
Building a Threat Intelligence Environment

Threat intelligence (TI) is more than just collecting data feeds and supercharging your SIEM. You'll need to understand what TI is and isn't to gain value.

Travis Farral
July 5, 2018
<p>On June 27, I had the pleasure of participating in an <a href="https://www.anomali.com/resources/webcasts/building-a-threat-intelligence-environment" target="_blank">SC Media webcast</a> on building a threat intelligence environment. The host, <a href="https://www.scmagazine.com/stephen-lawton/author/3616/" target="_blank">Stephen Lawton</a>, posed some good questions about challenges and misconceptions around building a threat intelligence program inside an organization.</p><p>Since threat intelligence first became a new buzzword in information security some years back, many companies have espoused features friendly to this seemingly new technology. Unfortunately, threat intelligence was not a concept easily understood by typical IT security types. Early players in the threat intelligence space contributed to the spread of misconceptions by implying that a list of IP addresses or domains was, in itself, intelligence. Fortunately, the industry has mostly matured beyond this, but some of these misconceptions still persist.</p><p>In order to truly get value from threat intelligence, it’s important to start out on the right foot. Understanding what threat intelligence is and isn’t is a fundamental component of knowing how it can benefit an organization. Threat intelligence is not a list of anything. It’s not IP addresses or domains or hashes or URLs. These are just information. Granted, intelligence can be derived from lists, but the lists and the objects in the lists themselves are not intelligence. Intelligence is taking available data (perhaps from lists) and extracting meaning from that data for the purpose of providing insight into decision-making.
<em>Threat</em> intelligence is performing this process around threats, either real or perceived.</p><p>As I discussed with Stephen in the webinar, since an organization is going to be concerned with threats to itself, it makes sense then that any threat intelligence program should start with internally available data that can support intelligence analysis. Mostly this should be attacks observed by that organization. Information from the SOC and incident response efforts is the perfect place to start.</p><p>We went on to cover a lot of important ground on how to build a threat intelligence environment. My hope is that it helps those looking to start or expand threat intelligence efforts in their organizations and maybe dispel some common myths along the way.</p><p>A recording of the webcast is available <a href="https://www.anomali.com/resources/webcasts/building-a-threat-intelligence-environment" target="_blank">here</a>. Slides from our discussion are available <a href="mailto:marketing@anomali.com ">upon request</a>.</p>
Travis Farral

Travis Farral is the former Director of Security Strategy at Anomali. Travis is a seasoned IT security professional with extensive background in corporate security environments.


