What is a threat feed? (and what it’s not)
The cyberthreat ecosystem is constantly evolving as attack volumes grow and tactics become increasingly creative. For cybersecurity teams, knowledge and situational awareness are power, and staying apprised of the latest threats by tapping into emerging intelligence is crucial to combating threat actors.
But where does this threat intelligence come from? How is it leveraged? And what are its limits?
Defining threat feeds
Threat feeds are one of the sources from which organizations derive their cyberthreat intelligence. A threat feed provides continuously updated threat data, including indicators of compromise (IOCs) such as suspicious IP addresses and domain names, as well as the tactics, techniques and procedures (TTPs) used by threat actors. Organizations often subscribe to multiple threat feeds, both free and paid, to gather as much intelligence as possible, with the goal of identifying and responding to threats more accurately and quickly and thereby reducing risk exposure.
There are many benefits to leveraging threat feeds. Well-curated, timely threat intelligence from a trusted source can save security teams valuable time and let them allocate their resources better. Automating data collection and notification enables teams to detect, prevent and respond to threats sooner and with greater efficiency and accuracy. This lets companies reduce costs, scale their defenses and free up resources to focus on threats that require more complex analysis.
Threat feed limitations
Although a threat feed can be a valuable cybersecurity tool, providing a window into a complex and rapidly changing landscape, it is not a security solution in and of itself. Think of it this way: if you buy a threat feed, then you’re buying actionable data… but you still need to act on that data. So really, you’re buying yourself more work.
What’s more, not all threat feeds are created equal, and some can exhaust your resources with false positives. Intelligence must be reviewed and prioritized before it’s acted on, as acting on inaccurate or out-of-date information could have costly consequences, such as wasted time and resources. Or, even worse, it could cause security incidents—resulting in data exfiltration, loss of intellectual property and impacts to critical systems and data availability.
Feeding a comprehensive security solution
The key to effectively leveraging a threat feed is to integrate it into a comprehensive security solution with proactive blocking. For example, solutions like Secure Access Service Edge (SASE) unify your network and security management while embedding high-fidelity threat intelligence, automatic detection and proactive response within the service. This takes some of the work off your plate by automatically blocking threats based on high-confidence data.
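The three points above (pulling from several feeds, reviewing and prioritizing intelligence before acting on it, and auto-blocking only on high-confidence data) can be shown in a small feed-consumer pipeline. The following is an added example written for this article, not code from Lumen, Black Lotus Labs or any feed vendor: the feed rows, source names, trust weights, age limit, block threshold, allowlist and log lines are all constructed for illustration. It merges duplicate indicators across feeds, drops stale, malformed and allowlisted entries, combines per-source confidence so that corroboration raises an indicator's score, splits the result into an auto-block list and an analyst review queue, and finally matches both against a few sample log lines.

```python
"""Merge several threat feeds, score each indicator, and separate what can
be blocked automatically from what needs analyst review.

Added example, not Lumen or Black Lotus Labs code. Feed layout, source
names, trust weights, thresholds, the allowlist and the log lines are all
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical trust weight per feed (0..1), chosen by the consuming team.
SOURCE_TRUST = {"vendor-paid": 0.9, "community-free": 0.5, "internal-sightings": 0.8}
MAX_AGE = timedelta(days=30)   # older indicators are treated as stale
BLOCK_THRESHOLD = 0.75         # auto-block only at or above this combined score
EXAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed "now" for the demo

# Constructed feed rows: (source, type, value, confidence 0..100, last_seen)
RAW_FEEDS = [
    ("vendor-paid",        "ipv4",   "203.0.113.7",           95, "2024-05-01T00:00:00Z"),
    ("community-free",     "ipv4",   "203.0.113.7",           60, "2024-04-28T00:00:00Z"),
    ("community-free",     "domain", "login-example.invalid", 80, "2024-05-02T00:00:00Z"),
    ("vendor-paid",        "domain", "old-campaign.example",  99, "2023-01-01T00:00:00Z"),
    ("community-free",     "ipv4",   "198.51.100.53",         70, "2024-05-02T00:00:00Z"),
    ("internal-sightings", "ipv4",   "not-an-ip",             90, "2024-05-02T00:00:00Z"),
]
# Constructed allowlist: the organisation's own resolver, a classic false positive.
ALLOWLIST = {("ipv4", "198.51.100.53")}
# Constructed proxy/firewall log lines to match against.
LOG_LINES = [
    "2024-05-03T10:01:02Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2024-05-03T10:01:05Z src=10.0.0.9 host=login-example.invalid dport=443 action=allow",
    "2024-05-03T10:02:00Z src=10.0.0.5 dst=198.51.100.53 dport=53 action=allow",
]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


@dataclass
class Indicator:
    kind: str
    value: str
    score: float = 0.0                 # combined across sources (noisy-OR)
    sources: set[str] = field(default_factory=set)


def valid_value(kind: str, value: str) -> bool:
    """Reject malformed rows so bad feed data never reaches a block list."""
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return bool(DOMAIN_RE.match(value.lower()))
    return False


def merge_feeds(rows, now: datetime, allowlist=frozenset()) -> dict[tuple[str, str], Indicator]:
    """Deduplicate rows, drop stale/malformed/allowlisted ones, combine confidence.

    Each source contributes p = trust * confidence; sources combine as
    1 - prod(1 - p), so corroboration raises the score while one weak feed cannot.
    """
    merged: dict[tuple[str, str], Indicator] = {}
    for source, kind, value, confidence, last_seen in rows:
        value = value.strip().lower()
        seen = datetime.fromisoformat(last_seen.replace("Z", "+00:00"))
        if now - seen > MAX_AGE or source not in SOURCE_TRUST:
            continue                                     # stale or unknown feed
        if not valid_value(kind, value) or (kind, value) in allowlist:
            continue                                     # malformed or known-good
        ind = merged.setdefault((kind, value), Indicator(kind, value))
        p = SOURCE_TRUST[source] * (confidence / 100.0)
        ind.score = 1.0 - (1.0 - ind.score) * (1.0 - p)
        ind.sources.add(source)
    return merged


def triage(merged) -> tuple[list[Indicator], list[Indicator]]:
    """Split into auto-block candidates and an analyst review queue, best first."""
    ranked = sorted(merged.values(), key=lambda i: -i.score)
    block = [i for i in ranked if i.score >= BLOCK_THRESHOLD]
    review = [i for i in ranked if i.score < BLOCK_THRESHOLD]
    return block, review


def match_logs(lines, indicators) -> list[tuple[int, str, str]]:
    """Return (line_no, indicator, disposition) for log lines that touch an indicator."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in re.findall(r"[a-z0-9.\-]+", line.lower()):
            if token in by_value:
                disp = "block" if by_value[token].score >= BLOCK_THRESHOLD else "review"
                hits.append((n, token, disp))
    return hits


if __name__ == "__main__":
    merged = merge_feeds(RAW_FEEDS, EXAMPLE_NOW, ALLOWLIST)
    block, review = triage(merged)
    print("auto-block:", [(i.value, round(i.score, 4), sorted(i.sources)) for i in block])
    print("review:    ", [(i.value, round(i.score, 4), sorted(i.sources)) for i in review])
    for hit in match_logs(LOG_LINES, merged.values()):
        print("log hit:", hit)
```

Run as written, the corroborated IP lands on the auto-block list with a combined score of about 0.90, the single-source domain goes to review at 0.40, the year-old indicator is discarded as stale, the malformed row is rejected, and the allowlisted resolver never produces a hit even though a feed flagged it. The trust weights and threshold are the knobs the article is talking about: they are what turn raw feed data into something that can safely drive automatic blocking.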
Through Lumen’s expansive and deeply peered global network, we have extensive visibility into the global threat landscape, and can thus see and stop more threats at scale based on intelligence from our threat-research team, Black Lotus Labs. Black Lotus Labs feeds its high-confidence data directly into Rapid Threat Defense—the auto-blocking capability for Lumen Security Solutions—every 15 minutes, so organizations are protected in real time from threats that other organizations may not be able to detect.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.