Join us at the Rocky Mountain Hackfest, Live Online!! Virtual summit and courses take place June 4-13.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right.Once you register, you can download the presentaion slides below.

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing

  • Tuesday, January 19, 2016 at 3:00 PM EST (2016-01-19 20:00:00 UTC)
  • Alex Pinto

You can now attend the webcast using your mobile device!



For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year, and are able to gather and compare data from multiple Threat Intelligence sources on the Internet. This research culminated on a talk on SANS CTI Summit 2015 and a contribution to the Verizon DBIR on the same year.

On this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us in the right track to close these gaps. We propose a new set of metrics on the same vein as TIQ-test to help you understand what does a "healthy" threat intelligence sharing community looks like.

To better illustrate the points and metrics, we will be conducting part of this analysis using usage data from some high-profile threat intelligence platforms and sharing communities, that have been kind enough to contribute with usage data for this research.

Join us in an data-driven analysis of threat intelligence sharing communities and their impact on operational usage of indicators!

Learn more about data-driven threat intelligence at the upcoming CTI Summit in Alexandria, VA February 3-4, 2016.

The fourth annual Cyber Threat Intelligence Summit brings experienced intelligence practitioners together - onstage and off - to feature contemporary theories, research, and tradecraft divided along tactical, operational, and strategic levels. By adopting this format change, with exciting keynotes to usher in each of the three sections, we hope to better frame the summit content so participants can immediately see where in their organizations each of the tools, methodologies, and processes can be applied as soon as they are back in the office.

  • Decrease your adversary's likelihood of success with each subsequent attempt.
  • Ensure your security programs are up-to-date to outsmart sophisticated attacks.
  • Obtain accurate and timely information to monitor new and evolving attacks.
  • Utilize this information to detect and ultimately avoid a security breach.

Speaker Bio

Alex Pinto

Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to support the information security monitoring practice. So far, he has presented the results of his research at multiple conferences, such as Black Hat USA, DEFCON, BSidesLV, BayThreat and ISC2 Security Congress. He has almost 15 years dedicated to all-things information security, and 3 years in Data Science related work. If you are into certifications, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost 7 years, but is almost fully recovered from that.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.