Finding the best threat intelligence provider for a specific purpose: Trials and Tribulations
DCSO operate a worldwide setup of network security sensors based on Suricata that detect threats ranging from commodity malware to APT. Detection is based on a combination of in-house, commercial and OSINT capabilities. This talk will focus on a question that occupied us for much of 2018: How can we improve our detection of APT threats specifically? Which then led us to ask: What commercial products are available to support us in our efforts? We decided to take a data-driven approach to answer these questions by developing a framework to compare threat intelligence providers with one another. Perhaps unsurprisingly, developing a common language to compare different threat intelligence providers was far from trivial. While we did eventually identify a couple providers to suit our needs, we would like to take the time to walk you through some of the (many!) challenges we encountered along the way.