ART-TI Key Metrics

Evaluating Threat Intelligence Feeds: Key Metrics

When selecting a threat feed provider, it’s crucial to assess how effectively their feed will integrate with your threat detection and response strategy. Below are key metrics to consider:

| Metric | Description | Value |
|---|---|---|
| False Positives (FPs) Triggered Over the Period | Measures the number of incorrect alerts generated by the feed. A lower number indicates less noise and a reduced operational burden. | The lower, the better |
| True Positives (TPs) Triggered Over the Period | Indicates the number of correct alerts that correspond to real threats. A higher number signifies greater effectiveness in detecting genuine threats. | The higher, the better |
| FP/TP Ratio | This ratio compares the number of false positives to true positives, reflecting the feed’s efficiency. A lower ratio shows fewer false positives relative to true positives. Track this over time for trends. | The lower, the better |
| How Many TP Incidents You Would Miss Without the Feed | Shows how critical the feed is by indicating the number of true positive incidents that would go undetected without it. High values suggest the feed’s importance in your threat detection strategy. | High values indicate a high necessity for the feed |
| How Many TP Incidents Would Be Detected but Later | Reflects the delay in detecting threats when relying on other sources instead of the feed. Useful for evaluating how timely the feed is and for planning incident response. | Aim for shorter detection delays |
| How Many TP Incidents Would Be Detected Regardless of Having the Feed | Measures the overlap with other feeds or detection methods. A lower number indicates less redundancy and a greater need for this feed. | Lower value indicates higher necessity of the feed |
Table 1: Key Metrics for Evaluating a Threat Intelligence Provider


Why These Metrics Matter

False Positives (FPs): Minimising false positives reduces the time and resources spent on investigating non-threats, making your threat detection process more efficient.

True Positives (TPs): The primary goal of any threat feed is to detect actual threats. Higher true positives directly correlate with better protection against real cyber threats.

FP/TP Ratio: This helps you understand the balance between detecting true threats and managing false alerts. A lower ratio means more accurate threat detection for the same analyst effort.

Missed TP Incidents: This metric highlights the critical role of the feed in your overall threat detection strategy. If many true positives are missed without the feed, it’s a strong indicator of its importance.

Delayed TP Incidents: Assessing the delay in detection helps in refining your response strategies and improving overall incident management.

Overlap with Other Feeds: Understanding how many incidents would be detected without the feed helps in evaluating the feed’s unique contribution to your security posture and its cost-effectiveness.
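The six metrics above can be computed from an alert log that records, for each alert, which source raised it and which incident (if any) it turned out to belong to. The following is an added example, not part of the original page: it uses a constructed set of alerts (sources "feed" and "edr", incident IDs "INC-1" to "INC-3" are all made up) and assumes one way of partitioning the overlap: an incident counts as "detected regardless" when another source caught it no later than the feed, and as "detected but later" when another source caught it only after the feed did.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    incident: Optional[str]  # None means the alert had no real incident behind it (FP)
    source: str              # "feed" for the evaluated feed, anything else for other detectors
    when: datetime

# Constructed sample alert log for one evaluation period (not real data)
T0 = datetime(2024, 1, 1)
ALERTS = [
    Alert("INC-1", "feed", T0 + timedelta(hours=1)),   # only the feed saw this one
    Alert("INC-2", "feed", T0 + timedelta(hours=2)),
    Alert("INC-2", "edr", T0 + timedelta(hours=8)),    # EDR caught it 6 hours later
    Alert("INC-3", "edr", T0 + timedelta(hours=3)),
    Alert("INC-3", "feed", T0 + timedelta(hours=5)),   # feed was later than EDR here
    Alert(None, "feed", T0 + timedelta(hours=4)),      # false positive
    Alert(None, "feed", T0 + timedelta(hours=6)),      # false positive
]

def feed_metrics(alerts, feed="feed"):
    """Return the Table 1 metrics for the given feed over the alerts supplied."""
    fps = sum(1 for a in alerts if a.source == feed and a.incident is None)
    tps = sum(1 for a in alerts if a.source == feed and a.incident is not None)
    feed_first = {}   # incident -> earliest feed alert time
    other_first = {}  # incident -> earliest alert time from any other source
    for a in alerts:
        if a.incident is None:
            continue
        table = feed_first if a.source == feed else other_first
        table[a.incident] = min(table.get(a.incident, a.when), a.when)
    missed = sorted(i for i in feed_first if i not in other_first)
    later = {i: (other_first[i] - feed_first[i]).total_seconds() / 3600
             for i in feed_first if i in other_first and other_first[i] > feed_first[i]}
    regardless = sorted(i for i in feed_first
                        if i in other_first and other_first[i] <= feed_first[i])
    return {
        "false_positives": fps,
        "true_positives": tps,
        "fp_tp_ratio": fps / tps if tps else float("inf"),  # undefined ratio when no TPs
        "missed_without_feed": missed,
        "detected_later_hours": later,   # delay others would have incurred, per incident
        "detected_regardless": regardless,
    }

if __name__ == "__main__":
    print(feed_metrics(ALERTS))
```

Tracking this output per evaluation period, as the FP/TP row recommends, gives the trend data needed to compare providers over time.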

By considering these metrics, you can make a more informed decision when evaluating threat feed providers, ensuring that you choose one that best fits your organisation’s security needs and enhances your overall threat detection capabilities.