I spoke with Brandon Hoffman, Chief Strategy Officer at Intel 471, about the challenges and advantages of operationalizing threat intelligence.
A core focus for Intel 471 is providing threat intelligence. “We’re specifically focused on closed sourced, or what some people call ‘dark web threat intelligence,’ which means it’s not so easy to get,” Hoffman said. “We have researchers all around the world who collect information and we process that information into a usable format. We share that with our customers through our platforms.”
Interview Highlights: Brandon Hoffman on Operationalizing Threat Intelligence
This interview took place at the recent RSA Conference in San Francisco. The comments below have been edited for length and clarity.
The Various Flavors of Threat Intelligence
Traditionally, the challenge of threat intelligence is that it comes in a couple of different flavors, Hoffman explained. “There’s malware-related threat intelligence, like indicators. Those are somewhat easier for customers to operationalize because it’s a technical component that you can put in another technical system.
“But real adversary-focused threat intelligence, which is one of the things that we specialize in, is difficult because it generally comes in a report format. So customers need a group of analysts or threat intelligence experts on their side, on their bench, so to speak, working inside the company who know how to dissect that information, process it, and use it and apply it to the problems inside the company itself,” he said. “As opposed to something like a technical indicator, which you could put into a SIEM or a SOAR or a firewall, and it would just do what it needs to do. So that becomes the challenge.
“There’s a lot of rich data available inside of threat intelligence and unlocking the power of it into an operational system is where we’re focused because that’s one of the biggest challenges we see today in the market.”
Selecting a Threat Intelligence Solution
The first hurdle for customers choosing a threat intelligence platform is deciding what type of solution is best for them, Hoffman said.
“It depends on the problems the customers are facing. So we have things like open source intelligence, we have vulnerability intelligence, there’s malware intelligence, there’s adversary intelligence.
“Depending on the problem that the company is trying to solve and how integrated security operations and threat intelligence itself is into the business fabric, that will help you decide what you need.
“Now on the operational system side, you have things like TIPs, you have SIEMs, you have SOARs, you have EDR. There are a variety of different operational systems. These are the systems that customers run in their network or on their systems that help them enforce security controls.
“So the type of intelligence you have, the problem you’re trying to solve, will tell you what systems you want to apply the problem to.”
The Titan Offering
“Our classic offering is a product we call Titan,” Hoffman said. “That’s a threat intelligence portal where customers can go and set their requirements, what they’re looking for, the things that are important to them. Like, we’re looking for this type of threat actor, or we’re concerned about this type of attack. What information do you have inside of that portal?
“There are a variety of different ways that the information is delivered. Some of it’s just raw information that somebody could consume and use on their side. Some of it’s finished reporting that might go to the executive level. Some of it’s very technical that people will consume through a programmatic interface, an API. That’s our classic offering – there are lots of different types of intelligence in there.”