In May 2019, Flashpoint CEO Josh Lefkowitz shared in SecurityWeek tips for evaluating threat intelligence vendors that cover the deep and dark web. While these tips are indeed helpful for those who seek such services, as I established in my previous column, not every company actually needs deep and dark web monitoring. Therefore, I wanted to look at the entire threat intelligence space and offer some thoughts on how to evaluate which vendors are best for you. After all, the offerings of the vendors in this space vary dramatically in concept and execution; many have nothing to do with the dark web, yet their intelligence can be crucial to many organizations.
Understanding What You Need is Key
Threat intelligence is a term used to cover quite a few different offerings, all with the common denominator that the deliverables contain data that should help improve the overall security posture of the organization. This means that “Threat Intelligence” can be a blacklist of known malware servers, mentions in dark web discussions, or a report that a threat actor has registered a domain very similar to the company’s. Data provided as part of threat intelligence deliverables can range from generic to customer-specific, from FYI to actionable, from broad to very specific, from raw data to fully analyzed, and along various other dimensions. To make matters even more complex, some threat intelligence offerings focus on proactively identifying potential threats and reporting on them, while others focus on enriching information already in the customer’s possession; for example, a SOC that has identified an incident involving an IP address may want to receive more information on that IP address. Proactive identification of threats and enrichment of existing data are two completely different use cases that provide value in different parts of security operations.