
Improving the Signal-to-Noise Ratio in Threat Detection

Companies are generating massive amounts of data every minute. It’s impossible, unrealistic, and cost-prohibitive for analysts to spot every threat. That’s why even though breaches are in decline year over year, the first quarter of 2018 saw 686 breaches that exposed 1.4 billion records through hacking, skimming, inadvertent Internet disclosure, phishing, and malware.

To avoid becoming a statistic, improve your threat intelligence signal-to-noise ratio to help ensure real threats get the right attention. Take a look at these 5 steps to improve your threat detection response time.


Effective threat intelligence requires a strategy. Moving forward without one automatically puts you in a reactive posture instead of a proactive posture. Your strategy helps guide other decisions, like choosing optimal threat intelligence sources, making choices and decisions more straightforward for you and your team.

How do you identify a solid strategy? Experts suggest the best strategies not only safeguard data from attack but also protect it if an attack occurs. Those protections could include concealing how you’re conducting threat intelligence, to keep bad actors in the dark about your troubleshooting activity, or obfuscating your network architecture and operations to strip out context and meaning, making attacks more difficult (and your organization a less desirable target).


Once you’ve defined your strategy, select threat intelligence sources to help you meet your objectives. What sources will bring you closer to what you’re trying to accomplish?

When it comes to choosing your sources, there are generally 3 types of intelligence:

  • Free/Open Source Feeds. These feeds source data from the same places and report on the same indicators of compromise. Pros are that they provide a large swath of data. Cons are that data duplication and/or overlap will need to be managed for the intelligence to be more useful than redundant.
  • Purchased Feeds. Purchased feeds are paid feeds with specific areas of focus. Pros are that the data quality is high. Cons are that the focus of each feed is narrow and will likely require you to select multiple feeds for better context.
  • Threat Intelligence Platforms. Typically, providers of these platforms offer feeds of original research and often curate open source/free feeds along with analytics tools or dev-friendly APIs designed to simplify feed integration. Pros are that they provide a valuable stepping stone for organizations growing into threat intelligence. Cons are that they are pricier than individual threat intelligence feeds.


Once you’ve selected your intelligence sources, adding centralized log management to your SIEM tool helps your SIEM solution do its job better. That’s because multiple log sources generate too much data to realistically review and analyze by hand.

Instead, centralized log management helps you undertake a threat investigation with data, and do a deeper analysis of threat origin and path. This more thorough investigation informs remediation tactics and fortifies your network against future threats, connecting directly back to your threat intelligence strategy.

Best of all, centralized logging makes it possible to add your selected threat feeds to your log management system through a single integration.


Integrating threat intelligence feeds lets you create rules that compare indicators of compromise against your log data. To do this:

  1. Identify the types of indicators available in the feed
  2. Examine logs from your security devices
  3. Determine which log fields contain information that can be compared against your indicators
  4. Establish rules for your SIEM to use for comparing and alerting analysts to matches
  5. Set up real-time notifications for analysts when a match is identified

This process ensures threats are recognized and can be reviewed in real time (or as close to it as possible), reducing time to action or remediation.


Most threat intelligence solutions already automate repetitive tasks like data collection and processing. The next step is to automatically block the highest threat matches identified by these tasks. This action results in fewer manual processes for analysts so they can focus on higher value tasks.

You might be saying, “Sure, but what about stakeholders who are concerned about blocking legitimate traffic?” We hear you. There are specific ways to set up your automated blocking to help mitigate those concerns—check out an upcoming post about selling stakeholders on automated threat response for details.
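The five integration steps above, plus the confidence-gated automated blocking described in this section, as an added illustration that is not Graylog’s own code: a constructed indicator feed (CSV) is indexed by type, key=value log lines from a firewall, a DNS resolver and an endpoint agent are parsed, a field-to-indicator map decides which log fields are comparable to which indicator types, and each match is tagged "block" or "alert" depending on whether its feed confidence clears a threshold. The feed, the log lines, the field names and the threshold are all assumed values.

```python
import csv
import io
import re

# Constructed sample feed (not from any real provider): indicator type, value, confidence 0-100
FEED_CSV = """type,indicator,confidence
ip,203.0.113.45,95
ip,198.51.100.7,40
domain,bad-updates.example,80
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,99
"""

# Constructed sample logs in key=value form (firewall, DNS resolver, endpoint agent)
LOGS = [
    "2018-04-02T10:01:00Z fw action=allow src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2018-04-02T10:01:05Z dns client=10.0.0.9 query=bad-updates.example rtype=A",
    "2018-04-02T10:01:07Z fw action=allow src=10.0.0.8 dst=93.184.216.34 dport=80",
    "2018-04-02T10:02:00Z edr host=ws-12 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2018-04-02T10:02:30Z fw action=allow src=10.0.0.3 dst=198.51.100.7 dport=22",
]

# Step 3: which log fields hold values comparable to which indicator types (assumed field names)
FIELD_MAP = {"src": "ip", "dst": "ip", "client": "ip", "query": "domain", "sha256": "sha256"}

BLOCK_THRESHOLD = 90  # only the highest-confidence matches are auto-blocked; the rest just alert

KV = re.compile(r"(\w+)=(\S+)")


def load_feed(text):
    """Step 1: index the feed as (type, value) -> confidence."""
    return {(r["type"], r["indicator"]): int(r["confidence"]) for r in csv.DictReader(io.StringIO(text))}


def parse_log(line):
    """Step 2: turn a key=value log line into a dict of fields."""
    return dict(KV.findall(line))


def match(line, feed):
    """Steps 4-5: compare each mapped field against the feed; return one record per hit."""
    fields = parse_log(line)
    hits = []
    for field, ioc_type in FIELD_MAP.items():
        value = fields.get(field)
        if value is not None and (ioc_type, value) in feed:
            conf = feed[(ioc_type, value)]
            action = "block" if conf >= BLOCK_THRESHOLD else "alert"
            hits.append({"field": field, "indicator": value, "confidence": conf, "action": action})
    return hits


def run(logs, feed_text):
    """Evaluate every log line and return (line, hit) pairs for the analyst notification queue."""
    feed = load_feed(feed_text)
    return [(line, hit) for line in logs for hit in match(line, feed)]
```

With the sample data, the two high-confidence indicators (the firewall destination and the file hash) come back as "block" and the lower-confidence domain and IP as "alert", while the benign firewall line produces nothing.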


Developing a more responsive and effective threat detection and remediation system doesn’t have to be complicated. Create an intelligence strategy to inform your decisions, then choose intelligence sources that help you meet your strategic objectives. Centralize your log management to make feed integration faster and easier, generating more context around a potential threat. Then integrate your threat feeds according to your indicators of compromise so you can automate blocking of the highest-threat matches and save analysts time. This process ensures threat signals can be heard more clearly over data noise, improving response time and helping keep bad actors at bay.
