In the last decade, threat intelligence catapulted to the forefront of security operations as companies like Mandiant and iSight Partners started to introduce forward-thinking leaders to the actors behind the breaches. In 2010, Mandiant released their first report on APT-1 and it kicked off a new category and a decade of growth and fragmentation in threat intelligence.
By 2015, investment in threat intelligence had reached a frenzy with new commercial ‘feeds’ popping up every week, along with the first generation of Threat Intel Platforms that tried to aggregate and corral the noise.
Perhaps the best example of the bloated threat intelligence market is Norse Corp., a startup that generated industry hype and $25M in funding with provocative attribution reports and its flashy “near real-time” threat attack map. Norse imploded in 2016 when company whistleblowers and security researchers revealed much of its threat intelligence sensor data was illegitimate.
Norse’s now-infamous interactive threat map, which company whistleblowers and researchers revealed to be dubious.
Today, new intel providers seem to emerge every week and yet the security industry is still grappling with the purpose of commercial threat intelligence.
In 2020, researchers from universities in the Netherlands and Germany compared threat indicators from four open source threat intelligence feeds and two commercial feeds.
Even when tracking the same advanced persistent threat (APT) groups, threat intelligence vendors did not seem to collect the same data. Focusing on 22 threat groups that both vendors claimed to be tracking, the researchers found, at most, a 4% overlap in threat indicators. “This raises questions about the coverage that these vendors are providing,” says Xander Bouwman, a PhD candidate at Delft University of Technology. “This is what we refer to as a market with asymmetric information,” he said. “The sellers know what they are selling, but the buyers don’t know what they are buying.”
In order to close this market gap and realize the value of intelligence for enterprise security in the coming decade, we have to unite around a definition and a purpose.
- Definition #1: a government department or other group that gathers information about other countries or enemies, or the information that is gathered.
- Definition #2: the ability to learn, understand, and make judgments or have opinions that are based on reason.
We must face the reality that the modern-day enterprise is not the NSA: the primary goal of an intelligence function in enterprise security is not to produce tailored target lists or to inform policy-making, as Definition #1 implies.
Intelligence for enterprise security is closer to Definition #2: the ability to surface reasons and make judgments from data. The Cloud Security Alliance Working Group on Secure Intelligent Ecosystems addresses this shift head-on:
We must revise what we mean by “intelligence” in the context of cyber security. Intelligence can’t be seen simply as external intelligence data about adversary tactics, techniques and procedures. Rather it must be seen as the capacity of organizations to normalize, transform and automatically extract actionable insight and context from internal security tools and external sources to expedite detection and response.
This is the data-centric view of intelligence that is required when you accept that the primary mission of intelligence in enterprise security is to accelerate automation in security operations.
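As an added example (not code from the article, the CSA working group, or the Delft study cited above), the Python script below does in miniature the two things this section talks about: it normalizes indicators pulled from internal tooling and external feeds into one canonical form, then measures how much the sources actually overlap, in both directions, so the asymmetry the researchers describe is visible. The feed names, IP addresses and domains are constructed placeholders, not real indicators.

```python
"""Normalize threat indicators from several sources and measure their overlap.

Added example; feeds below are constructed sample data, not real indicators.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample feeds in the loosely formatted export style practitioners
# receive from vendors and OSINT lists: defanged values, mixed case, trailing
# dots, comment lines. The source names are hypothetical.
FEEDS = {
    "vendor_a": """
        # vendor A export (constructed sample)
        evil-domain[.]example
        198.51.100.23
        MAL.EXAMPLE.
        hxxp://198.51.100.23/payload.bin
    """,
    "vendor_b": """
        EVIL-DOMAIN.EXAMPLE
        203.0.113.7
        hxxps://c2.example/gate.php
    """,
    "internal_edr": """
        # indicators observed by our own tooling (constructed sample)
        198.51.100.23
        c2.example
        203.0.113.7
    """,
}

# Common defanging conventions to undo before comparing values.
_REFANG = [
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\(\.\)"), "."),
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
]
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def normalize_indicator(raw: str):
    """Canonicalize one raw line into a (type, value) pair, or None if it is
    a comment, blank line, or not a recognisable IP / domain / URL."""
    value = raw.strip()
    if not value or value.startswith("#"):
        return None
    for pattern, replacement in _REFANG:
        value = pattern.sub(replacement, value)
    # Lower-casing the whole value (URL path included) is a deliberate
    # simplification for matching purposes; hosts are case-insensitive anyway.
    value = value.lower().rstrip(".")
    if value.startswith(("http://", "https://")):
        return ("url", value)
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if _DOMAIN.match(value):
        return ("domain", value)
    return None


def parse_feed(text: str) -> set:
    """Turn raw feed text into a set of canonical (type, value) indicators."""
    indicators = set()
    for line in text.splitlines():
        normalized = normalize_indicator(line)
        if normalized is not None:
            indicators.add(normalized)
    return indicators


def overlap(a: set, b: set) -> dict:
    """Symmetric (Jaccard) and directional coverage between two indicator sets."""
    shared = a & b
    union = a | b
    return {
        "shared": len(shared),
        "jaccard": len(shared) / len(union) if union else 0.0,
        "a_covered_by_b": len(shared) / len(a) if a else 0.0,
        "b_covered_by_a": len(shared) / len(b) if b else 0.0,
    }


def overlap_report(feeds: dict) -> dict:
    """Pairwise overlap metrics for every pair of named sources."""
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    return {
        (x, y): overlap(parsed[x], parsed[y])
        for x, y in combinations(sorted(parsed), 2)
    }


if __name__ == "__main__":
    for pair, metrics in overlap_report(FEEDS).items():
        print(pair, metrics)
```

Two design points matter when running this against real feeds. First, the directional numbers (`a_covered_by_b` versus `b_covered_by_a`) are what expose asymmetric coverage; a single Jaccard score hides which side is missing what. Second, exact matching after normalization is a lower bound: in the sample, the internal tooling's `c2.example` domain and vendor B's URL on that host are related but counted as different indicators, so a production version would also extract hosts from URLs before comparing.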
To learn more about how a data-centric view can streamline your approach to cybersecurity, read our complimentary white paper here. You can also view our on-demand webinar, Data-Centric Security Automation: The Future of Cybersecurity here.