My Threat Intelligence Can Beat Up Your Threat Intelligence

Have you ever been in a vendor meeting and heard the vendor extol the greatness of their threat intelligence?  You may have even seen a slide that looks similar to this:

The vendor probably proceeded  to highlight the key differentiators that make their threat intelligence network stand second to none.  Bullets containing statistics like this surely followed:

• Global coverage, in well over 100 countries
• 50 million network devices
• 50 billion web queries each month
• 30 billion emails a month
• 100 million users

I have been in countless meetings and presentations where this exact scenario has occurred and I get déjà vu every time I hear it. In fact, if you simply swap out the vendor logo you could almost use the same slide deck.  Threat intelligence networks are like opinions, everybody has one.  Vendors are often surprised when I tell them that their threat intelligence networks aren’t that unique.  Vendors collect data from their offerings. Vendors like Cisco or Juniper leverage their networks offerings, players like McAfee or Symantec leverage diverse security portfolios, content delivery companies like Akamai leverage their content delivery networks, and so on; you get the idea. Am I saying there isn’t value in these threat intelligence networks?  Absolutely not, my position is that the vendors aren’t deriving actionable intelligence that is significantly different from the competition and there is considerable overlap in what is being observed. The vendors are looking at the same malicious activities from slightly different perspectives. Vendor threat intelligence networks are commoditized.

After I explain my position to the vendor who has just attempted to marvel me with their threat intelligence network capabilities I like to dig deeper and focus on the research that accompanies the threat intelligence network.

• How have you specifically leveraged threat intelligence in your offerings? 
• What are specific examples of threats that you have provided proactive protection for?
• What % of overall revenue is dedicated to threat intelligence/research?
• How many employees (non operations) make up your threat intelligence/research team?
• What languages do you support?
• What periodic research do you publish?
• How many advisories have you published?

Dear vendor product marketing and sales teams, please understand that your threat intelligence is helpful and we expect that you have it, but it isn’t terribly different from your closest competitors.  The real story on threat intelligence is your organization’s ability to develop your own, but I will save that for the future.