With data breaches grabbing headlines nearly every week, threat intelligence is shaping up as the next big thing in information security. That, of course, means there's more hype and confusion to sift through.

Promises of silver bullets run rampant in information security. Buy an appliance to keep the bad guys out of the network. Deploy this platform and kiss zero-day attacks good-bye. Invest in this other service for a single pane of glass that tells you exactly what's going on in your network.

Now, throw threat intelligence into the mix: subscribe to these feeds and detect breaches before anything bad can happen! While the idea that threat intelligence can help improve enterprise security is a sound one, precious little attention is paid to how these systems can succeed.

Everyone wants a piece of this red-hot market, but too many vendors are spinning their latest offerings as some form of threat intelligence, and enterprises aren't quite sure what they are getting. With CSO Online's Steve Ragan, we break down the confusion and snake oil surrounding the current marketplace and offer concrete tips on how to make threat intelligence work.

The foundation of threat intelligence

Your first tip: If something looks like or used to be called a security information and event management (SIEM) system, it's still a SIEM. That isn't threat intelligence. A SIEM, however, can plug into a threat intelligence platform.

A functional threat intelligence system operates like a football team where the quarterback takes all the information -- from the referees, the scoreboard, the coaches, the teammates, and the opposing team's defensive line -- and decides which play to run.
A threat intelligence platform pulls various types of data sources -- third parties such as VirusTotal, external intelligence feeds, and event data from endpoints, applications, and the SIEM -- into one centralized system. The security analyst uses the analytics tools provided by the software to make magic: All sorts of information flow in, and intelligence comes out. Understanding how that magic works is the tricky part.

Tactical vs. strategic

Definitions matter, so let's get the first one out of the way: Threat intelligence helps IT and security staff make security decisions. The decision may be as straightforward as a retailer that wants to ensure the point-of-sale malware hitting other retailers has not infected its terminals, or as difficult as an organization worried about spear phishing attacks against senior executives that could result in intellectual property theft.

"Everything is now [trying to] be threat intelligence. But if it doesn't help you make a decision about your security, it isn't threat intelligence," says Adam Vincent, CEO of ThreatConnect, a threat intelligence provider.

Threat intelligence can be applied tactically or strategically. The most common use case is tactical intelligence, where the security analyst takes the knowledge gleaned from the available information to generate rules that can be applied to firewalls, SIEMs, or other security products.

For example, the security analyst learns through the threat intelligence portal that a particular point-of-sale malware family always connects to the same command-and-control server. The analyst can get the IP address from the portal and proactively configure the firewall to block all connections to that IP address. The analyst can generate Snort rules that detect the malicious file and deploy them to determine when the infection occurs.
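As an added illustration of the tactical workflow just described (example code written for this edit, not part of the original article or of any vendor's product): the script below takes a constructed feed record for a fictitious point-of-sale malware family, validates its command-and-control address, emits a firewall block rule and a Snort alert rule, and then hunts through constructed firewall log lines and an endpoint hash inventory for signs the infection already happened. The family name, the addresses (RFC 5737 documentation ranges), the hash and the log format are all assumptions. The Snort rule keys on the C2 address; the file hash is matched against the endpoint inventory in the hunt step instead. Note the two checks a feed-driven pipeline needs: the address is validated before it lands in a rule, and the feed-supplied text is stripped of characters that could break out of the Snort `msg` string.

```python
"""Apply a tactical indicator: block, detect, and hunt.

Added example, not code from the article or from any vendor named in it.
Every indicator value, log line and inventory entry below is constructed;
addresses come from the RFC 5737 documentation ranges.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    family: str             # malware family named by the feed (assumed name)
    c2_ips: frozenset[str]  # command-and-control addresses from the feed
    sha256: frozenset[str]  # hashes of the malicious files from the feed


# Constructed feed record for a fictitious PoS malware family.
FEED_INDICATOR = Indicator(
    family="ExamplePOS",
    c2_ips=frozenset({"203.0.113.45"}),
    sha256=frozenset({"d2f1" * 16}),  # placeholder 64-hex-char SHA-256
)

# Constructed firewall log lines (the format is an assumption).
SAMPLE_FW_LOGS = [
    "2016-03-01T10:02:11Z pos-terminal-07 fw: ACCEPT src=10.20.30.7 dst=203.0.113.45 dport=443",
    "2016-03-01T10:03:40Z office-pc-12 fw: ACCEPT src=10.20.31.9 dst=198.51.100.20 dport=80",
    "2016-03-01T10:05:02Z pos-terminal-03 fw: DROP src=10.20.30.3 dst=192.0.2.9 dport=8080",
]

# Constructed endpoint inventory: host -> SHA-256 hashes of files found on it.
SAMPLE_INVENTORY = {
    "pos-terminal-07": {"d2f1" * 16, "ab12" * 16},
    "pos-terminal-03": {"ab12" * 16},
    "office-pc-12": {"cc00" * 16},
}

LOG_RE = re.compile(r"^\S+ (?P<host>\S+) fw: (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def validate_ip(ip: str) -> str:
    """Refuse anything that is not a literal IP address. A malformed feed
    entry (a hostname, a CIDR, stray whitespace) must not reach a rule."""
    return str(ipaddress.ip_address(ip.strip()))


def safe_msg(text: str) -> str:
    """Keep only characters that cannot break out of a Snort msg string;
    feed data is untrusted input to the rule you are generating."""
    return re.sub(r"[^A-Za-z0-9 ._:-]", "", text)


def firewall_block_rules(ind: Indicator) -> list[str]:
    """iptables rules dropping outbound connections to each C2 address."""
    return [f"iptables -A OUTPUT -d {validate_ip(ip)} -j DROP" for ip in sorted(ind.c2_ips)]


def snort_c2_rules(ind: Indicator, base_sid: int = 1000001) -> list[str]:
    """Snort rules alerting on any internal host that talks to a C2 address.
    SIDs from 1000000 upward are reserved for locally written rules."""
    rules = []
    for offset, ip in enumerate(sorted(ind.c2_ips)):
        msg = safe_msg(f"{ind.family} C2 traffic to {ip}")
        rules.append(
            f"alert tcp $HOME_NET any -> {validate_ip(ip)} any "
            f'(msg:"{msg}"; sid:{base_sid + offset}; rev:1;)'
        )
    return rules


def hunt_logs(lines: list[str], ind: Indicator) -> list[tuple[str, str, str]]:
    """Return (host, src, dst) for every logged connection attempt to a C2
    address, whatever the firewall did: a DROP still means an infected host."""
    wanted = {validate_ip(ip) for ip in ind.c2_ips}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["dst"] in wanted:
            hits.append((m["host"], m["src"], m["dst"]))
    return hits


def hunt_hashes(inventory: dict[str, set[str]], ind: Indicator) -> list[str]:
    """Return hosts whose file inventory contains a flagged hash."""
    return sorted(host for host, hashes in inventory.items() if hashes & ind.sha256)


if __name__ == "__main__":
    print("\n".join(firewall_block_rules(FEED_INDICATOR)))
    print("\n".join(snort_c2_rules(FEED_INDICATOR)))
    print("C2 contact:", hunt_logs(SAMPLE_FW_LOGS, FEED_INDICATOR))
    print("Flagged file present:", hunt_hashes(SAMPLE_INVENTORY, FEED_INDICATOR))
```

Run against the constructed data, the hunt flags pos-terminal-07 twice: it holds the flagged file and it connected to the C2 address, which is the "already infected" case the block rule alone would never reveal.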
The analyst can also hunt through available logs and network data to determine whether a payment terminal has already been infected with the file or has communicated with the IP address.

Strategic intelligence is harder to achieve, and existing solutions aren't as good at delivering on this front as they are on the tactical side. Strategic intelligence lets security analysts assess the organization's security profile and decide how to mitigate the risk. It's similar to how enterprises use business intelligence: In both cases, analyzing different sets of data and putting them in context with each other helps the enterprise make the decision.

For example, the organization may learn from a report (provided as part of an intelligence feed or derived from the threat intelligence platform) that an attack group has been targeting similar-sized organizations within the same industry. This attack group always goes after a specific application, transfers data to an FTP server, and creates a user account on the compromised server with the same name. Since the organization runs one of the applications under attack, the security team can strengthen controls: block outbound FTP by closing TCP port 21 at the perimeter, alert on creation of that account name, and deploy new defenses around the application to make it harder for that attack group to succeed.

For the most part, when organizations start out with threat intelligence, they are thinking tactically. "For strategic intelligence, there is room for improvement," says Rick Holland, vice president of strategy at Digital Shadows and a former Forrester Research analyst.

Information does not equal intelligence

There is a tendency to conflate information with intelligence, but they are entirely different. Information is data alone, and there's a ton of it. While some data can be useful on its own, most simply contribute to the overload.
Defenders have too much data and no idea what to do with it. Intelligence has context, which helps defenders figure out how that data can be used to solve a problem or answer a question. Context can take many forms, including the nature of the attack activity, the freshness of the information, the industry verticals the data comes from, and the types and sizes of businesses that have been hit by those attacks. Context turns information into intelligence.

Threat intelligence data feeds may contain indicators such as domain names, IP addresses, registry keys, filenames, and file hashes. On their own, they don't mean anything. But if a feed flags files with a particular hash as malicious and able to communicate with a remote IP address, the security analyst needs to know.

"What everyone really needs is not more data, but more intelligence," Vincent says.

1. Know what to buy

The sheer number of threat intelligence providers and possible data feeds can be overwhelming for defenders trying to decide which ones to buy. There are feeds from private intelligence providers, public-private partnerships, industry groups, and even open source. There are aggregators, providers that combine feeds from multiple sources, remove duplicates, and add insights to create their own threat intel flavor. It's not always clear at the outset what kind of intelligence is provided or even whether there is overlap across feeds.

"It's like the GMO problem, the ingredients aren't clearly labeled," says Chase Cunningham, director of threat intelligence at Armor, a secure cloud computing provider.

The other challenge is figuring out what form to buy. Some providers sell intelligence feeds, meaning information collected and analyzed by the provider's own analysts to add appropriate levels of context. This isn't a raw data feed of bad IP addresses or blacklisted domain names, but rather a list containing actionable intelligence.
Digital Shadows is an example of a company that sells intelligence feeds. Other providers sell both the feed and analytics software for security analysts to connect all data sources and uncover relationships and patterns within the data. ThreatConnect sells the software along with its own intelligence feed.

If the enterprise buys only the intelligence feed, then it needs something into which to plug the data. That could be the company's existing SIEM, or it could be a threat intelligence platform from another provider.

2. Evaluate the feed

This is a case where more is not necessarily better. Buying -- or subscribing to -- too many intelligence feeds only contributes to information overload. If the security analyst can't work with the provided indicators, they become part of the noise. The analyst has to spend a lot of time trying to correlate different pieces of information with the indicators. If the feed doesn't provide the right level of detail or relevant insights, that's time and energy wasted.

When deciding which feeds to buy, consider context such as industry sector and size of business. Premium feeds make sense for focused areas such as critical infrastructure, but if the defender is not operating in such an environment, the feeds won't be useful.

"Don't buy APT-related commercial feeds," says Stan Black of Citrix. Most IT teams have other threats to worry about before they need to think about beating back APT groups.

Security teams need to have a specific question or problem they are trying to solve and map the intelligence to those objectives. If the security team's top concern is spear phishing attacks against senior executives, they won't benefit from intelligence describing which group uses which malware family, for example.
The security team may decide to scrutinize incoming mail for spear phishing campaigns, monitor executives' laptops for unexpected behavior patterns, or track the network for unusual activity. Each approach would require a different type of intelligence.

If the biggest concern is about attackers stealing account credentials and intellectual property, "I need feeds which I can do something about, such as what IP address to block on my firewall," says Black.

Open source intelligence -- frequently derided by commercial providers -- can be useful to get a general sense of existing threats. Security teams need to assess whether the open source feeds provide insights specific to the industry or organization type before deciding whether to buy.

The same goes for industry-specific feeds. A financial services organization needs to focus on the threats targeting the financial sector and not worry about the health care sector, for example. While as a general rule it's a nice idea to be aware of attacks impacting other industries, since groups have been known to switch targets, very few security teams have the time and money to worry about what's happening outside their realm.

"Would I worry about Zika if I am not flying to South America right now?" Cunningham asks. There are enough fires to put out and risks to address without looking at other industries.

Don't blindly buy feeds and later try to figure out what to do with them. Instead, first establish security goals, then look for intelligence to apply. Otherwise, the feeds themselves become overwhelming and analysts struggle to prioritize the threats. For example, an organization may receive data feeds listing known bad IP addresses and malicious domain names.
But if the feeds provide IP addresses of command-and-control servers, security teams trying to get ahead of phishing campaigns won't benefit as much from the list.

"It's like being told, 'Driving on highways is dangerous.' OK, but how does that help me?" Black asks. "There is a cornucopia of threats I don't care about."

3. Know what you have

Amid the hoopla surrounding threat intelligence and how it can help organizations detect breaches, a simple fact is often overlooked: All the threat intelligence programs in the world won't be of any use if the security team doesn't have a clear idea of the problems that need fixing. The security team must have a thorough understanding of the environment and its intricacies, along with where the data is stored. To do intelligence right, security professionals have to know what kind of information they have and what their capabilities are before they can figure out what to buy.

The first place to start is with the logs. There is a wealth of data available, since there are logs for networks, applications, and endpoints. IT teams may even discover logs they didn't know about, or logs that failed to generate because of a configuration issue. Figure out what kind of sensors are present and what kind of information is collected. Identify all the running processes and the kinds of data associated with each. Be familiar with what the firewall is blocking and letting through. Bring in information from incident response systems, vulnerability and risk management tools, and network defense solutions.

"Have you actually mined your own data and figured out what you have?" Cunningham asks.

Before committing human resources and limited budget dollars to ingesting outside threat data, look at how the internal data sources are aggregated and continuously analyzed. Centralize the information -- whether in a threat intelligence platform or a SIEM -- and make sure someone is studying it.
Add in third-party information, such as domain name data from OpenDNS and DomainTools, and malware hashes from VirusTotal and VMRay. By centralizing, the analyst can normalize, categorize, and analyze the information.

Because every organization is different -- even if they are in the same industry sector or are direct competitors -- intelligence derived from internal sources can be extremely valuable because it reflects the organization's reality. Analysts can take into account the enterprise's own requirements and risk appetite when analyzing internal data sources.

"That intelligence can't be bought; it has to be created by your own team," Vincent says.

Consider what happens with a professional sports team. Once the coaches know who the team is playing, they analyze how the team performed against that opponent in the past. The coaches analyze their own performance in the game footage and create playbooks. Only after all that is done do they watch footage of other teams playing the opponent to gain additional insights they can use to tweak the playbook. In the same manner, security teams can determine which security improvements to make by examining their own logs.

If the security team knows the enterprise has been attacked several times over the past few months, then it has to find and address the deficiencies, either by deploying new controls or adding defenses. By understanding what is actually happening, the team can prioritize what must be done to remedy the threats: what to fix, which indicators need a follow-up, and which attacks to watch for. From a security perspective, the enterprise can either mitigate the risk or make the decision to accept it (and not do anything at all).

Intelligence isn't derived from the traditional defenses alone, such as the firewall, the Web application firewall, or endpoint security software.
Threat intelligence has to cross all areas, including vulnerability management, SIEM, and incident response. Look at all the event logs from applications, network devices, and endpoints. Find ways to hook into cloud services and mobile devices. Scan the enterprise's IP address blocks through specialized search engines such as Shodan to see what systems may be exposed on the Internet. Even spreadsheets -- such as a list of all deployed endpoints with their MAC addresses, IP addresses, and the username of each system's owner -- should be included. More input leads to better decision making.

"The very best data about your environment is yours," Vincent says.

4. Know what comes next

Don't buy threat intelligence sight unseen. That's easier said than done, since many providers offer only Web demos and pregenerated reports during the sales cycle. Try before you buy, regardless of whether you are buying the feeds alone or the software platform. Look for the providers who will offer a trial run of at least 60 days, so the security team can access all the intelligence feeds, analytics tools, and reports. Several experts agreed that 60 days was necessary to gauge whether the indicators in the feeds were relevant, tactical, and useful.

"Not all threat intelligence is created equal," says Holland.

For the feed, consider the effort required to connect the intelligence feed to the centralized platform. See how the feeds can be consumed by internal systems and how the intelligence can be integrated with internal data sources.

The intelligence has to be useful and timely. One of the biggest problems with threat intelligence is that if the indicators are stale or irrelevant, the intelligence derived from them is useless. The intelligence should complement what the organization already has in its own data sets and provide extra insights.

Remember that sports team analogy?
The benefit of external threat intelligence lies in the additional insights it can provide. Don't waste the money buying a product or a service that repeats what is already known. "If the feed overlaps with what you already see from your firewall, then it has no value [to you]," Cunningham says.

For the threat intelligence platform, evaluate the analytics and the tools. Visualization tools are available to present threat intelligence in charts and graphs, much like business intelligence.

Find out whether intelligence can be translated into an actionable plan that can be pushed out to, or used to create, defense tooling. This could be a firewall configuration file, Snort rules, IPS/IDS signatures, or automatic data inputs for the SIEM. The instructions can be entered manually by the analysts and security operations teams or sent automatically to the corresponding security systems.

The value of the threat intelligence platform comes from the analysis and how the resulting insights are fed into automated and manual workflows designed to protect the organization. Enterprises need to work with providers that offer intelligence analysis and operations support to complement existing corporate security teams, or that give organizations lacking in-house analysts the support to make sense of what they have.

"Threat intelligence is a process, not an end result," Vincent says. A successful intelligence program continually tunes, assesses, and modifies itself according to the changing threat landscape, shifting priorities, and adjustments to the risk profile. The IT and security teams revisit all the data sources -- external and internal -- on a regular basis to ensure they remain relevant.
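One way to make the trial-period evaluation and the periodic relevance review concrete (an added example written for this edit, not from the article or from any provider named in it): classify each indicator a trial feed delivered as redundant with your own blocklist, stale by the provider's own last-seen date, a fresh hit against what your firewall and proxy logs actually recorded, or fresh but never observed. The feed records and their field names, the internal blocklist and sightings, the 30-day staleness cutoff and the trial end date are all constructed assumptions. The cross-feed overlap check addresses the duplicate-feed problem raised under "Know what to buy".

```python
"""Score a trial threat-intelligence feed against what you already see.

Added example, not code from the article or from any provider named in it.
Feed records, blocklist entries, sightings and dates are all constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed trial feed: what the provider delivered during the evaluation.
# The record shape (indicator/type/last_seen) is an assumption, not a vendor format.
TRIAL_FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "last_seen": "2016-03-28T00:00:00Z"},
    {"indicator": "198.51.100.7", "type": "ip", "last_seen": "2015-11-02T00:00:00Z"},
    {"indicator": "192.0.2.77", "type": "ip", "last_seen": "2015-12-15T00:00:00Z"},
    {"indicator": "192.0.2.10", "type": "ip", "last_seen": "2016-03-30T00:00:00Z"},
    {"indicator": "evil-c2.example", "type": "domain", "last_seen": "2016-03-25T00:00:00Z"},
    {"indicator": "192.0.2.200", "type": "ip", "last_seen": "2016-03-29T00:00:00Z"},
]

# Constructed second feed, used only for the cross-feed overlap check.
OTHER_FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "last_seen": "2016-03-27T00:00:00Z"},
    {"indicator": "192.0.2.10", "type": "ip", "last_seen": "2016-03-29T00:00:00Z"},
    {"indicator": "198.51.100.99", "type": "ip", "last_seen": "2016-03-20T00:00:00Z"},
]

# What the organization already knew and saw, extracted from its own firewall
# blocklist and from proxy/firewall logs over the trial period (constructed).
OWN_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}
OWN_SIGHTINGS = {"192.0.2.10", "evil-c2.example", "198.51.100.20"}
TRIAL_END = datetime(2016, 4, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the feed's ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def score_feed(feed, own_blocklist, own_sightings, now, max_age_days=30):
    """Bucket every indicator the feed delivered.

    redundant -- already on our own blocklist; the feed told us nothing new
    stale     -- provider last saw it more than max_age_days before `now`
    hit       -- fresh, new to us, and present in our own logs: real value
    unseen    -- fresh and new, but never observed here during the trial
    Returns the bucket counts plus the list of hit indicators to follow up.
    """
    cutoff = now - timedelta(days=max_age_days)
    counts = {"redundant": 0, "stale": 0, "hit": 0, "unseen": 0}
    hits = []
    for rec in feed:
        value = rec["indicator"]
        if value in own_blocklist:
            counts["redundant"] += 1
        elif parse_ts(rec["last_seen"]) < cutoff:
            counts["stale"] += 1
        elif value in own_sightings:
            counts["hit"] += 1
            hits.append(value)
        else:
            counts["unseen"] += 1
    total = len(feed)
    counts["total"] = total
    # Share of the feed that was fresh, new, and actually matched our traffic.
    counts["new_actionable_ratio"] = counts["hit"] / total if total else 0.0
    return counts, hits


def cross_feed_overlap(feed_a, feed_b) -> float:
    """Fraction of feed_a's indicators that feed_b also delivers, to spot
    paying twice for the same intelligence."""
    a = {rec["indicator"] for rec in feed_a}
    b = {rec["indicator"] for rec in feed_b}
    return len(a & b) / len(a) if a else 0.0


if __name__ == "__main__":
    counts, hits = score_feed(TRIAL_FEED, OWN_BLOCKLIST, OWN_SIGHTINGS, TRIAL_END)
    print(counts)
    print("Follow up on:", hits)
    print(f"Overlap with other feed: {cross_feed_overlap(TRIAL_FEED, OTHER_FEED):.0%}")
```

On the constructed data a third of the feed is redundant with the firewall's own blocklist, one indicator is months stale, and two fresh indicators matched real internal traffic; those two are the feed's actual value, and the same scoring run again after each review cycle shows whether a source is still earning its subscription.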
Too many threat intelligence programs fail because no one is looking at how to mine the information and act on what's found.

If the organization has evidence of attacks against an application, and the insights provided by the threat intelligence platform indicate the attacks are performed by a group that tends to steal credit card numbers, it falls upon the security operations team to protect the application or the credit card numbers. All the intelligence gathering and analytics do no good if nothing happens as a result. Security teams that understand that intelligence is both a strategic and a tactical operation will get more value from threat intelligence than those that don't.

"Threat intelligence is the brain. The devices and the rest of the network are the arms, legs, and eyes," Vincent says.