Maximizing Effectiveness of Threat Intelligence Programs with King & Union
K&U logo- white green

Maximizing Effectiveness of Threat Intelligence Programs with King & Union

Date: July 2020 Author: Jon Oltsik, Senior Principal Analyst and ESG Fellow


Many organizations rely on point tools and manual processes for threat intelligence analysis and operationalization, but this has become an exercise in futility. Rather than continue to fail, threat analysts need a common workspace for threat intelligence collection, enrichment, investigations, and integration. Furthermore, they need a just-in-time approach to threat intelligence data to access what they need, when they need it. King & Union offers a combination of tools, expertise, and partnerships to address requirements like this across the threat intelligence investigations lifecycle.


According to ESG research, 63% of cybersecurity professionals believe that security analytics and operations (including threat intelligence analysis and investigations) is more difficult today than two years ago. This is true for several reasons, including (see Figure 1):1

  • A rapidly changing threat landscape. Cyber-adversaries continue to launch creative and sophisticated attacks of all kinds, such as business email compromises, ransomware, and APTs. This perpetual onslaught is making work increasingly difficult for threat analysts who don’t have the right tools for threat intelligence collection, processing, analysis, and investigations.
  • Growing amounts of security telemetry. On the defender side, organizations collect, process, and analyze growing volumes of security telemetry including log data, network metadata, and all types of open source and commercial threat feeds. Organizations have focused on data quantity, not quality, making the process of analyzing and operationalizing threat intelligence overwhelming.
  • The volume of security alerts. Security tools regularly deliver alerts, but security teams don’t have the bandwidth or the right tools to prioritize or enrich security alerts with threat intelligence telemetry, or to investigate critical security incidents.

Existing challenges like these are exacerbated by the global cybersecurity skills shortage. According to new research from ESG and the Information Systems Security Association (ISSA), 70% of organizations say they are impacted by the global cybersecurity skills shortage. Of all security positions, there is an especially acute shortage of threat intelligence analysts.2

What’s Needed?

Organizations must rethink the way they procure and operationalize cybersecurity toolsets and threat intelligence, as one of the biggest deficits is in their ability to manage, analyze, and make threat intelligence actionable. This shortcoming is especially troubling due to the sophistication of cyber-threats. Furthermore, the cyber-threat volume has increased significantly in 2020 as hacktivists, cybercriminals, and nation states exploit societal chaos related to the global pandemic. To address this, organizations need:

  • The right threat intelligence at the right time. Over the past few years, enterprise organizations have increased threat intelligence budgets, purchasing a multitude of commercial threat feeds. The irony here is that many organizations now claim they are buried with threat intelligence, making timely investigations even more cumbersome than in the past. Rather than buying one of everything, organizations should have a just-in-time approach to cyber threat intelligence (CTI) feeds, accessing what they need, when they need it. In this way, CTI can be more closely aligned with threat analysis and investigations, leading to improved efficiency and ROI, while providing greater value and visibility in how organizations are consuming and using threat intelligence data.
  • CTI operationalization. Organizations consume CTI to help them block threats proactively, but this process is often hamstrung by manual processes and CTI volume. To overcome this bottleneck, CISOs need the right tools that can help them operationalize threat intelligence and automate remediation processes. This requires direct integration between the threat intelligence analysis workbench, security controls, and security orchestration, automation, and response (SOAR) systems. In this use case, the threat intelligence workbench can use a scoring system to assign a risk score to the specific IoCs used by threat actors. Risk scores exceeding a certain threshold (such as a risk score of 70 on a scale of 0 to 100) would then trigger a SOAR runbook or integrate directly into security controls (such as firewalls, network proxies, and endpoint security tools) to automatically block connections.
  • A CTI investigations workbench. Even with effective CTI operations, there are always complex use cases that demand manual threat hunting and investigations conducted by experienced analysts. Threat analysts tend to use an assortment of commercial and open source tools, making it difficult to accelerate or scale threat intelligence analysis. Rather than glue tools together, threat analysts need a flexible platform for more complex manual investigations. This type of threat intelligence workbench should provide the right interfaces and functionality to help analysts map investigations, open investigations for collaboration, track progress/tasks, and share CTI with approved partners and third parties.

CISOs should also perform an honest assessment of their threat intelligence analyst staff. In truth, CTI analysis demands strong knowledge and expertise. Organizations lacking in these areas should seek managed and professional services to help in this critical area.

Enter King & Union

CISOs need to find ways to move beyond silos of threat intelligence analysis, opting instead for an integrated threat analysis platform. And threat intelligence shouldn’t have to be a volume purchase. Rather, organizations should consume the right threat intelligence when they need it.
ESG recently met with King & Union, a cyber analysis platform and threat intelligence analysis vendor. King & Union may be able to help organizations in both areas, offering:

  • An integrated platform for threat analysis. King & Union’s Avalon is designed as a workspace to span the lifecycle of threat investigations: from threat intelligence data ingestion and enrichment, through analysis, visualization, and collaboration. Aside from analysis, Avalon is built around REST APIs for integration with security controls, SIEM, or SOAR systems. This helps organizations operationalize threat intelligence to safeguard their networks in real time. Avalon also provides a wide range of reporting capabilities and acts as a central repository to preserve investigations as a resource to build upon for future investigative needs.
  • Just-in-time access to the right threat intelligence. Recently, King & Union introduced a new way for organizations to purchase and consume threat intelligence data on a fractional basis. The Avalon Marketplace offers a menu of threat intelligence feeds focused in areas like passive DNS, deep/dark web activity, and phishing trends. Avalon customers can “tokenize” fractional data sets within the Marketplace via partners’ feeds, integrations, and enrichment sources, allowing customers of all sizes access to threat intelligence data and on-demand investigations. These slices of threat intelligence can then be applied to use cases like search queries, threat hunting, forensic investigations, and incident response. Avalon Marketplace also meters usage, allowing threat intelligence teams to see what they used, when they used it, and who used it. In this way, they can gauge which threat intelligence (and analysts) helped them improve security while cutting costs on expensive disparate threat intelligence feeds. Aside from SOC analysts, this can also help CISOs measure and justify threat intelligence spending requirements.

King & Union can help organizations that simply don’t have the staff or enterprise budgets for CTI analysis and operationalization as well with its Culper Group threat intelligence analysts services. The company offers a variety of threat intelligence and analysts services delivered both through traditional engagements and on an on-demand basis through the Avalon Marketplace. Customers can also tap into their collaboration community made up of threat intelligence experts among the company’s customers and partners. This wide range of options can help organizations augment staff and bolster CTI expertise and intelligence sharing.

The Bigger Truth

Threat intelligence analysis and operationalization is a specific skillset, requiring specialized resources, toolsets, and data sets. King & Union understands this and has designed its technologies and services with threat intelligence analysts’ requirements in mind. CISOs seeking to professionalize their organization’s threat intelligence programs should contact King & Union and judge for themselves how its products and services align with their objectives and strategy.