Subscriptions Not all threat intelligence subscriptions provide the same things. Many provide low-volume, high-conÕdence indicators and reports; others provide considerable volume with variable conÕdence; and some providers may focus on one type of threat (e.g., advanced persistent threats, cybercrime or hacktivism). This intelligence may come from dark web or deep web analysis, proprietary collection mechanisms and/or analysis of open source information. 20% The process of identifying and vetting data that is valuable for a speciÕc organization is of organizations outsource their threat challenging due to the sheer volume of these types of open, paid and internal sources. Even intelligence collection and/or feeds when sources are selected and data collection begins, many organizations are not capable of ingesting the full scope of what is provided (e.g., Indicators of Compromise (IOCs)), or determining action from data-heavy reports. Importantly, pivotal context surrounding information provided in feeds and reports is often missing, leaving the organization trying to understand the relevance without the background of why the data is important. Subscriptions should not just be limited to the automatic integration of feeds and electronic delivery of reports, but rather should be custom-Õtted to the industry and the organization’s needs in order to enable actions. This can be achieved by the provider working with the organization to determine the right selection of subscription offerings, which can be a combination of: Tailored technical indicator feeds for automatic integration 14% • • Informative webcasts and training events to target the operationalization of threat of organizations outsource their threat intelligence intelligence analysis Analyst-delivered brieÕngs to inform both security operators and executives • Industry- and business-speciÕc reporting on current events, emerging cyber threats and • trends on customized time schedules to meet operational needs (daily, weekly, etc.) Timely event-driven updates with analysis on signiÕcant and relevant cyber events • Having direct analyst support to deliver products, provide brieÕngs, answer intelligence related questions, and tailor analysis and recommendations to an organization’s threat landscape is pivotal for maximizing the use of subscription services. 50% Intelligence platforms of organizations have analysts that read and subscribe to speciÕc open Some threat intelligence solutions provide a combination of feeds in a technological source resources to keep their security platform that enable visualization of data, and with such a large number of cyber threat operations center (SOC) up to date intelligence providers to choose from, organizations can be tempted to select vendors offering this type of pre-conÕgured, stand-alone solution because these types of vendors are often immediately available and can initially appear to be more cost-effective. However, upon purchasing this service, organizations often realize that they have been left to make that data actionable and relevant for themselves, have little ownership of the data, and are at potential risk for contract fee increases while not fully realizing the value of their purchase. Intelligence platforms can be a crucial component to cybersecurity when combined with key processes within a mature intelligence program to visualize collected data and support long-term trending. Trending analysis can provide valuable insight speciÕc to the organization and to industry by showing changes in adversary tactics, techniques, and procedures (TTP) over time, and patterns in intelligence of value determined when key stakeholders take 41% the time to document their intelligence requirements. This analysis is most effective when of GISS respondents say their SOC captured in a way that leaders Õnd meaningful to business risk decision-making and the has a paid subscription to cyber prioritization of countermeasures and remediation activities. threat intelligence feeds @ow do you Ônd the criminals before they commit the cybercrime? — A close look at cyber threat intelligence | 7
Cyber Threat Intelligence Report Page 8 Page 10