In world of increasingly complex cyber threats and sophisticated bad actors that wield them, threat intelligence programs are crucial tools organizations can use to protect themselves.
They pull in data from multiple sources, analyze and correlate it to identity threats, see patterns, and understand their adversaries, then use that information to build their defenses. Enterprises know this. According to cloud security platform vendor
Breachsense,
93% have threat intelligence programs.
The question becomes how effective are those programs, and how well are they using that information.
“Most organizations today have some form of threat intelligence, but far fewer have taken a step back to evaluate how well that intelligence actually supports critical decisions and operations that protect their people and assets,”
Steven Weinstein, senior vice president of Intelligence at threat intelligence firm
Flashpoint, told MSSP Alert.
For many companies, such programs grow organically, inside security operations centers (SOCs) and vulnerability and fraud teams, but without shared frameworks for prioritizing requirements or collecting feedback, Weinstein said.
“Over time, teams accumulate tools, feeds, and reports, but struggle to answer basic questions like, are we collecting the right intelligence? Is it reaching the right people? Is it driving timely action?” he said. “Without defined intelligence requirements and feedback loops, it’s difficult for teams to assess whether they’re missing upstream threats, over-prioritizing noise, or relying on generic intelligence that isn’t tailored to their environment.”
Assessing the Intelligence
Flashpoint this week unveiled its new free Threat Intelligence Capability Assessment, which organizations can use to evaluate how the intelligence works across the spectrum, touching on requirements, tasking, feedback, and then re-tasking, according to the company.
Beyond putting a score on the program, the assessment also is designed inform what the information means for operations, find what could be limiting the effect of the
threat intelligence, steps for strengthening the intelligence workflows, and develop a 90-day planning framework.
The Differentiator
It’s what separates Flashpoint’s threat intelligence assessment from those of others, Weinstein said.
“Many teams equate volume with quality, assuming that more feeds, more alerts, or more dashboards automatically translate into better intelligence,” he said. “In practice, teams often don’t have clear visibility into where their intelligence comes from, how well it aligns to their most important risks, or whether it’s actually influencing decisions.”
Most other assessments focus on inputs, such as tools, headcount, or abstract maturity levels, he said. Flashpoint’s assessment helps surface gaps in the intelligence operations by focusing on how it’s scoped, collected, analyzed, and acted on, rather than just whether it exists.
A Big Market
The importance of threat intelligence can be seen in the expected growth of the global market, which analysts with
Fortune Business Insights expect to jump from $6.87 billion to
$31.58 billion by 2034. Cybercrime isn’t going anywhere, they wrote, noting that on average, a new company is victimized with ransomware every 10 seconds around the globe.
It’s also a crowded market with dozens of vendors that range from
CrowdStrike,
Mandiant, and
IBM to
Palo Alto Networks and
Recorded Future.
Intelligence for MSSPs
Threat intelligence systems are also important to MSSPs and other security services vendors, which are increasingly assuming the role of trusted security advisers. Flashpoint’s new assessment “serves as a conversation and planning tool,” Weinstein said.
With it, MSSPs can baseline a client’s entire intelligence capabilities rather than just focusing on tools, identify where intelligence is breaking down, use services to close gaps rather than address “assumed needs,” and demonstrate value over take by proving progress when organization retake the assessment, he said.
“Many service providers are being asked to deliver more proactive, intelligence-led outcomes,” Weinstein said. “This assessment helps MSSPs and MSPs frame that work clearly, set realistic expectations, and guide clients toward more effective use of intelligence, whether the provider is delivering collection, analysis, operational support, or advisory services.”