← @kwm Twitter archive
Keith
@kwm
First: Let's agree that threat intelligence isn't really what 99% of orgs are looking to collect, apply. That would be "threat indicators."
2/6/2016, 6:37:51 AM
Favs: 2
Retweets: 0
linkKeith
@kwm
I feel similarly about threat indicator application as I do about SIEM: If you've made no attempt to DIY, you should not buy.
2/6/2016, 6:38:09 AM
Favs: 0
Retweets: 0
linkKeith
@kwm
Forcing the org to collect and apply its own threat indicators exposes issues like "we don't have the tooling to collect and/or apply."
2/6/2016, 6:38:18 AM
Favs: 0
Retweets: 0
linkKeith
@kwm
Once you've established that you can collect and apply your own indicators, get a simple open source tool and start pulling open feeds.
2/6/2016, 6:38:27 AM
Favs: 0
Retweets: 0
linkKeith
@kwm
Open threat indicator feeds aren't great: the red team has access to them, too. But again they prove that you can ingest, curate, apply.
2/6/2016, 6:38:36 AM
Favs: 0
Retweets: 0
linkKeith
@kwm
Orgs that buy indicator services or platforms before DIY invariably end up with unrealistic expectations and miscalculate risk.
2/6/2016, 6:38:45 AM
Favs: 0
Retweets: 1
link