Building a Threat Intelligence Environment

Threat intelligence (TI) is more than just collecting data feeds and supercharging your SIEM. You'll need to understand what TI is and isn't to gain value.
Published on
July 5, 2018

On June 27, I had the pleasure of participating in an SC Media webcast on building a threat intelligence environment. The host, Stephen Lawton, posed some good questions about challenges and misconceptions around building a threat intelligence program inside an organization.

Since threat intelligence first became a new buzzword in information security some years back, many companies have espoused features friendly to this seemingly new technology. Unfortunately, threat intelligence was not a concept easily understood by typical IT security types. Early players in the threat intelligence space contributed to the spread of misconceptions by implying that a list of IP addresses or domains was, in itself, intelligence. Fortunately, the industry has mostly matured beyond this, but some of these misconceptions still persist.

In order to truly get value from threat intelligence, it’s important to start out on the right foot. Understanding what threat intelligence is and isn’t is a fundamental component of knowing how it can benefit an organization. Threat intelligence is not a list of anything. It’s not IP addresses or domains or hashes or URLs. These are just information. Granted, intelligence can be derived from lists, but the lists and the objects in the lists themselves are not intelligence. Intelligence is taking available data (perhaps from lists) and extracting meaning from that data for the purpose of providing insight into decision-making. Threat intelligence is performing this process around threats, either real or perceived.

As I discussed with Stephen in the webinar, since an organization is going to be concerned with threats to itself, it makes sense that any threat intelligence program should start with internally available data that can support intelligence analysis. Mostly this should be attacks observed by that organization. Information from the SOC and incident response efforts is the perfect place to start.

We went on to cover a lot of important ground on how to build a threat intelligence environment. My hope is that it helps those looking to start or expand threat intelligence efforts in their organizations and maybe dispel some common myths along the way.

A recording of the webcast is available here. Slides from our discussion are available upon request.
