I recently hit my fifth anniversary here at Digital Shadows (now ReliaQuest). I’ve been reflecting on how the threat intelligence market has evolved since joining. One theme in my analysis is noise. It was a problem for defenders then, and surprise, it’s still a challenge. Data is growing at an incredible pace; according to Business Intelligence platform DOMO, “over 2.5 quintillion bytes of data are created every single day”, with an estimated 1.7MB of data being created every second for every person on earth. With the amount of data created expanding exponentially in growth and the security telemetry of organizations growing as well, our noise problem isn’t going to get any better. There is a reason SIEM solutions are migrating to the cloud, on-premises solutions (and your wallet) can’t keep up with the volume and velocity of data.
I looked back at my first Digital Shadow blog titled “Why I Joined Digital Shadows (now ReliaQuest),” and I also looked at one of my final Forrester Research blogs on the space, “Starting soon: Threat Intelligence Platforms research” for context. I was looking at the threat intelligence market across four different areas at that time, and I thought it would be an excellent way to frame my reflections today:
- Providers. There are still a TON of threat intelligence providers in the market, and if you aren’t judicious with your vendors, you can drown in alert noise. I wrote about “indicators of exhaustion,” and despite the Jedi teachings in The Pyramid of Pain and the tactics and techniques in MITRE ATT&CK, we as security practitioners still have an IOC noise problem. One difference is that noise has grown beyond IOCs; vulnerability intelligence, credential dumps, and third-party risk monitoring have generated their noise. What you thought would be easy to consume ends up dynamically creating more work and disrupting your team at scale. On a very positive note,, we are now much better at understanding that we need to focus on internally produced threat intelligence that complements the right external threat intelligence. We can’t go and buy “all the threat intel things.”
- Platforms. The Threat Intelligence Platform (TIP) space has been disrupted over the past five years. Despite the initial TIP focus of being an IOC “clearinghouse,” noise remains a problem. Threat intelligence providers have been building TIP capabilities within their platforms, and SIEM vendors have been developing more TIP functionality. We also have the Security Orchestration, Automation, and Response (SOAR) players capturing the TIP budget, forcing the TIPs to add SOAR functionality themselves. If you do need a TIP, my buddy Andreas Sfakianakis has done some outstanding research in this space if you are building or buying a TIP: “Excelling at Threat Intelligence Platform (TIP) requirements.”
- Enrichment. Context was king, and it remains so. Analysts want to look at an alert, artifact, whatever, and get the additional context that aids their analysis. Enrichment can be a double-edged sword though, vendors inside and outside the threat intelligence space can overwhelm teams with too much or unprioritized enrichment. When I was a Forrester, I used to tell my vendor clients that you need an easy button for your data. You can have valuable enrichment data, but if it isn’t presented in a helpful way with an intuitive user interface, it is just noise.
One other observation for enrichment is that we often focus on external enrichment, but we need to focus on internal enrichment. In a world full of noise, having internal context to filter and prioritize enrichment is essential. Identity information around high-value targets, applications, and infrastructure associated with business-critical systems provides useful enrichment.
- Integrations. Captain Obvious here: actionable intelligence isn’t actionable if you can’t integrate it into your security operations. . The emergence of SOAR and strategic acquisitions from Splunk and Palo Alto Networks illustrate how important the “last mile” has become in the past five years. One of my SOAR observations is that many organizations can’t afford a purpose-built SOAR platform and instead look to their existing security stack to build native SOAR capabilities. Vendors need to have out-of-the-box integrations with operational playbooks and well-documented playbooks. We need solutions that fit into our security ecosystems.
The market has matured in many great ways, and the appeal of Digital Shadows (now ReliaQuest) remains with me. What I wrote five years ago still rings true:
“Organizations struggle to measure the value of their threat intelligence sources, and one of the primary drivers for this is that the majority of today’s threat intelligence lacks relevance to a specific organization and their threat model. Digital Shadows (now ReliaQuest) stands out in this regard. Our clients receive relevant intelligence specifically tailored to their vertical, geography, supply chain, and their organization.” I appreciate this statement even more since I wasn’t running operational security back then. As a security organization,
we eat our own dog foodwe eat our own BBQ, which is to say, we are a Digital Shadows (now ReliaQuest) customer, and we use SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) and ShadowSearch every day. We have an agile team, but we face resource constraints like all of you. We don’t have time for noise.
If you’re interested in reducing data feed and security alert noise, my colleague Michael Marriott wrote a blog, “Threat Intelligence Can Be Noisy: SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) Helps” which digs deeper into how Digital Shadows (now ReliaQuest) technology and global team of analysts operate. You can also get a demo request of our industry-leading technology here.