Stay Focused on Relevant Threat Intel Through Scoring and Expiration

Phil Read

John Lennon popularized the phrase, “Life is what happens when you’re making other plans.” And that’s an apt characterization for how we think about threat intelligence. We tend to focus on it to block or alert on an attack. Meanwhile, life is what’s happening to our threat intel while we’re making these plans. When we don’t pay attention to the threat intelligence lifecycle, we can run into trouble.

Let’s take a brief look at some of the key considerations during the threat intelligence lifecycle – from birth to life to death – and how to optimize the value you’re getting from threat intel at each stage. For a more detailed discussion of all the facets to consider, download our new datasheet: Managing the Threat Intelligence Lifecycle through Scoring and Expiration.

In managing the threat intelligence lifecycle, it’s crucial to consider the full cycle from birth to expiration. Effective scoring and timely expiration keep intelligence actionable and relevant, reduce noise, and improve decision-making from the start.

Birth 

This phase is all about choosing the right intelligence; otherwise you risk adding noise to your threat intelligence platform (TIP). To avoid gaps in intelligence, there’s merit in casting a wider net. But before ingesting all that data, asking a few simple questions will help you assess its value to your organization.

  • Does it include useful context to help with prioritization and analysis?
  • Is it relevant to your geographical region or industry?
  • Is the data provided in a format that is useful for you and can it be pre-filtered so you just ingest what you need?

Consider having a person review the first few ingestions to determine and prioritize those indicators that are most relevant and reduce the noise. 

Life

In this phase, the focus is on getting value as the data ages. Often what’s missing is an ability to prioritize the data based on the requirements of your organization, both internal and external, to reduce noise, minimize false positives, and focus on what matters to the organization and your threat landscape. 

Over-reliance on generic global risk scores provided by vendors that aren’t specific to you or your industry vertical can lead to misallocation of resources and a skewed view of your threat landscape. A customer-defined scoring methodology allows you to dictate your own risk posture based on your resources, tools, and other team priorities. 

It’s important to remember “relevance not severity.” Just because something has a high CVSS severity score, or is a huge threat to financial services firms, doesn’t mean it poses a significant threat to you. Prioritization with custom scoring lets you dial in on what’s truly important for you.

There also comes a time in this stage of the lifecycle when the usefulness of the data diminishes, and it is time to retire it by moving it from Active to Expired status. Threat actors evolve their tactics, techniques, and procedures (TTPs) quickly, so holding onto data for too long can strain resources and provide little security value. Regularly reviewing threat intel to validate what indicators are still being actively used, and retiring those that are not, helps keep security tools operating at peak performance.
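As an added illustration (not code from this post or from the ThreatQ platform), here is a small Python model of the two ideas above: a customer-defined relevance score that outweighs the vendor's generic severity, and a review pass that retires low-value, unsighted, old indicators from Active to Expired. The organisation profile, weights, thresholds and sample indicators are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Constructed organisation profile (hypothetical): what "relevant to us" means.
ORG_PROFILE = {"sector": "healthcare", "regions": {"EU", "UK"}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run

@dataclass
class Indicator:
    value: str
    vendor_score: int                 # generic global score 0-100 from the feed
    sectors: Set[str]                 # sectors the feed says this indicator targets
    regions: Set[str]
    first_seen: datetime
    last_sighting: Optional[datetime] = None  # last hit in our own telemetry
    status: str = "Active"

def relevance_score(ind: Indicator, profile: dict, now: datetime) -> int:
    """Customer-defined score: relevance to our estate outweighs vendor severity."""
    score = 40 if profile["sector"] in ind.sectors else 0
    score += 30 if ind.regions & profile["regions"] else 0
    if ind.last_sighting and now - ind.last_sighting <= timedelta(days=30):
        score += 30                   # recently seen in our own logs
    score += ind.vendor_score // 10   # vendor severity contributes at most 10 points
    return min(score, 100)

def apply_expiration(ind: Indicator, score: int, now: datetime,
                     max_age_days: int = 90, min_score: int = 25) -> str:
    """Move low-scoring indicators that are old and unsighted from Active to Expired."""
    stale = (ind.last_sighting is None
             or now - ind.last_sighting > timedelta(days=max_age_days))
    if score < min_score and stale and now - ind.first_seen > timedelta(days=max_age_days):
        ind.status = "Expired"
    return ind.status

def review(indicators: List[Indicator], profile: dict = ORG_PROFILE,
           now: datetime = NOW) -> List[Tuple[str, int, str]]:
    """One review pass: score every indicator, then decide its status."""
    results = []
    for ind in indicators:
        score = relevance_score(ind, profile, now)
        results.append((ind.value, score, apply_expiration(ind, score, now)))
    return results

# Constructed sample feed (RFC 5737 / RFC 2606 documentation values, not real IoCs).
SAMPLE = [
    Indicator("198.51.100.7", 95, {"finance"}, {"US"}, NOW - timedelta(days=120)),
    Indicator("203.0.113.45", 40, {"healthcare"}, {"EU"}, NOW - timedelta(days=10), NOW - timedelta(days=2)),
    Indicator("evil.example", 20, set(), {"APAC"}, NOW - timedelta(days=100), NOW - timedelta(days=95)),
]
```

Running `review(SAMPLE)` expires the high-severity but irrelevant finance indicator and the unsighted APAC domain, while the recently sighted healthcare indicator stays Active with a full score.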

Death

The final stage in threat intel lifecycle management deals with the disposal of data. What do you do with the subset of data stored in your TIP that has no sightings against it, has a low score, and expired three months ago? Is it still providing value?

While it may be tempting to hold onto that data, the fundamental truth of threat intelligence is that time is of the essence. Just as you need to leverage automation to minimize the time between discovery of intelligence and leveraging it in your estate, you also need processes in place to handle this phase efficiently because threat intel gets old quickly. Data policies should be created with a “business first” approach, compiled into a data retention plan and then applied to your TIP. 

For more details and additional considerations including why to keep data after it has expired, the value of creating additional status categories besides Active and Expired, and ongoing review of the value of data, download the datasheet.

About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.