What we do
Cyber security threat intelligence, or threat intel, is information that organisations use to determine whether they are about to be, are being, or have been the target of a cyber threat. This information feeds the organisation’s preventative and preparatory activities when responding to known or suspected threats. Such threats take many forms and have a range of impacts, including brand damage, financial loss, service disruption and regulatory consequences. To counter and protect against these threats, here at Softcat we see great value in having good-quality, comprehensive threat intel.
Integrating an accurate, reliable cyber threat intelligence source is the bedrock of an efficient Security Operations Centre (SOC). Without such sources, your detection capabilities rely on less reliable methods such as:
Incorporating threat intelligence sources into a SOC can reduce threat hunting time, proactively uncover security incidents and shorten investigations. The advantages of good threat intelligence are not limited to your SOC team; it can also support other cyber functions such as compliance and governance, threat modelling and risk management.
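To make the SOC integration concrete, here is an added example (not Softcat’s code, and not taken from any product) that applies an indicator feed to log lines. The feed format, the field names (`last_seen`, `confidence`, `source`), the 90-day age limit and the confidence floor of 50 are all assumptions made for the example; the addresses and domains come from documentation ranges and reserved names, and the log lines are constructed. The point it demonstrates is that a feed should be filtered for staleness and confidence before it is allowed to raise alerts, and that hits from open-source indicators are worth routing to an analyst for corroboration rather than alerting directly.

```python
"""Apply a threat-intelligence feed to SOC log lines, discarding indicators
that have gone stale or fall below a confidence floor before matching.

Feed entries, log lines and thresholds are constructed for this example.
"""
import re
from datetime import date, timedelta

# Constructed indicator feed. Addresses are from documentation ranges and the
# domains are reserved names; none of these are real indicators of compromise.
FEED = [
    {"value": "203.0.113.7", "type": "ipv4", "source": "closed",
     "confidence": 90, "last_seen": date(2024, 5, 1)},
    {"value": "malicious.example", "type": "domain", "source": "open",
     "confidence": 70, "last_seen": date(2024, 4, 20)},
    {"value": "198.51.100.23", "type": "ipv4", "source": "open",
     "confidence": 40, "last_seen": date(2024, 4, 28)},   # below confidence floor
    {"value": "stale.example", "type": "domain", "source": "open",
     "confidence": 80, "last_seen": date(2023, 1, 15)},   # too old
]

# Constructed proxy and DNS log lines.
LOGS = [
    "2024-05-03T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.example method=GET",
    "2024-05-03T10:02:10Z dns client=10.0.0.9 query=malicious.example type=A",
    "2024-05-03T10:03:44Z dns client=10.0.0.9 query=stale.example type=A",
    "2024-05-03T10:04:00Z proxy src=10.0.0.7 dst=198.51.100.23 host=www.example method=GET",
]

# Date the example is evaluated "as of" (hypothetical).
AS_OF = date(2024, 5, 3)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def usable_indicators(feed, today, max_age_days=90, min_confidence=50):
    """Return the feed entries still worth matching on.

    An indicator last seen more than max_age_days ago, or scored below
    min_confidence, is dropped rather than allowed to generate alerts.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [
        ind for ind in feed
        if ind["last_seen"] >= cutoff and ind["confidence"] >= min_confidence
    ]


def extract_observables(line):
    """Pull IPv4 addresses and domain names out of one log line."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
    }


def match_logs(indicators, logs):
    """Return one hit per (log line, indicator) pair that matches.

    Hits from closed-source feeds go straight to 'alert'; open-source hits
    are routed to 'review' so an analyst corroborates them first.
    """
    hits = []
    for line_no, line in enumerate(logs):
        seen = extract_observables(line)
        for ind in indicators:
            if ind["value"].lower() in seen.get(ind["type"], set()):
                hits.append({
                    "line": line_no,
                    "indicator": ind["value"],
                    "source": ind["source"],
                    "action": "alert" if ind["source"] == "closed" else "review",
                })
    return hits


def run(today=AS_OF):
    """Filter the feed as of `today`, then match it against the sample logs."""
    return match_logs(usable_indicators(FEED, today), LOGS)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Run as-is, the script reports two hits: the closed-source address on the first proxy line raises an alert, and the open-source domain on the DNS line is queued for review. The DNS query for the stale domain and the proxy request to the low-confidence address produce nothing, because those indicators never reach the matcher. Tuning `max_age_days` and `min_confidence` per feed is where the difference in review rigour between sources discussed below is actually enforced.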
Just like software, threat intelligence falls into two main models, each with its own set of merits and limitations:
Closed source – these are typically commercial solutions that incur a cost to use. Intelligence generated by these services can remain closed source, though some trickles into the open-source domain over time. Closed source typically provides higher-quality tooling and training, because there is funding to cover them, and a higher volume of intelligence output than its open-source counterpart. Quality review is undertaken more rigorously and on an active basis and, in some instances, is independent of the originating source, to ensure the accuracy and trustworthiness of the intelligence.
A more contentious point is to crudely apply the old saying ‘there’s no such thing as a free lunch’ and assume that closed-source threat intelligence must be better than its ‘poorer’ open-source counterpart simply because it is paid for. In reality, a great deal of good security intelligence comes from hard-working security people running open-source threat intelligence communities; you just need to be conscious that open-source information has a greater potential for ‘drift in validity’ than closed-source information.
A ‘drift in validity’ can materialise in a number of ways:
These two threat intelligence types (open and closed) should augment and improve the internal threat intelligence you generate first-hand from your own incidents and cyber activities (red teaming, etc.). So, which to choose?
The two types have their merits:
If you’re interested in finding out more about threat intelligence, speak to your account manager, or click below.
We would love to hear any comments you have about this article!