The threat intelligence problem
There are many more problems with threat intelligence than this article covers. I also highly recommend watching Alex Pinto and Kyle Maxwell's talk from DEF CON 22, Measuring the IQ of your Threat Intelligence feeds (paper here). It examines threat intelligence feeds from several different vendors and shows that they have very few indicators in common with one another. So, to get full coverage from threat intelligence, one must subscribe to several feeds, at a very high cost.
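The overlap problem is easy to measure yourself once you have a few feeds exported as indicator lists. The script below is an added example, not code from this post or from Pinto and Maxwell's talk: it takes a handful of constructed sample feeds (placeholder addresses from documentation ranges, not real indicators) and computes the pairwise Jaccard similarity between feeds, the fraction of each feed that no other feed carries, and how many new indicators each additional subscription actually buys you.

```python
"""Measure how much a set of threat-intelligence feeds overlap.

Added example, not code from the original post or from Pinto and Maxwell's
work. The feeds below are constructed sample data, not real indicators.
"""
from itertools import combinations

# Constructed sample feeds: feed name -> set of indicators it published.
# Addresses are from RFC 5737 documentation ranges, i.e. placeholders.
FEEDS = {
    "feed_a": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "198.51.100.7"},
    "feed_b": {"192.0.2.2", "198.51.100.7", "198.51.100.8", "198.51.100.9", "203.0.113.5"},
    "feed_c": {"203.0.113.5", "203.0.113.6", "203.0.113.7", "192.0.2.4"},
}


def jaccard(a, b):
    """Jaccard similarity |A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds):
    """Return {(feed1, feed2): jaccard} for every unordered pair of feeds."""
    return {(x, y): jaccard(feeds[x], feeds[y]) for x, y in combinations(sorted(feeds), 2)}


def uniqueness(feeds):
    """Fraction of each feed's indicators that appear in no other feed."""
    result = {}
    for name, indicators in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        result[name] = len(indicators - others) / len(indicators) if indicators else 0.0
    return result


def marginal_coverage(feeds, order):
    """Indicators gained by subscribing to feeds one at a time, in `order`.

    Returns a list of (feed, new_indicators, cumulative_total) so you can see
    how quickly each extra subscription stops paying for itself.
    """
    seen = set()
    steps = []
    for name in order:
        new = feeds[name] - seen
        seen |= feeds[name]
        steps.append((name, len(new), len(seen)))
    return steps


if __name__ == "__main__":
    for pair, score in pairwise_overlap(FEEDS).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {score:.3f}")
    for name, frac in uniqueness(FEEDS).items():
        print(f"unique to {name}: {frac:.0%}")
    for name, new, total in marginal_coverage(FEEDS, ["feed_a", "feed_b", "feed_c"]):
        print(f"adding {name}: +{new} indicators, {total} total")
```

Run against real exports, the same three numbers tell you whether a second or third feed is adding coverage or mostly re-selling what you already have; in the sample data every pair shares a quarter or less of its union, which is the pattern the talk describes.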
Quoted from FierceITSecurity:
Here are five problems with threat intelligence products (and this also serves as a great warning sign checklist for any other new technology products that are being sold to you at RSA as the ‘next big thing’):
1. It offers malware analysis, even though the massively expensive undertaking helps nobody but the threat intelligence company, as it resells that information to other customers;
2. You can replace “indications of compromise” in any supplied literature with “AV signatures” without any change in how the product really works;
3. It is sold on a per-host basis–just like AV!;
4. Your company gets the same anomaly model as every other company; and
5. After installing a “lightweight” agent, the CISO gets no additional real situational awareness other than where an incident occurred. Ask yourself if you can quickly and easily tell your board that you know every executable that has been run across your enterprise today. If not, you’re not buying the situational awareness you need in the modern world. And if you are, you don’t need indicators of compromise to make your enterprise more secure–you just need to look at the data!
You can read more in the original article at FierceITSecurity.
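Point 5 above sets a concrete bar: knowing every executable run across the enterprise today. That is an aggregation over process-creation telemetry, not an indicator match. The script below is an added example, not code from this post or from FierceITSecurity: it parses constructed sample records in an assumed, simplified Sysmon-like JSON shape (fields `ts`, `host`, `image`, `sha256`; real Sysmon Event ID 1 records use different field names and carry more of them), builds the per-day inventory of executables and the hosts that ran them, and then pulls out the two things a defender would look at first, executables seen on only one host and hashes running under more than one file name.

```python
"""Inventory every executable run across a fleet from process-creation logs.

Added example, not code from the original post or from FierceITSecurity.
Records are constructed samples in an assumed simplified JSON shape; the
sha256 values are short placeholders, not real hashes.
"""
import json
from collections import defaultdict

# Constructed sample telemetry: one JSON record per line. The last line is
# deliberately malformed to exercise the parser.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-15T08:02:11Z", "host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "11aa"}
{"ts": "2024-01-15T08:03:40Z", "host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "11aa"}
{"ts": "2024-01-15T08:05:02Z", "host": "ws03", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "11aa"}
{"ts": "2024-01-15T09:17:55Z", "host": "ws01", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "sha256": "ff09"}
{"ts": "2024-01-15T09:21:13Z", "host": "ws02", "image": "C:\\Users\\bob\\Downloads\\svchost.exe", "sha256": "ff09"}
{"ts": "2024-01-14T16:40:00Z", "host": "ws03", "image": "C:\\Program Files\\Tool\\tool.exe", "sha256": "33cc"}
this line is deliberately not JSON
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # In production, count and alert on these rather than dropping silently.
            continue
    return events


def executable_inventory(events, day):
    """Map (image path, sha256) -> set of hosts that ran it on `day` (YYYY-MM-DD)."""
    inventory = defaultdict(set)
    for ev in events:
        if ev.get("ts", "").startswith(day):
            inventory[(ev["image"], ev["sha256"])].add(ev["host"])
    return dict(inventory)


def rare_executables(inventory, max_hosts=1):
    """Executables seen on at most `max_hosts` hosts, sorted by image path."""
    return sorted(
        (image, digest, sorted(hosts))
        for (image, digest), hosts in inventory.items()
        if len(hosts) <= max_hosts
    )


def hash_aliases(inventory):
    """Hashes that ran under more than one image name or path, for example a
    binary renamed to look like a system process."""
    names = defaultdict(set)
    for image, digest in inventory:
        names[digest].add(image)
    return {digest: images for digest, images in names.items() if len(images) > 1}


if __name__ == "__main__":
    inv = executable_inventory(parse_events(SAMPLE_EVENTS), "2024-01-15")
    print(f"{len(inv)} distinct executables ran today")
    for image, digest, hosts in rare_executables(inv):
        print(f"rare: {image} ({digest}) on {hosts}")
    for digest, images in hash_aliases(inv).items():
        print(f"hash {digest} seen as: {sorted(images)}")
```

On real data the host counts are what make this usable: a binary that ran on three thousand hosts is almost certainly a fleet-wide package, one that ran on a single host from a user's temp directory is worth a look, and the same hash appearing under two names is a question the data answers before any indicator feed does.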