Use Threat Intelligence Services for an Agile Defense

The wrong time to learn about a security threat is when it occurs.

The “fragile” state, learning about an attack when it is already underway, is the most dangerous for enterprises. By contrast, learning about threats earlier, while a hacker is still researching a target, gives security professionals the agility necessary to combat an impending attack. Threat intelligence services address this by giving visibility into a threat before it arrives.

By 2018, 60% of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies, according to Rob McMillan, research director at Gartner, in the session “Be Agile Not Fragile: Use Threat Intelligence Services to Defend Yourself” with Ruggero Contu, research director at Gartner, at the Gartner Security & Risk Management Summit in National Harbor, Maryland.

Threat intelligence is:

  • Evidence-based knowledge
  • Including context, mechanisms, indicators, implications and actionable advice
  • About an existing or emerging menace or hazard to assets
  • That can be used to inform decisions
  • Regarding the subject’s response to that menace or hazard

But intelligence is more than just a gathering of facts. Its strength is to go beyond the obvious, trivial, or self-evident information to correlate and analyze multiple data points. It should also cover the goals of the threat actor (whether it’s a person or malware), the life expectancy of the threat, the reliability of the information presented, and characteristics of the threat and outcomes for the organization.

Interestingly, while many vendors position their threat intelligence services for short-term, operational decisions, Gartner’s annual survey showed that 48% of users say they utilize threat intelligence services to support longer-term, strategic decisions, as opposed to 30% who utilize them for short-term purposes. Organizations should realize that threat intelligence is an important raw material for their strategic security plans. Keep in mind that certain intelligence may not bear fruit for two years, assuming a minimum 18-month cycle to implement a larger strategy/program that utilizes commercial services.

When security professionals manage incidents, they only see the clues left behind but won’t know the who, why, or how of the attack. “You don’t get to see the replay of what the bad guy did, only the wreckage of what was left behind,” McMillan says. Machine Readable Threat Intelligence (MRTI) is an example of a short-term, operational use to avoid an attack. Here, modern network devices can ingest content and make real-time decisions on what to block or control. This provides a sense of agility in a real-time defensive architecture.

Threat intelligence can give some insight on whether the bad guys are after money, data, or just acting out of malevolence. Security professionals should consider it to make informed decisions about current threats, develop plans for emerging threats and develop agile response capabilities (e.g., with MRTI). In formulating a plan for its use, be clear about what question you need to answer and then select the right content and provider to answer that question.

Video replays from the Summit are available at Gartner Events on Demand.
