Over the past several weeks, a number of high-profile cybersecurity vendors have announced poor business results due in large part to the poor quality of their threat detection and intelligence data. These results are directly attributed to companies forgoing high-quality, curated threat intelligence feeds in favor of ingesting raw threat data. This lack of refinement has resulted in considerable false positive rates, customer frustration, and erosion of trust.
Curation is the vital process by which threat data is de-duplicated, verified for accuracy, pruned for inactive threats, and subjected to numerous other checks to ensure the threat data being provided can be trusted.
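The curation steps just listed (de-duplication, accuracy checks, pruning of inactive entries) as a small worked pipeline. This is an added illustration, not the page's or any vendor's code; the feed records, the `feedA`/`feedB`/`feedC` source names, the 90-day activity window and the allowlist are all constructed assumptions.

```python
import ipaddress
import re
from datetime import date, timedelta

# Constructed sample feed (documentation addresses, not real indicators): the
# kind of noisy, overlapping input a raw aggregator hands to a curation stage.
RAW_FEED = [
    {"type": "ipv4", "value": "203.0.113.5", "last_seen": "2024-05-01", "source": "feedA", "confidence": 80},
    {"type": "ipv4", "value": " 203.0.113.5 ", "last_seen": "2024-05-03", "source": "feedB", "confidence": 60},
    {"type": "domain", "value": "Example.COM.", "last_seen": "2024-05-02", "source": "feedA", "confidence": 90},
    {"type": "ipv4", "value": "198.51.100.9", "last_seen": "2023-01-10", "source": "feedA", "confidence": 95},
    {"type": "ipv4", "value": "999.1.1.1", "last_seen": "2024-05-02", "source": "feedC", "confidence": 70},
    {"type": "domain", "value": "bad.example.net", "last_seen": "2024-05-04", "source": "feedB", "confidence": 40},
]
ALLOWLIST = frozenset({"example.com"})  # known-benign values that would only produce false positives
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def normalize(value):
    """Canonical form so the same indicator from two feeds compares equal."""
    return value.strip().lower().rstrip(".")

def is_valid(itype, value):
    """Accuracy check: a value that cannot be what it claims is dropped, not forwarded."""
    if itype == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    return itype == "domain" and DOMAIN_RE.match(value) is not None

def curate(feed, today, max_age_days=90, allowlist=frozenset()):
    """Normalize, validate, drop allowlisted and inactive entries, merge duplicates."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    merged = {}
    for rec in feed:
        value = normalize(rec["value"])
        if not is_valid(rec["type"], value) or value in allowlist:
            continue
        seen = rec["last_seen"]  # ISO dates compare correctly as strings
        if date.fromisoformat(seen) < cutoff:
            continue  # inactive: no sighting inside the activity window
        cur = merged.setdefault((rec["type"], value), {"type": rec["type"], "value": value,
                                "last_seen": seen, "confidence": 0, "sources": set()})
        cur["last_seen"] = max(cur["last_seen"], seen)        # keep the most recent sighting
        cur["confidence"] = max(cur["confidence"], rec["confidence"])
        cur["sources"].add(rec["source"])                     # corroboration across feeds
    return sorted(merged.values(), key=lambda r: (r["type"], r["value"]))
```

Run against the sample with `curate(RAW_FEED, "2024-05-05", allowlist=ALLOWLIST)`: the two copies of 203.0.113.5 collapse into one record with both sources, the allowlisted domain, the malformed address and the stale indicator are removed, and two actionable records remain.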
Despite the importance of curation, many cybersecurity vendors have consciously decided to reduce costs by ingesting raw threat data with little or no curation to stay competitive in the growing SASE, XDR, and related markets. While this saves money in the short term, the decision can have profound consequences in the mid-to-longer term as the quality of the vendor’s service and protection drops.
Compounding this problem is that many of the threat intel feed providers have likewise been forced for economic reasons to reduce or eliminate any efforts at curating their feeds. The result is that the quality of raw threat intel feeds has dropped significantly at the very time that many vendors have cut back on their own curation efforts.
In the midst of this threat data quality dilemma, threat intelligence feeds still stand as a valuable source of insight into potential threats and vulnerabilities. However, the sheer volume of data produced can make it challenging to use this information effectively. The incessant flow of alerts, logs, and notifications can quickly overwhelm even the most seasoned analysts, blurring the line between genuine threats and mere noise. It’s clear that in this whirlwind of information overload, a shift is needed: a shift from quantity-focused approaches to quality-centric strategies that rely on curated threat intelligence feeds.
Embracing curated threat intelligence provides a solution to the myriad of problems associated with raw threat data feeds. Here are the top 5 reasons why curated threat data triumphs over raw threat data:
- Elimination of Manual Curation by You (or Worse, Your Customers): Raw threat feeds demand that you or your customers undertake the labor-intensive task of curation. This involves validating, analyzing, and sorting through mounds of data to separate the wheat from the chaff. On the other hand, curated threat intelligence already comes analyzed, vetted, and organized, freeing up valuable time and resources.
- Reduction of False Positive Rates: Raw threat data is notorious for producing high false positive rates. This means benign activities are often incorrectly flagged as malicious, leading to unnecessary alerts. Curated threat intelligence, however, is meticulously examined and verified to reduce the risk of false positives, providing a more accurate threat detection.
- Prevention of Alert Fatigue: The high volume of false alarms associated with raw threat feeds can lead to alert fatigue, causing crucial threats to potentially go unnoticed. Curated threat intelligence filters out irrelevant noise, allowing security teams to focus on the most significant threats, thus preventing alert fatigue.
- Enhanced Customer Satisfaction: Missed threats and vulnerabilities can negatively impact customer satisfaction. The high precision of curated threat intelligence ensures that crucial indicators of compromise are not overlooked, bolstering the defense against potential attacks and thereby increasing customer satisfaction.
- Cost-Effective Infrastructure Management: The storage and processing of raw threat data can incur excessive infrastructure costs. By providing only relevant and actionable intelligence, curated threat intelligence eliminates the need to store and process irrelevant data, resulting in significant cost savings.
The adoption of curated threat intel shouldn’t be viewed as a one-time solution but rather as an ongoing process — a dynamic approach that allows organizations to adapt effectively to a constantly changing threat landscape. Cybersecurity vendors need to acknowledge the inherent drawbacks of relying solely on raw threat data and to proactively shift their focus towards the use of curated threat intelligence. This isn’t simply a strategy for short-term cost reduction; it’s a long-term investment in the sustainability and dependability of their services.
Choosing curated threat intelligence does more than just eliminate the need for time-consuming manual curation. It brings a suite of benefits — reducing false positive rates, preventing alert fatigue, increasing customer satisfaction, and managing infrastructure costs more effectively. Making the transition to curated threat intel is not just advisable; it’s a strategic necessity for maintaining the robustness of our cyber defenses. The old adage “quality over quantity” has never been more relevant than it is now, particularly in the field of cybersecurity.