@kwm Twitter archive

Keith

@kwm

First: Let's agree that threat intelligence isn't really what 99% of orgs are looking to collect, apply. That would be "threat indicators."

2/6/2016, 6:37:51 AM

Favs: 2

Retweets: 0

Keith

@kwm

I feel similarly about threat indicator application as I do about SIEM: If you've made no attempt to DIY, you should not buy.

2/6/2016, 6:38:09 AM

Favs: 0

Retweets: 0

Keith

@kwm

Forcing the org to collect and apply its own threat indicators exposes issues like "we don't have the tooling to collect and/or apply."

2/6/2016, 6:38:18 AM

Favs: 0

Retweets: 0

Keith

@kwm

Once you've established that you can collect and apply your own indicators, get a simple open source tool and start pulling open feeds.

2/6/2016, 6:38:27 AM

Favs: 0

Retweets: 0

Keith

@kwm

Open threat indicator feeds aren't great: the red team has access to them, too. But again they prove that you can ingest, curate, apply.

2/6/2016, 6:38:36 AM

Favs: 0

Retweets: 0

Keith

@kwm

Orgs that buy indicator services or platforms before DIY invariably end up with unrealistic expectations and miscalculate risk.

2/6/2016, 6:38:45 AM

Favs: 0

Retweets: 1
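The "ingest, curate, apply" loop the thread says an org must prove it can run before buying an indicator platform, as an added worked example. This is not @kwm's code and not any particular open source tool: the feed text, the allowlist and the proxy log lines are constructed for illustration, and the curation rules (merge duplicates across feeds, drop RFC1918 addresses that have no business in a public feed, drop allowlisted high-traffic hosts) are assumptions about what a first DIY pass looks like.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample feed (not a real open feed): "type,value,source" lines with
# comments, duplicates, mixed case, an internal IP, a noisy CDN domain and junk.
SAMPLE_FEED = """\
# type,value,source  (constructed for this example)
ipv4,203.0.113.45,feedA
ipv4,203.0.113.45,feedB
ipv4,10.0.0.7,feedA
domain,Malicious-Update.Example,feedA
domain,malicious-update.example,feedC
domain,cdn.example.net,feedB
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,feedA
bogus,not-an-indicator,feedA
"""

# Constructed proxy log lines (key=value fields) to apply the indicators against.
SAMPLE_LOGS = [
    "2016-02-06T06:40:01Z src=192.168.1.10 host=www.example.org dst=198.51.100.9 action=allow",
    "2016-02-06T06:40:02Z src=192.168.1.11 host=MALICIOUS-UPDATE.EXAMPLE dst=203.0.113.45 action=allow",
    "2016-02-06T06:40:03Z src=192.168.1.12 host=cdn.example.net dst=198.51.100.20 action=allow",
    "2016-02-06T06:40:04Z src=192.168.1.10 host=intranet.corp dst=10.0.0.7 action=allow",
]

# Constructed allowlist: hosts the org talks to constantly. An indicator for one of
# these would page the SOC all day, so curation drops it and records why.
ALLOWLIST = {"cdn.example.net"}

# Assumed curation rule: an RFC1918/loopback address in a public feed is noise.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set = field(default_factory=set)


@dataclass
class Match:
    line_no: int
    field_name: str
    indicator: Indicator


def _valid(kind, value):
    """Reject anything that is not a well-formed indicator of the declared type."""
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return DOMAIN_RE.match(value) is not None
    if kind == "sha256":
        return SHA256_RE.match(value) is not None
    return False


def parse_feed(text):
    """Ingest: one Indicator per well-formed line, values normalised to lower case."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        kind, value, source = parts[0].lower(), parts[1].lower(), parts[2]
        if _valid(kind, value):
            out.append(Indicator(kind, value, {source}))
    return out


def curate(indicators, allowlist):
    """Curate: merge duplicates across feeds, drop internal IPs and allowlisted hosts.

    Returns (kept, dropped) where dropped carries a reason per indicator, so the
    curation decisions can be reviewed instead of silently losing entries.
    """
    merged = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key in merged:
            merged[key].sources |= ind.sources
        else:
            merged[key] = Indicator(ind.kind, ind.value, set(ind.sources))
    kept, dropped = [], []
    for ind in merged.values():
        if ind.kind == "ipv4" and any(ipaddress.ip_address(ind.value) in n for n in INTERNAL_NETS):
            dropped.append((ind, "internal address in a public feed"))
        elif ind.kind == "domain" and ind.value in allowlist:
            dropped.append((ind, "allowlisted host"))
        else:
            kept.append(ind)
    return kept, dropped


def apply_indicators(indicators, log_lines):
    """Apply: look up every key=value field of each log line in the curated set."""
    by_value = {ind.value: ind for ind in indicators}
    matches = []
    for line_no, line in enumerate(log_lines, start=1):
        for token in line.split():
            if "=" not in token:
                continue
            name, _, value = token.partition("=")
            ind = by_value.get(value.lower())
            if ind:
                matches.append(Match(line_no, name, ind))
    return matches


if __name__ == "__main__":
    kept, dropped = curate(parse_feed(SAMPLE_FEED), ALLOWLIST)
    for ind, why in dropped:
        print(f"dropped {ind.kind} {ind.value}: {why}")
    for m in apply_indicators(kept, SAMPLE_LOGS):
        print(f"line {m.line_no} {m.field_name}={m.indicator.value} sources={sorted(m.indicator.sources)}")
```

Running it drops the internal address and the CDN host, keeps the merged entry that two feeds agree on, and flags only the second log line on both its host and destination fields. That the CDN entry from a public feed would have matched an ordinary line is exactly the sort of thing the thread says an org only discovers by doing this itself.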