How to Use Threat Intelligence for Security Monitoring and Incident Response

Threat Intelligence is becoming a ubiquitous capability in many security tools. It is a key aspect of security architecture that helps security and risk management technical professionals detect, triage and investigate threats. This research provides guidance on how to use TI capabilities.

Key Findings

  • Threat intelligence (TI) improves an organization’s detection and response capability by increasing alert quality, reducing investigation time, and adding coverage for the latest attacks and adversaries.
  • Modern security tools can ingest and leverage threat intelligence. However, they often don’t include guidance on the best way to utilize it.
  • Using threat intelligence improperly will result in more noise and false positives. Proper upfront planning for TI usage is critical.

Gartner recommends that governance and risk leaders do the following:

  • Collect TI requirements based on the threats faced and technology use cases. Tactical use cases deliver TI to your security controls, while strategic use cases leverage TI to educate and inform stakeholders.
  • Curate threat intelligence before delivering it to stakeholders and security controls, by applying scores, expirations and enrichments.
  • Deliver tactical threat intelligence to your existing security controls by using API- or TAXII-based integrations. Deliver strategic threat intelligence to stakeholders within your organization by creating regular reporting.
  • Assess the effectiveness of the threat intelligence by tracking metrics and describing the impact of TI. Use information about a threat in combination with observables attributed to that threat to demonstrate losses prevented.
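The curation step above (scores, expirations, enrichments) as an added example in Python; this is not Gartner's code or any vendor's API. The feed records, threat-context table, score threshold and per-type retention periods are all constructed assumptions, and the output is the kind of tactical list one would then hand to a security control.

```python
"""Curate a raw threat-intelligence feed before pushing it to security controls.

Added example, not from the research note. Scores, retention periods, the
threat-context table and the indicator records are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)       # fixed "now" so results are reproducible
MIN_SCORE = 60                                          # confidence threshold (assumed policy value)
MAX_AGE_DAYS = {"ip": 30, "domain": 90, "sha256": 365}  # type-specific expirations (assumed policy)

# Constructed sample feed, shaped like records a provider might deliver.
RAW_FEED = [
    {"value": "203.0.113.10", "type": "ip", "confidence": 85, "first_seen": "2024-05-20", "threat": "ExampleBotnet"},
    {"value": "203.0.113.11", "type": "ip", "confidence": 40, "first_seen": "2024-05-28", "threat": None},
    {"value": "198.51.100.7", "type": "ip", "confidence": 90, "first_seen": "2024-03-01", "threat": "ExampleBotnet"},
    {"value": "bad.example", "type": "domain", "confidence": 70, "first_seen": "2024-04-15", "threat": "ExampleLoader"},
    {"value": "a" * 64, "type": "sha256", "confidence": 95, "first_seen": "2023-09-01", "threat": "ExampleLoader"},
]

# Constructed enrichment source: what the organisation knows about each threat.
THREAT_CONTEXT = {
    "ExampleBotnet": {"sector_targeting": True, "ttp": "credential stuffing"},
    "ExampleLoader": {"sector_targeting": False, "ttp": "malicious document delivery"},
}

def expires_at(record):
    """Expiration derived from first_seen plus the per-type retention policy."""
    seen = datetime.strptime(record["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return seen + timedelta(days=MAX_AGE_DAYS[record["type"]])

def curate(raw, now=NOW):
    """Apply score threshold, expiration and enrichment; return the tactical feed, best first."""
    curated = []
    for rec in raw:
        if rec["confidence"] < MIN_SCORE:
            continue                     # low-confidence indicator: would mostly add alert noise
        exp = expires_at(rec)
        if exp <= now:
            continue                     # past its expiration: stale indicators cause false positives
        ctx = THREAT_CONTEXT.get(rec["threat"], {})
        # Enrichment: raise the score when the threat is known to target our sector (assumed rule)
        score = min(100, rec["confidence"] + (10 if ctx.get("sector_targeting") else 0))
        curated.append({
            "value": rec["value"], "type": rec["type"], "score": score,
            "expires": exp.date().isoformat(), "threat": rec["threat"], "ttp": ctx.get("ttp"),
        })
    return sorted(curated, key=lambda r: -r["score"])
```

Running `curate(RAW_FEED)` keeps three of the five indicators: the low-confidence IP and the expired IP are dropped, and the remaining records carry a score, an expiry date and the threat's TTP for the analyst or control receiving them.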