joltsik
Contributing Writer

Are There Differences Between Threat Intelligence Feeds?

Opinion
Jul 17, 2015 · 3 mins
Cisco Systems, Cybercrime, Data and Information Security

Enterprise cybersecurity professionals find it difficult to judge the quality and efficacy of disparate open source and commercial threat intelligence. In the short term, this means more buying and selling.

While cyber threat intelligence hype is at an all-time high across the industry, many enterprise organizations are actually building internal programs and processes for threat intelligence consumption, analysis, and operationalization. 

This trend will likely continue. According to ESG research, 27% of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) say that spending on their organizations’ threat intelligence programs will increase significantly over the next 12 to 18 months, while another 45% say that threat intelligence spending will increase somewhat during this timeframe (note: I am an ESG employee). 

As part of this spending spree, many organizations plan to purchase additional commercial threat intelligence feeds from an assortment of vendors to get incremental information on Indicators of Compromise (IoCs), cyber-adversary tactics, techniques, and procedures (TTPs), and even personal data on the threat actors themselves.

Of course, there’s a lot of cybersecurity information for sale out there, but are any of these threat intelligence feeds really unique, or do many of them contain the same basic information? Well, according to the ESG research, cybersecurity professionals believe there is little real differentiation. In fact:

  • 21% of cybersecurity professionals believe that about 75% to 100% of the information contained in commercial threat intelligence feeds/services is redundant regardless of the source.
  • 51% of cybersecurity professionals believe that about 50% to 74% of the information contained in commercial threat intelligence feeds/services is redundant regardless of the source.

So CISOs are basically paying for the same information multiple times, which seems crazy to me. Why not standardize on the best threat intelligence feeds and eliminate all the rest? Because it is almost impossible to objectively compare threat intelligence. In fact, 26% of cybersecurity professionals claim that it is extremely difficult to determine the quality and efficacy of each individual threat intelligence feed, while 48% say it is somewhat difficult to determine the quality and efficacy of each individual threat intelligence feed.

Now, this situation will likely change in the future as organizations build threat intelligence consolidation and analysis platforms (TICAPs) based upon the open source CRITs project, purchase commercial offerings from vendors like BrightPoint Security, ThreatGRID, and ThreatQuotient, or use Splunk’s ThreatStream application. Armed with correlation tools and common dashboards, security analysts will be able to determine which threat intelligence feeds recognized each threat first, which provide the most details about cyberattacks, which contain the fewest false positives, etc. In this way, they can determine which feeds best serve their organizations and drop the me-too offerings.
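As an added illustration (not code from the article or from any vendor named in it), the comparison such a platform performs reduces to a few set operations over the feeds' indicator records: how much of each feed is duplicated elsewhere, which feed published each indicator first, and how often a feed flags infrastructure the organization already knows to be benign. The feed names, indicators, dates and allowlist below are constructed for the example.

```python
from collections import defaultdict
# Constructed sample records from three hypothetical feeds (not real data):
# (feed name, indicator, ISO date the feed first published it).
FEED_RECORDS = [
    ("feed_a", "198.51.100.7", "2015-06-01"),
    ("feed_a", "203.0.113.42", "2015-06-03"),
    ("feed_a", "bad.example", "2015-06-05"),
    ("feed_a", "evil.example", "2015-06-07"),
    ("feed_b", "198.51.100.7", "2015-06-02"),
    ("feed_b", "203.0.113.42", "2015-06-02"),
    ("feed_b", "cdn.example", "2015-06-04"),  # benign host: a false positive
    ("feed_b", "evil.example", "2015-06-07"),  # same day as feed_a: a tie
    ("feed_c", "198.51.100.7", "2015-06-04"),
    ("feed_c", "203.0.113.42", "2015-06-06"),
    ("feed_c", "bad.example", "2015-06-01"),
]
# Constructed allowlist of infrastructure the organization knows to be benign.
KNOWN_BENIGN = {"cdn.example"}

def indicators_by_feed(records):
    """Map each feed name to the set of indicators it published."""
    by_feed = defaultdict(set)
    for feed, ioc, _ in records:
        by_feed[feed].add(ioc)
    return by_feed

def redundancy(records):
    """Per feed: share of its indicators that at least one other feed also carries."""
    by_feed = indicators_by_feed(records)
    return {feed: len(iocs & set().union(*(s for f, s in by_feed.items() if f != feed)))
            / len(iocs) for feed, iocs in by_feed.items()}

def first_seen_credit(records):
    """Per feed: count of indicators it published strictly before every other feed.
    A tie on the earliest date earns no feed any credit."""
    sightings = defaultdict(list)
    for feed, ioc, seen in records:
        sightings[ioc].append((seen, feed))  # ISO dates sort chronologically as strings
    credit = {feed: 0 for feed in indicators_by_feed(records)}
    for entries in sightings.values():
        entries.sort()
        if len(entries) == 1 or entries[0][0] < entries[1][0]:
            credit[entries[0][1]] += 1
    return credit

def false_positive_rate(records, benign=KNOWN_BENIGN):
    """Per feed: share of its indicators that match the known-benign allowlist."""
    return {feed: len(iocs & benign) / len(iocs)
            for feed, iocs in indicators_by_feed(records).items()}
```

With these three numbers side by side, a feed that is fully redundant, never first, and never wrong about benign hosts is the one to cancel; on this constructed sample feed_c is fully redundant but still earned first-seen credit, which is exactly the nuance a dashboard has to surface before a renewal decision.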

TICAP deployment is in its infancy, so I don’t expect ubiquitous enterprise deployment for a few years. In the meantime, many enterprises will continue to purchase a potpourri of intelligence feeds hoping that at least one of them will uncover the proverbial needle in the massive cybersecurity haystack. This means continued threat intelligence revenue, industry growth, and pervasive hype over the next few years anyway.


Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
