Anomali
Anomali Whitepaper

Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

One key number that is generally accepted and that every CISO watches is “200 days.” According to many widely accepted reports, that has been the average amount of time between an initial compromise and when it is actually discovered in an organization. Law enforcement, a business partner or independent researchers are often the ones to inform an organization that it has suffered a data breach. In an effort to understand possible indicators of compromise (IOCs), many organizations gather threat intelligence data. This data contains information about bad actors on the web, machine-generated domain names, known bad IP addresses, lists of email addresses used for phishing campaigns and other data.
