Skip to main content
All Posts
Cyber Threat Intelligence
SIEM
Threat Intelligence Platform
1
min read

Building a Threat Intelligence Environment

Threat intelligence (TI) is more than just collecting data feeds and supercharging your SIEM. You'll need to understand what TI is and isn't to gain value.
Travis Farral
Published on
July 5, 2018
Table of Contents

On June 27, I had the pleasure of participating in an SC Media webcast on building a threat intelligence environment. The host, Stephen Lawton, posed some good questions about challenges and misconceptions around building a threat intelligence program inside an organization.

Since threat intelligence first became a new buzzword in information security some years back, many companies have espoused features friendly to this seemingly new technology. Unfortunately, threat intelligence was not a concept easily understood by typical IT security types. Early players in the threat intelligence space didn’t help the spread of misconceptions by implying that a list of IP addresses or domains was in itself, intelligence. Fortunately, the industry has mostly matured beyond this but some of these misconceptions still persist.

In order to truly get value from threat intelligence, it’s important to start out on the right foot. Understanding what threat intelligence is and isn’t is a fundamental component of knowing how it can benefit an organization. Threat intelligence is not a list of anything. It’s not IP addresses or domains or hashes or URLs. These are just information. Granted, intelligence can be derived from lists, but the lists and the objects in the lists themselves are not intelligence. Intelligence is taking available data (perhaps from lists) and extracting meaning from that data for the purpose of providing insight into decision-making. Threat intelligence is performing this process around threats, either real or perceived.

As I discussed with Stephen in the webinar, since an organization is going to be concerned with threats to itself, it makes sense then that any threat intelligence program should start with internally available data that can support intelligence analysis. Mostly this should be attacks observed by that organization. Information from the SOC and incident response efforts are the perfect place to start.

We went on to cover a lot of important ground on how to build a threat intelligence environment. My hope is that it helps those looking to start or expend threat intelligence efforts in their organizations and maybe dispel some common myths along the way.

A recording of the webcast is available here. Slides from our discussion are available upon request.

FEATURED RESOURCES

February 17, 2026
Anomali Cyber Watch

Anomali Cyber Watch: Zero-Click Affects Claude, SolarWinds Vulnerabilities for Velociraptor and more

Zero-Click Remote Code Execution Flaw Affects Claude Desktop Extensions. Threat Actors Exploit SolarWinds Web Help Desk Vulnerabilities to Deploy Velociraptor. Fake 7-Zip Site Distributes Trojanized Installer Converting Systems to Proxy Nodes. ZeroDayRAT Commercial Mobile Spyware Targets Android and iOS. And more..
Read More
February 10, 2026
Anomali Cyber Watch

Anomali Cyber Watch: Notepad++ Attack, RAT Uses Hugging Face, Microsoft Office Flaw and more

Notepad++ Supply Chain Attack Delivers Chrysalis Backdoor. Android RAT Uses Hugging Face Platform to Host Malicious Payloads. Fancy Bear Exploits Microsoft Office Flaw in Ukraine. Nitrogen Ransomware Decryptor Fails Due to Coding Error. And more...
Read More
February 16, 2026
IT Operations
Security Operations

Data Hygiene for AI Security: Stop Ingesting Everything, Start Engineering Signal

Read More
Explore All