Over on his Gartner blog Dr Anton Chuvakin started the list of measures / criteria that could be useful for organisations looking to replace or augment their existing internal threat intelligence capability with external feeds.
A few criteria I can think of that might also be useful:
- The level of overlap in the TI feed with other freely available sources: you’re paying for the TI feed, and the last thing you want is to pay for something that is available freely elsewhere. Worse, once such information is made public the bad guys usually change whatever they can.
- The currency of the information in the TI feed: old IOCs are useful as historical data, not intel; if the TI feed is 90% old data, how much extra value will you be getting, and how much of it is just the provider padding the feed and taking up your resources?
- How many sensors the TI provider operates, and their geographical and AS distribution: striking a balance between getting as much data as possible and getting data that is as targeted as possible is hard, but at least this gives you some idea of where the feed’s visibility comes from.
- The number of customers the TI provider has, and their makeup (large enterprises vs public organisations vs SMEs). The more customers from all walks of life, the higher the chance that the TI feed is going to contain information with a short lifespan; the fewer the customers (unless they’re large and paying a premium), the higher the likelihood that the TI feed is going to be targeted to them.
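The first two criteria (overlap with free sources and currency) can be measured before signing a contract if the provider gives you a trial export. The following Python script is an added example, not from the original post; the feeds, indicators and dates are constructed placeholders, and the 30-day freshness window is an assumed threshold.

```python
from datetime import date, timedelta

# Constructed sample paid feed (hypothetical values, not real indicators).
# Each entry: (indicator, date the provider first published it).
PAID_FEED = [
    ("198.51.100.7", date(2014, 3, 2)),
    ("203.0.113.44", date(2014, 1, 15)),
    ("bad-example.test", date(2013, 11, 20)),
    ("evil-example.test", date(2014, 2, 28)),
    ("192.0.2.99", date(2013, 6, 1)),
]
# Indicators already published by a free source (constructed).
FREE_FEED = {"203.0.113.44", "bad-example.test", "192.0.2.99"}


def overlap_ratio(paid, free):
    """Fraction of paid-feed indicators that a free source already carries."""
    paid_set = {ioc for ioc, _ in paid}
    if not paid_set:
        return 0.0
    return len(paid_set & free) / len(paid_set)


def stale_fraction(paid, as_of, max_age_days):
    """Fraction of paid-feed indicators older than max_age_days on `as_of`."""
    if not paid:
        return 0.0
    cutoff = as_of - timedelta(days=max_age_days)
    stale = sum(1 for _, first_seen in paid if first_seen < cutoff)
    return stale / len(paid)


def unique_current(paid, free, as_of, max_age_days):
    """Indicators you actually pay for: fresh and not freely available."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(ioc for ioc, seen in paid if ioc not in free and seen >= cutoff)


if __name__ == "__main__":
    today = date(2014, 3, 10)  # assumed evaluation date
    print(f"overlap with free sources: {overlap_ratio(PAID_FEED, FREE_FEED):.0%}")
    print(f"stale (>30 days): {stale_fraction(PAID_FEED, today, 30):.0%}")
    print("paying for:", unique_current(PAID_FEED, FREE_FEED, today, 30))
```

Run against a real trial export and a few public blocklists, the two ratios show how much of the feed is padding or already public, and `unique_current` lists what the subscription would actually add.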