Evaluating Threat Intelligence Feeds: Key Metrics
Aug 26, 2024
When selecting a threat feed provider, it’s crucial to assess how effectively their feed will integrate with your threat detection and response strategy. Below are key metrics to consider:
| Metric | Description | Value |
| False Positives (FPs) Triggered Over the Period | Measures the number of incorrect alerts generated by the feed. A lower number indicates less noise and a reduced operational burden. | The lower, the better |
| True Positives (TPs) Triggered Over the Period | Indicates the number of correct alerts that correspond to real threats. A higher number signifies greater effectiveness in detecting genuine threats. | The higher, the better |
| FP/TP Ratio | This ratio compares the number of false positives to true positives, reflecting the feed’s efficiency. A lower ratio shows fewer false positives relative to true positives. Track this over time for trends. | The lower, the better |
| How Many TP Incidents You Would Miss Without the Feed | Shows how critical the feed is by indicating the number of true positive incidents that would go undetected without it. High values suggest the feed’s importance in your threat detection strategy. | High values indicate a high necessity for the feed |
| How Many TP Incidents Would Be Detected but Later | Reflects the delay in detecting threats when using the feed. Useful for evaluating how timely the feed is and planning incident response. | Aim for shorter detection delays |
| How Many TP Incidents Would Be Detected Regardless of Having the Feed | Measures the overlap with other feeds or detection methods. A lower number indicates less redundancy and a greater need for this feed. | Lower value indicates higher necessity of the feed |
Why These Metrics Matter
False Positives (FPs): Minimising false positives reduces the time and resources spent on investigating non-threats, making your threat detection process more efficient.
True Positives (TPs): The primary goal of any threat feed is to detect actual threats. Higher true positives directly correlate with better protection against real cyber threats.
FP/TP Ratio: This helps you understand the balance between detecting true threats and managing false alerts. A better ratio means more accurate threat detection.
Missed TP Incidents: This metric highlights the critical role of the feed in your overall threat detection strategy. If many true positives are missed without the feed, it’s a strong indicator of its importance.
Delayed TP Incidents: Assessing the delay in detection helps in refining your response strategies and improving overall incident management.
Overlap with Other Feeds: Understanding how many incidents would be detected without the feed helps in evaluating the feed’s unique contribution to your security posture and its cost-effectiveness.
By considering these metrics, you can make a more informed decision when evaluating threat feed providers, ensuring that you choose one that best fits your organisation’s security needs and enhances your overall threat detection capabilities.