Know how you are going to make the intelligence gleaned from threat feeds actionable before you ever agree to let them into your building.
Threat feeds provide intelligence on attacks discovered in the wild by anti-malware vendor research organizations. This real-time intelligence is delivered to enterprise subscribers primarily as an early warning system, enabling security teams to take corrective action on high-priority threats while awaiting signature updates to their vendor’s pattern files. This has to be a great idea - every minute counts when warding off a cybersecurity threat that is steaming towards your organization. If your vendor cannot prevent damage from these threats, at least they can toss you information so you can protect yourself!
Unfortunately, there is no such thing as a free lunch when it comes to security. Threat feeds can be fire hoses of intelligence that are useful mostly to organizations with high-powered security operations centers to consume and interpret attack information. Few of you have the experienced staff and incremental budget resources to make much use of threat feeds. In fact, most threat feed vendors stumble on the "so what?" question of how an enterprise can put the information to work and make the threat feed data actionable. If you want to have some fun, just ask your vendor’s salesperson what they expect you to do with this data.
Some of you are intrigued by threat feeds and will do anything to prevent damage from attacks. For you, threat feeds can nourish you with the intelligence you need to be autonomous if you are prepared and reasonably resourced. The main question you should be asking when adding threat feeds to your security strategy is, “how can my security team be better than my vendor’s team of threat research professionals?” You should consider these three prerequisites for adopting threat feeds:
Can you aggressively filter the feed to provide intelligence only on threats to your specific environment? The burden is on you to reduce the broad-based intelligence provided by the threat feeds to narrowly-focused intelligence that pertains to your business. It is your responsibility to know what is on your network – operating systems, application software, patch levels, open vulnerabilities, etc. – especially for systems that IT determines to be mission critical. You probably do not have a large research team so it is imperative that you be able to pare down the intelligence to a level that you can handle.
Do you have the in-house expertise to develop anti-malware signatures for intrusion prevention systems or virtual patches for host-based protection or tune firewalls on the fly? This means having the insight to adjust firewall rules without destabilizing access to applications, to create virtual patches to increase the probability that critical servers remain operational when the threats arrive, and to develop and deploy anti-malware signatures in your network IDS/IPS filters. Having threat feed intelligence delivered to you only helps your security efforts if you can act on the information while your vendor develops, QAs, and deploys a permanent solution.
Can you afford a strategy of interpreting and acting upon intelligence delivered by threat feeds? In essence, you are doing the job of your security vendor when you start analyzing threat feeds and developing your own antidotes (which you then own for support and removal when the vendor solution arrives). You shouldn’t have to pay your vendor a premium for that privilege. Heck, they should pay you! Add in the fully burdened costs of a threat research and action team to make the threat feeds worth having and you have a sizable investment. If nothing else, use this line of thought to get price concessions from your threat feed vendor.
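The first prerequisite above, paring the feed down to what actually runs on your network, is the one piece that can be automated cheaply. The following is an added example (not code from this post or from any feed vendor) that joins a handful of constructed feed entries against a constructed asset inventory and keeps only the entries whose affected product and version range match something you own, putting mission-critical hosts first. It assumes the feed has been normalized into product name plus an inclusive affected-version range; real feeds use varying schemas, so that normalization step is yours to write.

```python
"""Filter a broad threat feed down to entries that affect software present
in the local asset inventory. All feed entries and assets below are
constructed sample data, not real threats or real hosts."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FeedEntry:
    threat_id: str      # constructed identifier, not a real advisory id
    product: str        # product name as normalized from the feed
    min_version: str    # lowest affected version (inclusive)
    max_version: str    # highest affected version (inclusive)
    severity: str       # critical / high / medium / low


@dataclass
class Asset:
    hostname: str
    mission_critical: bool
    software: Dict[str, str]   # product -> installed version


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '2.4.41' into (2, 4, 41), zero-padding so '10.5' compares as
    10.5.0 rather than sorting before 10.5.0 as a shorter tuple would."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * max(0, width - len(parts)))


def is_affected(entry: FeedEntry, installed: str) -> bool:
    """True when the installed version falls inside the feed's affected range."""
    return (version_key(entry.min_version)
            <= version_key(installed)
            <= version_key(entry.max_version))


def filter_feed(feed: List[FeedEntry], inventory: List[Asset]) -> List[dict]:
    """Return one hit per (threat, host) pair that actually applies to us,
    ordered mission-critical first, then by severity, then by id/host."""
    hits = []
    for entry in feed:
        for asset in inventory:
            installed = asset.software.get(entry.product)
            if installed is None or not is_affected(entry, installed):
                continue   # product absent, or patched outside the range
            hits.append({
                "threat_id": entry.threat_id,
                "hostname": asset.hostname,
                "product": entry.product,
                "installed": installed,
                "severity": entry.severity,
                "mission_critical": asset.mission_critical,
            })
    hits.sort(key=lambda h: (not h["mission_critical"],
                             SEVERITY_RANK.get(h["severity"], 99),
                             h["threat_id"], h["hostname"]))
    return hits


# Constructed sample feed: two entries touch products we run, two do not.
FEED = [
    FeedEntry("TF-0001", "ExampleWebServer", "2.4.0", "2.4.49", "high"),
    FeedEntry("TF-0002", "ExampleDB", "10.0", "10.5", "critical"),
    FeedEntry("TF-0003", "OtherVendorVPN", "1.0", "9.9", "critical"),   # not deployed here
    FeedEntry("TF-0004", "ExampleWebServer", "3.0", "3.1", "medium"),   # version not deployed
]

# Constructed inventory: what IT says is on the network.
INVENTORY = [
    Asset("web-01", True, {"ExampleWebServer": "2.4.41"}),
    Asset("web-02", False, {"ExampleWebServer": "2.4.52"}),   # already past the range
    Asset("db-01", True, {"ExampleDB": "10.3.7"}),
    Asset("hr-app", False, {"ExampleDB": "10.1"}),
]


if __name__ == "__main__":
    relevant = filter_feed(FEED, INVENTORY)
    print(f"{len(FEED)} feed entries -> {len(relevant)} actionable (threat, host) pairs")
    for hit in relevant:
        flag = "MISSION-CRITICAL" if hit["mission_critical"] else "standard"
        print(f"{hit['threat_id']}  {hit['hostname']:<8} {hit['product']} "
              f"{hit['installed']}  {hit['severity']:<8} {flag}")
```

The output is the short list a small team can actually work: two feed entries drop out entirely because the product is not in the inventory or the affected version is not deployed, and a host that has already patched past the range is not flagged. The quality of this filter is only as good as the inventory, which is why the post insists that knowing what is on your network is your responsibility, not the vendor's.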
Access to threat intelligence compiled by research teams should be easy for your anti-malware vendor, since detecting new attacks is the foundation of their business. However, I am guessing that your enterprise security team is not in the anti-malware security business in quite the same way. When evaluating threat feeds, be sure you can act on the intelligence that the feeds deliver; otherwise you are wasting your time.