Anton Chuvakin (one of the leading Gartner experts in the Threat Detection space) had a recent blog post on some of the key questions one must ask while identifying the first threat Intel data source.
Here is the list
- What is the my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
- Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
- How do I pick the best one(s) for me?
- Where do I put it, into what tool?
- How do I actually make sure it will be useful in that tool?
- What has to happen with the intelligence data in that tool, what correlation and analysis?
- What specifically do I match TI against, which logs, traffic, alerts?
- What you have to do with the results of such matching? Who will see them? How fast?
- How to I assure that the results of matching are legitimate and useful?
- What do I do with false or non-actionable matches?
- How do I use intel to validate alerts producted by other tools?
- Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?
The post is worth a read, as he has linked his earlier posts on this topic in this blog post. Do note that the white papers he has has linked requires GTP access.
Discover more from Hari Notes
Subscribe to get the latest posts sent to your email.
