Lightweight portable threat intelligence for the enterprise

Does your enterprise threat intelligence feed get you down? Does the wide-ranging list of IPs, URLs, and other IOCs make you feel bloated? Do you have acronym fatigue? Then you should get lightweight portable threat intelligence for the enterprise. It is all the security with half the weight. Get all the information you will ever need with fewer calories. With nine easy steps you too can have the new, trimmer, better-looking threat intelligence you deserve.

<insert 80s back beat sound track or Blue Man Group musical number here>


Step 1) Parse and pare the information down. Do block the bad IPs and URLs, as you never know when they are going to be declared a carcinogen. Try a low-calorie version of IOCs, and do not worry about the MS-DOS IOC they list every week if you have not run MS-DOS since we started the new millennium. Are you sure you are not running MS-DOS?

Step 2) Get up and get moving. Threat intelligence without action is like eating bonbons on the couch. You cannot trim down the enterprise risk profile like that. Get up and get moving. Active defense is not hacking back; it is the new in-style way of moving your enterprise assets. Agile development practices are a great pattern for information security.

Step 3) Get out of the house and into the sunshine. This is more than dispensing with cold-war mythological security practices and castle analogies of defense in depth. This is considering the open-source practical software and information-sharing practices of the most mature enterprises on the planet. The really bad bugs hide in the darkness of our own misadventure. Under the harsh glare of open sharing and light they burn up faster than Bram Stoker's Dracula. Put a stake in a vampire today and share your enterprise threat intelligence with Van Helsing.

Step 4) Run your incident response enterprise like a production asset. There is never enough time to do predictive security because you invest in it the way you buy tennis shoes. The intelligence enterprise should be refreshed and renewed often to keep things shiny. When you bought those Adidas sneakers they were in fashion, and they have been in and out of fashion again since. No matter how long you wait, getting breached is not going to come into style. Really. I promise. NEVER GOING TO BE IN STYLE.

Step 5) You do not have to hire a fortuneteller to see the future. Predictive analytics is not voodoo. Get a predictive analytics program up and running, at least as a trial, so you can keep your threat intelligence in context. Think of it this way: the funnel of probability is most exact the closer you get to the now. If it is telling you bad stuff, at least you might be able to write a letter to your successor. Predictive threat analytics does not drive you to the gymnasium; it is more like a GPS making sure you do not go to the ice cream shop accidentally. On purpose.

Step 6) You hired them for their skill and kept them for their results. You have a security team and they are rock stars. Maybe three people outside of their organization understand what they are saying, and you are sure a few of them are snacking between meals. Be that all true, they are your second line of defense. Your first line of defense is the boardroom making sure the policies are aligned with the realities of your enterprise. Give those folks in security a break and write the rules down. That way they can react responsibly and give your new lightweight threat intelligence a real workout.

Step 7) Stale threat intelligence is like stale donuts: all of the calories and none of the yum. Rather than invest in stale, high-calorie, fattening threat intelligence, try maturing your organizational context to the point where you generate your own. The products you buy and the feeds you utilize give secondary and tertiary context to what is happening at home. There is nothing like putting home-grown threat intelligence on the table to make everybody happy. In a time of constrained resources it is more important to hit the gymnasium and exercise your threat analysis program than it is to let somebody else do all the work for you.

Step 8) If you go for a jog around the block and see a bus, don't run out in front of it. Get out of the way. Knowledge of impending doom is not actionable unless you tell your legs to get out of the road. You would be better off sitting on the couch with a box of donuts than running in front of the bus. Wearing bright colors and telling everybody you are going for a run really just tells the burglars when you are going to be away. Actionable means responsible.

Step 9) Watch out for hidden calories, but keep the good calories. Not all calories are the same. You might actually want antivirus on your laptops, because they leave the safe enclave of your enterprise IDS/IPS and go home with the staff. Good calories make your threat intelligence more resilient to nasty bugs. Bad calories are just fatty. Bad calories look like IDS/IPS signatures for IOCs and such that are extraneous to your enterprise.
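The paring described in Steps 1, 7 and 9 (drop duplicates, drop indicators for platforms you do not run, drop indicators nobody has seen in months) is mechanical enough to script. The following is an added example, not code from the original post: the feed format, its column names, the `platform` tag and the sample indicators are all constructed for the illustration (addresses and domains are taken from documentation ranges), and the 90-day freshness window is an assumed default, not a recommendation from the post.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample feed for this example (not a real vendor feed). The column
# names are an assumption; addresses and domains come from documentation ranges.
SAMPLE_FEED = """\
type,value,platform,last_seen,source
ipv4,198.51.100.7,any,2024-05-30,vendor-feed
url,http://example.invalid/payload,windows,2024-05-29,vendor-feed
ipv4,203.0.113.9,msdos,2024-05-28,vendor-feed
ipv4,198.51.100.7,any,2024-05-30,vendor-feed
domain,stale.example.invalid,linux,2023-01-15,vendor-feed
"""


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    platform: str      # "any", or the OS family the indicator is only relevant to
    last_seen: date    # last time the source observed the indicator in use
    source: str


def parse_feed(text: str) -> list:
    """Parse a CSV feed (the constructed format above) into Indicator records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Indicator(
            ioc_type=row["type"].strip().lower(),
            value=row["value"].strip(),
            platform=row["platform"].strip().lower(),
            last_seen=date.fromisoformat(row["last_seen"].strip()),
            source=row["source"].strip(),
        )
        for row in reader
    ]


def pare_feed(indicators, platforms_in_use, today_iso: str, max_age_days: int = 90):
    """Keep indicators that apply to the platforms we run and are still fresh.

    Returns (kept, dropped); each dropped entry is paired with the reason it
    was set aside so the decision can be audited or reported back later.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    platforms = {p.lower() for p in platforms_in_use}
    kept, dropped, seen = [], [], set()
    for ioc in indicators:
        key = (ioc.ioc_type, ioc.value)
        if key in seen:                      # the same IOC listed twice (Step 1)
            dropped.append((ioc, "duplicate"))
            continue
        seen.add(key)
        if ioc.platform != "any" and ioc.platform not in platforms:
            # the weekly MS-DOS indicator for a shop with no MS-DOS (Steps 1 and 9)
            dropped.append((ioc, f"platform {ioc.platform} not in inventory"))
            continue
        if ioc.last_seen < cutoff:           # stale donuts (Step 7)
            dropped.append((ioc, "stale"))
            continue
        kept.append(ioc)
    return kept, dropped


def drop_reasons(dropped) -> dict:
    """Count dropped indicators by reason, for feedback to the feed owner."""
    counts = {}
    for _, reason in dropped:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    kept, dropped = pare_feed(feed, {"windows", "linux"}, today_iso="2024-06-01")
    for ioc in kept:
        print("KEEP", ioc.ioc_type, ioc.value)
    for ioc, reason in dropped:
        print("DROP", ioc.ioc_type, ioc.value, "-", reason)
    print(drop_reasons(dropped))
```

Keeping the drop reasons rather than silently discarding entries is the part worth copying: the counts tell you which feeds are mostly duplicates or mostly irrelevant to your inventory, which is the evidence you need when deciding whether a paid feed is worth renewing.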


Enterprise threat intelligence is a set of processes and procedures that allow you to get in front of information security issues. There are products you can purchase which, when meshed with internal programs such as data analytics and active defense, can make you significantly more secure. These cost resources, usually a lot of sweat equity. One of the key resources is a feedback mechanism between the different layers to empower, and yes, hold responsible the defensive actors in your network.

No one information security strategy is going to solve all of your enterprise issues. Seek consultation with a doctor before starting a new threat intelligence program, and start out slow before sprinting. Results will vary between industries, and the level of regulation, compliance overhead, and size of the enterprise will all affect results. Though security conferences are often infused with alcohol, threat intelligence is best done while sober. Unless the news is bad.

