertise to ensure that you get the right insights to better protect your business.
