Blanket Deployment of Intelligence is Counterproductive


One of the core workflows within SOC/CIRT teams these days is automatically consuming intelligence in the form of indicators and deploying them to detection technologies. It seems really easy and simplistic, but it also encompasses one of my biggest operational pet peeves – blanket pushing information to tools without really thinking it through. So many teams don’t really stop to consider the dataflows of information and just PUSH, PUSH, PUSH!!

I have managed a couple of large SOC teams, and in most cases, in my initial assessment, I noticed the team was ingesting about 20K indicators per day, including commodity junk, DGA, doppelganger FQDNs, and sexier targeted attacks, and then “blanket pushing” everything to everywhere! The result? Some tools drop packets, firewalls and proxies slow to a crawl, and packet capture consistently tips over. Obviously there are a lot of parameters that weigh into the degradation of systems, so I cannot conclusively link these issues to the volume of indicators, but it absolutely amplified the problem.

The ThreatQ platform offers a two-step resolution through our new scoring feature. It starts by properly scoring intelligence for your environment, which I’ve discussed in detail in multiple blogs and in a new whitepaper. But it also fine-tunes exports so that they are technology specific (…novel idea, right?!). The new scoring feature in TQ drastically improves how customers deploy the right intelligence to the right security technologies.

With the new scoring feature, customers can redefine, recalculate and reevaluate threat scores for their specific environment. This capability allows them to quickly become more strategic about WHERE they deploy intelligence! Now customers can export intelligence to specific security technologies with greater confidence and reliability. For example, intelligence with higher threat scores can be deployed to blocking technologies (e.g., firewalls, IPS, DNS, web-proxy, endpoint, etc.), whereas intelligence that poses less of a threat or is less reliable can be distributed to detection technologies (e.g., IDS, netflow, etc.). This helps minimize false positives while stopping real threats faster. This is a critical component for companies with overburdened teams and limited infrastructure tools already pushed to their health limits.
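The routing idea described above, as an added example that is not ThreatQ's code or API: indicators are split by score between blocking and detection technologies, filtered to the types each tool can consume, and capped at a per-tool capacity. The score scale, both thresholds, the target names, the capacities and the sample indicators are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

BLOCK_MIN = 8    # assumed: score at or above this goes to blocking tools
DETECT_MIN = 4   # assumed: score in [DETECT_MIN, BLOCK_MIN) goes to detection

@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str    # "ip" or "fqdn" in this sketch
    score: int   # assumed 0-10 environment-specific threat score

@dataclass(frozen=True)
class Target:
    name: str
    mode: str         # "block" or "detect"
    kinds: frozenset  # indicator types this technology can consume
    capacity: int     # assumed max entries before the tool degrades

def build_exports(indicators, targets):
    """Return {target name: [values]}, highest score first, capped per tool."""
    exports = {}
    for t in targets:
        if t.mode == "block":
            band = [i for i in indicators if i.score >= BLOCK_MIN]
        else:
            band = [i for i in indicators if DETECT_MIN <= i.score < BLOCK_MIN]
        usable = sorted((i for i in band if i.kind in t.kinds),
                        key=lambda i: (-i.score, i.value))
        # When a tool is over capacity, the lowest-scored entries are cut first.
        exports[t.name] = [i.value for i in usable[:t.capacity]]
    return exports

# Constructed sample data (documentation IP ranges and example domains).
SAMPLE = [
    Indicator("192.0.2.10", "ip", 9),
    Indicator("198.51.100.7", "ip", 8),
    Indicator("203.0.113.5", "ip", 10),
    Indicator("bad.example.com", "fqdn", 9),
    Indicator("dga-x1.example.net", "fqdn", 5),
    Indicator("192.0.2.99", "ip", 6),
    Indicator("junk.example.org", "fqdn", 2),   # below DETECT_MIN: not exported
]
TARGETS = [
    Target("firewall", "block", frozenset({"ip"}), capacity=2),
    Target("dns", "block", frozenset({"fqdn"}), capacity=100),
    Target("ids", "detect", frozenset({"ip", "fqdn"}), capacity=100),
]

if __name__ == "__main__":
    for name, values in build_exports(SAMPLE, TARGETS).items():
        print(f"{name}: {values}")
```
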


The post Blanket Deployment of Intelligence is Counterproductive appeared first on ThreatQuotient.

About ThreatQuotient
ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ, provides defenders with the context, customization and collaboration needed to ensure that intelligence is accurate, relevant and timely to their business. Leading global companies are using ThreatQ as the cornerstone of their threat operations and management system, increasing security effectiveness and efficiency. For more information, visit
