How to Maximize the ROI of Threat Intelligence Investments

ThreatQuotient Logo

I recently came across a blog from our partner ThreatQuotient. The blog focused on maximizing the value of cyber threat intelligence investments and discussed limitations traditional security solutions have using threat intelligence. The challenges discussed were consistent with what we’ve seen first hand here at Threater and revolve around the limitations existing security controls like next-generation firewalls have when integrating threat intelligence. Our ability to solve this challenge in a Smart, Simple, and Scalable way has been one of the important keys to our success.

In this blog, we will take a look at the challenges discussed in ThreatQ’s blog. We will then take a look at these challenges from the Threater perspective and discuss how our platform helps customers to overcome these challenges.

Threat Intel Limitations of Existing Security Controls – The ThreatQ Perspective

The ThreatQ blog discussed five key limitations existing security controls have when it comes to threat intelligence. Quoting directly from the ThreatQ blog these include:

  1. Volume: The sheer number of indicators makes it difficult to keep devices well-informed about all the attacks going on in the wild. For example, there are only so many blocking rules a firewall can realistically implement at any given time.

  2. Performance: Vendors focus on the most widespread threats to limit how many signatures they need to deploy because performance degrades as the signature set grows. Less prevalent attacks or threat actors may not make the cut.

  3. Timing and timeliness: The speed of adversary activity creates gaps before updates are released and deployed. It also takes time for vendors to validate threat information – especially for blocking actions. Moreover, to block / detect an attack the signature needs to be on the security device before the attack happens.

  4. Customized attacks: Adversaries make changes to malware, or how their attacks are delivered, to avoid detection by pre-existing rules and signatures.

  5. Closed intel loops: Most vendors collect intelligence, formulate signatures and push them to their products via closed-loop systems. They do not share their threat intelligence or the way their signatures function, nor do they provide the ability to add threat intelligence without going via their analyst team. There is no way to verify if a particular attack will be blocked without asking the vendor or testing it. Note, this is changing and some vendors have APIs that at the very least, allow you to push your own threat intelligence into their system.

The Threater Perspective

Let’s take a look at the limitations ThreatQ identified, compare them to our customer interactions, and show how our platform is helping our customers overcome them.

  1. Volume: An issue we see constantly at Threater is the significant limitations next-generation firewalls have integrating third-party threat intelligence indicators. These limitations include total indicator volumes, the number of lists, and the size of lists. To put this in perspective, one of the top next-gen firewalls on the market can only support a maximum of 150,000 IPs in its external block list. It doesn’t take much threat intelligence data to hit this limit. We discuss this issue in more detail in the blog Real World Customer Examples Illustrate The Threat Intelligence Challenges with Firewalls.

    How Threater Helps: Our platform was purpose-built to detect and block threats using large volumes of threat intelligence from multiple sources. By large, we’re talking about the ability to detect and block threats using up to 150 million third-party IP and domain indicators, which far exceeds the capability of any next gen firewall.

  2. Performance: We believe that performance is one of the key reasons why firewalls have limitations using third-party threat intelligence. The fact is firewalls are challenged enough keeping up with the ever growing array of functions they’re performing and this leaves minimal processor cycles to devote to supporting third-party threat intelligence. An interesting data point is that even for the limited third-party threat intelligence that firewalls can support, customers often point to negative performance impacts as the size and number of blocklists grows.

    How Threater Helps: Not only can our platform block threats using up to 150 million IP and domain indicators but we do this with zero latency and no performance impacts on your network. And that’s zero latency whether our platform is using 5 million indicators or 150 million. Our platform also does not have limits on the number or size of lists. It’s worth noting that this is all accomplished by our Threater software that operates on a commodity x86 computing platform. Said another way, our awesome patented software enables us to achieve this scale without the need for proprietary or specialized hardware.

    There’s another important way our Threater platform helps organizations overcome performance challenges with firewalls. The majority of our customers deploy our platform in front of their firewall. This not only provides them with another layer of protection but also improves the performance of their firewalls. They are able to block known noisy threats with the Threater platform freeing up the firewall to focus its more processor-intensive deep packet inspection (DPI) resources on a reduced amount of cleaner traffic.

  3. Timing and timeliness: When it comes to actionable threat intelligence, timing and timeliness is everything. The only thing that is constant with threat intelligence is that is it is constantly changing. In today’s dynamic threat environment, threat feeds are constantly changing with indicators coming on and off lists, scores constantly changing, etc. Therefore, having threat intelligence data that is continually and automatically updated in real time is critical.

    How Threater Helps: At Threater, our platform is all about using real-time threat intelligence to block bad traffic. We do this by partnering with best-in-class providers of threat intelligence (commercial providers, open source, government, and industry) providing 30 million “out of the box” threat indicators. We also do this by providing an open platform that can easily integrate IP and domain threat indicators from any source including Threat Intelligence Platforms (TIPs), SIEMs, SOAR, and other systems. The threat intelligence in our platform is continually updated in real time, ensuring that your network is being protected with the most current threat intelligence. Importantly, this is also happening in an automated way.

  4. Customized attacks: The challenge here is that attackers are increasingly making moves to evade signature-based detection. This means that it’s critical to operate with a layered defense model and to use threat intelligence from multiple sources so you are not reliant on one or a few vendors to detect and block threats.

    How Threater Helps: The Threater platform adds an additional layer of network protection that complements existing controls like next-gen firewalls. As mentioned above, we provide 30 Million “out of the box” threat indicators from multiple, leading sources (commercial, open source, government, and industry) providing a day one increase in network protection. The open nature of our platform also makes it easy for you to integrate IP and domain indicators from any source.

  5. Closed intel loops: This reinforces two issues that we’ve previously discussed. The first is that next-generation firewall providers detect and block threats using proprietary threat intelligence, which is too narrow a view of the threat landscape. The second is that firewalls have significant limitations integrating third-party threat indicators, which means they are effectively closed systems when it comes to using threat intelligence.

How Threater Helps: At Threater, our strategy is centered on using a large and diverse mix of threat intelligence to detect and block threats. In addition to the 30 million “out of the box” threat indicators from leading sources, and the easy integration of customized IP and domain indicators, we also offer powerful protection from up to 150 million IP and domain indicators. This means you can use all the threat intelligence you want to protect your network.

As we can see, there are challenges with threat intelligence that include the ability to take action on it and the limitations incorporating it into existing security controls. Threater helps organizations solve these challenges by maximizing the ROI of their threat intelligence investments and strengthening the security of their network in a smart, simple, scalable way.

If you are interested in learning more about the Threater platform and how we can help you maximize the value of threat intelligence investments visit our Threat Intelligence Platform Page.

If you are interested in seeing our platform in action and learning more about how we integrate with leading threat intelligence platforms like ThreatQuotient join us for a demo and/or contact us at