When it Comes to Threat Intelligence, a Multi-Vendor Strategy is Needed
No Intelligence Vendor Has 100% Visibility Into What is Happening on the Web
The fact that there is no silver bullet for cyber security, but instead every organization needs to work with a variety of vendors, has shaped the common practices of how we purchase security solutions. In many cases, there’s a checklist – we need a firewall, an end-point protection solution, a SIEM, a penetration service, a cloud security solution, and many other types of solutions to cover all of our bases. We review the alternatives in the market, compare their offering and their cost, allocate the available budget accordingly and prioritize. Once an item on the checklist is checked, we move on to the other items. After all, we don’t need two firewalls, or two SIEM solutions. However, in threat intelligence, an item that appears in many organizations’ checklists, it may be quite advantageous to have multiple vendors. Here’s why.
The purpose of threat intelligence is to collect data from a variety of sources outside of the organization’s perimeters and generate intelligence on what is happening “out there”, enriching the organization’s security operations. Just like a military would find it difficult to fight without any knowledge of the adversary’s position or movement, so is the security team at a major disadvantage without such information. Threat intelligence provides visibility that extends beyond the organization’s perimeters – and this visibility is based on the vendor’s coverage on intelligence sources.
The fact is that no intelligence vendor has 100% visibility into what is happening on the web. As organizations’ visibility is limited to what their threat intelligence vendors cover, by definition they will never have full visibility. In cyber security, where a single incident can be devastating to an organization, the greater the visibility – the better. Increased visibility means higher chances of detecting a potential incident and mitigating its threat. Considering that no two threat intelligence vendors have the exact same coverage – this is where a multiple vendors strategy comes into play.
The most efficient way to implement such a strategy isn’t just numbers. It’s not just about getting as many vendors as you can in the available budget – but choosing vendors that complement each other. Threat intelligence is quite a broad term, used to describe many types of offerings. More so than that, many threat intelligence vendors that have similar offerings may have quite a different coverage – with each having a different expertise and focus. Some vendors may try to be a one-stop-shop, covering as much as they can (but again, 100% visibility is impossible), while others may be more niche and provide complimentary services.
When reviewing a threat intelligence vendor as part of a multi-vendor strategy, it is best to review their unique value proposition – not so much in features, but in terms of intelligence. Do they provide intelligence that other vendors don’t? How many deliverables do they provide of a certain type that others also cover, compared to these other vendors? You may discover that the price of the intelligence service is well worth the unique deliverables by the vendor (i.e. intelligence alerts not provided by the other vendors).
The fact that some overlap exists, which is usually the case, is not a bad thing. Since the organization relies on the data coming in from the threat intelligence, without comparison it is neigh impossible to evaluate a single vendor. Having multiple vendors helps identify the strengths and weaknesses of each service – which may be quite helpful both on an on-going basis, but also when it comes a time to evaluate the current solutions being used and building a new stack of threat intelligence vendors that complement each other.
The necessity of multiple intelligence vendors is not a new concept in the industry, mainly in large enterprises. As a testament of that, we see the popularity of solutions designed to collect and process threat intelligence data from a variety of sources – including multiple vendors. However, there are still quite a lot of organizations who use threat intelligence but continue to see it as yet another item to cross off the list.