Threat information is delivered to organizations in varying ways - email, PDF, APIs, JSON, STIX/TAXII, etc. End users then process the data, in many cases manually, to determine its relevance to the organization. Relevance and timeliness help an organization decide whether it needs to address the threat and take action.
This action phase results in new rules in the firewall, SNORT rules in the IDS, updates to the proxy server, and new rules in the SIEM, and it is performed throughout the day, evening, and weekend - whenever the latest information is delivered.
Manually processing the data, understanding the reports, and creating the types of rules for the existing security devices is a time-consuming effort. In large organizations there are often dedicated teams who operate the various security tools; however, in smaller organizations it is often just a few people who have that responsibility. It is no wonder the largest complaint about threat intelligence is the inability to keep up and take action on the data.
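The manual translation step described above, automated for the simplest case, as an added example that is not from the original article: it ingests constructed STIX 2.1 indicator objects, applies the timeliness check the text mentions (the indicator's validity window), and emits SNORT alert rules and an iptables drop rule. Every value is constructed; 192.0.2.10 and bad.example are documentation placeholders, and the helper names are this example's own.

```python
import json
import re
from datetime import datetime, timezone
# Constructed STIX 2.1 indicators for illustration only (not real threat data).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "constructed C2 address", "pattern": "[ipv4-addr:value = '192.0.2.10']",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "constructed expired domain", "pattern": "[domain-name:value = 'bad.example']",
     "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2020-06-01T00:00:00Z"},
]})
# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '192.0.2.10'].
PATTERN_RE = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_current(indicator, now):
    """Timeliness check: only indicators inside their validity window become rules."""
    if parse_ts(indicator["valid_from"]) > now:
        return False
    until = indicator.get("valid_until")
    return until is None or parse_ts(until) > now

def dns_content(domain):
    """Encode a domain as DNS wire-format labels in SNORT content syntax."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split("."))

def indicator_to_rules(indicator, sid):
    """Translate one indicator into a SNORT alert and, for IPs, an iptables drop."""
    m = PATTERN_RE.fullmatch(indicator["pattern"])
    if not m:
        return []  # compound patterns are left for analyst review
    kind, value = m.groups()
    msg = re.sub(r'[";]', "", indicator.get("name", indicator["id"]))
    if kind == "ipv4-addr":
        return [f'alert ip $HOME_NET any -> {value} any (msg:"{msg}"; sid:{sid}; rev:1;)',
                f"iptables -A OUTPUT -d {value} -j DROP"]
    return [f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; '
            f'content:"{dns_content(value)}"; sid:{sid}; rev:1;)']

def bundle_to_rules(bundle_json, now_iso=None, base_sid=1000001):
    """Walk a STIX bundle and emit rules for every indicator that is current."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    rules = []
    for i, obj in enumerate(json.loads(bundle_json)["objects"]):
        if obj.get("type") == "indicator" and is_current(obj, now):
            rules.extend(indicator_to_rules(obj, base_sid + i))
    return rules
```

Run with `bundle_to_rules(SAMPLE_BUNDLE)` and only the unexpired indicator produces rules; a compound pattern returns an empty list so an analyst still reviews it.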
Challenges with this approach: