The threat landscape has been dynamic and ever changing, and the growth and rapid advancement in cyber-attacks against enterprises and individuals have rendered traditional cyber-security measures virtually obsolete.
To combat the new age of threats, more security enterprises are turning to threat intelligence, a vector or a knowledge item that is based on evidence, context, mechanism, indicator, implication or actionable advice on a threat to assets that is about to emerge. This vector or knowledge will help enterprises to respond and remediate threats before vulnerabilities are exploited and before the occurrence of a security incident.
What exactly are the companies in the “threat intelligence” business doing? Just to take the example of a couple of threat intelligence companies the generic service description will read like this...“Our automated tools and proprietary AI algorithms minutely examine the web for “threat indicators” (read suspicious activity). They find some xx million such cases every day. We then filter this data, tag it, and give it to human analysts to find out those couple of hundred nuggets of information that might be useful to our client for preventing cyber-attacks”.
These companies also claim to provide 24x7 information portals and provide continuous access to data such as phishing attacks, URL’s or domain names, IP addresses, hosts, targets, cyber-attack indicators and threat actors. The key values proposition here is (read it carefully) “your busy IT team does not have the time and capabilities to analyze emerging threats”.
Who is there to decide that the so-called “emerging threat” is also a threat for our organization? Who ensures that this is not looked at by the firewall that our organization already has in place? What is the incremental threat perception improvement that these services provide? How different does it sound from an organized, well-funded attempt at making people pay for junk information that insinuates fear?
It is essentially impossible to find out what is information and what is intelligence. The information dump that is being sold as intelligence in the name of “threat intelligence” is not even worth a penny, if we look at it practically. All the latest “intelligence” about the new forms of attacks or evolving threats makes sense only if it can be fed into the existing defense mechanisms in real time, and that too auto-improves to combat the threat in real time. Sadly, that is still some time away.
The best of the best that is available right now or that is claimed to be available comes from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). It has been named This offers 3X higher predictive abilities and 5X fewer false positives than the best threat intelligence analytics available today. Even this breakthrough threat intelligence platform takes several hours to refine the continuously generated threat models. Research and common sense tell us that a couple of hours are what it takes for cyber-criminals to intrude, steal and get away.
The moral of the story is, threat intelligence might become a usable reality one day with tangible advantages and real business benefits, but as of now, it can only be classified as a "fad" that is being used by the security technology firms to milk clients by playing on fear, without really offering much in return.