In cybersecurity, “threat data feeds” and “threat intelligence” are often used interchangeably. They are, however, quite different. To make matters worse, the term “threat intelligence” has been co-opted and watered down by vendors, making it even more difficult to define the difference between threat data feeds and threat intelligence.
An easy, and accessible, way to tell the difference is to think about weather forecasts. National TV news shows present a forecast for the entire country. You might get some useful information from this, but usually you just get an idea of what the weather is like nationwide. Local weather, however, drills down into the expected conditions for your specific area — not only temperature and weather, but also wind speed, barometric pressure, times for weather changes, and so on. You can use this information to plan out your actions for the next few days.
Using the weather forecast analogy, threat data feeds provide a high-level view of the security landscape. For example, it is useful to know that there is a vulnerability in a specific type of software, but it can be relatively trivial if that software is not in use at your organization. Likewise, knowing which threat groups are active is useful information, but how do you know if they are targeting your sector or organization and what processes and tools they are using?
Leave a reply