In this third post of our threat feed evaluation blog series, we outline essential questions that evaluators should address during the evaluation process. While these questions cover the most critical aspects for filtering or blocking use cases, organizations should also consider additional inquiries that may be more specific to their unique environments.
Before we dive into the questions, let’s review the main takeaways from the two previous blog posts in this series that detailed the key considerations for threat feed evaluations and the top 3 misconceptions.
- Focus on relevance, accuracy, timeliness, ease of integration, and actionability for threat feed evaluations.
- Curated threat intelligence from zvelo enhances decision-making and improves threat detection, response, and mitigation.
- Quality trumps quantity; avoid basing evaluations solely on the volume of threats.
- Avoid using open-source and old threat data for comparison due to potential duplicates and false positives.
- Consider blocking threats at both the base domain and full-path levels.
With the above points in mind, below are the main questions you should be able to answer by the end of your evaluation. Again, these represent questions that are the most relevant to the majority of blocking and filtering use cases, but may not address the needs of every organization.
- Does this feed contain unique threats that I don’t already know about?
- If so, what is the quality of that data in terms of relevance, accuracy, and timeliness?
- Is the feed limited to delivering only active or recently active threats?
- What is the false positive rate?
- How much does this feed overlap with what I already have?
- If there is significant overlap, is it more or less expensive than my current solution?
- Depending on the overlap, does it make sense to replace my current solution or would it be more effective to augment it?
- Does my current solution include a lot of threats that this new feed doesn’t?
- If so, what is the quality of that data in terms of relevance, accuracy, and timeliness?
- Is my current feed limited to delivering only active or recently active threats?
- What is my current false positive rate?
- Does this new feed show evidence that the data is actively maintained?
- Do threats get pruned?
- If so, how do the threats get pruned?
- Does the threat data contain enough contextual information so that I know what a row represents? Or is it just a random row with no clear indication of why it is bad?
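Several of the questions above (unique threats, overlap with the current feed, evidence of pruning, and whether each row carries context) can be answered mechanically once both feeds are normalized the same way. The script below is an added example, not code from zvelo or from the original post; it runs the comparison at both the base-domain and full-path levels discussed earlier, and it uses two small constructed feeds and a constructed allowlist (hypothetical `.test` names, not real indicators). The two-label approximation of a base domain is a simplification; a real evaluation should use the Public Suffix List.

```python
"""Added example: score a candidate threat feed against the feed already in use."""
from datetime import date
from urllib.parse import urlsplit

# Constructed sample rows: (indicator, last_seen ISO date, category/context).
# Hypothetical .test names only; empty category means the row has no context.
CURRENT_FEED = [
    ("http://evil-example.test/login.php", "2024-05-01", "phishing"),
    ("malware-example.test", "2024-04-28", "malware"),
    ("http://shared-example.test/payload.exe", "2024-05-02", "malware"),
    ("old-example.test", "2023-01-10", "botnet"),      # stale, never pruned
    ("context-free.test", "2024-04-30", ""),            # no reason given
]
CANDIDATE_FEED = [
    ("http://evil-example.test/reset.php", "2024-05-03", "phishing"),  # same base domain, new path
    ("http://shared-example.test/payload.exe", "2024-05-03", "malware"),  # exact overlap
    ("new-threat-example.test", "2024-05-03", "c2"),
    ("another-example.test/drop", "2024-05-02", "malware"),
    ("http://good-example.test/docs", "2024-05-01", "phishing"),  # likely false positive
]
# Constructed allowlist of hosts the organization knows to be benign.
ALLOWLIST = {"good-example.test"}


def split_indicator(indicator: str):
    """Return (lower-cased host, path) for a URL or bare hostname."""
    text = indicator.strip()
    if "://" not in text:
        text = "//" + text          # let urlsplit treat the leading token as the host
    parts = urlsplit(text)
    return (parts.hostname or ""), (parts.path or "/")


def base_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (simplification)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(indicator: str, level: str) -> str:
    """Canonical key at 'domain' (base domain) or 'path' (host + path) granularity."""
    host, path = split_indicator(indicator)
    return base_domain(host) if level == "domain" else f"{host}{path}"


def compare_feeds(current, candidate, level="domain") -> dict:
    """Overlap and uniqueness counts between two feeds at the chosen granularity."""
    cur = {normalize(row[0], level) for row in current}
    cand = {normalize(row[0], level) for row in candidate}
    overlap = cur & cand
    return {
        "overlap": len(overlap),
        "unique_to_candidate": len(cand - cur),
        "unique_to_current": len(cur - cand),
        "overlap_ratio": len(overlap) / len(cand) if cand else 0.0,
        "new_indicators": sorted(cand - cur),
    }


def stale_fraction(feed, today: date, max_age_days: int = 90) -> float:
    """Share of rows not seen within max_age_days: high values suggest no pruning."""
    stale = sum(1 for _, seen, _ in feed
                if (today - date.fromisoformat(seen)).days > max_age_days)
    return stale / len(feed) if feed else 0.0


def missing_context_fraction(feed) -> float:
    """Share of rows with no category, i.e. no indication of why the row is bad."""
    return sum(1 for _, _, cat in feed if not cat.strip()) / len(feed) if feed else 0.0


def allowlist_hits(feed, allowlist) -> list:
    """Rows whose base domain is on the allowlist: a crude false-positive probe."""
    return sorted({normalize(row[0], "domain") for row in feed} & set(allowlist))


if __name__ == "__main__":
    today = date(2024, 5, 4)    # constructed evaluation date
    for level in ("domain", "path"):
        print(level, compare_feeds(CURRENT_FEED, CANDIDATE_FEED, level))
    for name, feed in (("current", CURRENT_FEED), ("candidate", CANDIDATE_FEED)):
        print(name, "stale:", stale_fraction(feed, today),
              "no context:", missing_context_fraction(feed),
              "allowlist hits:", allowlist_hits(feed, ALLOWLIST))
```

Running the script on the constructed data shows why the two granularities matter: at the base-domain level the candidate overlaps on two domains, but at the full-path level only one row is a true duplicate, so the "unique threats" answer changes with the blocking level you actually use. The stale and no-context fractions give a first signal on pruning and row context, and the allowlist check surfaces rows worth a manual false-positive review before the rate is reported.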
By answering these questions and seeking additional insights specific to your organization, you can make informed decisions and select the most suitable threat feeds to enhance your defense strategy. We encourage all evaluators to share any additional questions you may have. Our technical team is available to offer advice and best practices for finding those answers with a high degree of accuracy.
Additional Resources
The following blog posts are additional resources that highlight the complexities of the curation process as well as the importance and value of curated threat intelligence data:
In-House Threat Detection Begs a Multi-Million Dollar Question
From Raw to Refined: 5 Reasons to Get Curated Threat Intelligence
Why Curated Threat Data is Critical to Effective Threat Protection
Premium Threat Intel: A Vital Investment in Cybercrime Prevention