New threats and vulnerabilities appear constantly, and security analysts stay ahead of them by analysing each one carefully. The hard part is parsing the volume of data that arrives from many channels and extracting the parts that are actionable.
Traditional cybersecurity tools like antivirus software, firewalls, and gateways typically incorporate proprietary threat feeds. Yet, a notable gap often exists between the identification of a threat indicator (such as a malware signature or a malicious URL) and its integration into the official vendor threat feed. Here, Threat Intelligence Platforms (TIPs) play a crucial role, supplementing these official feeds with diverse threat data to expedite response times.
Both threat intelligence solutions and Security Information and Event Management (SIEM) tools help security teams analyse log events, but their focus differs. A SIEM consolidates, prioritizes, and stores the organization's own internal event logs. A threat intelligence feed concentrates on externally observed indicators and their context, and generally does not retain the organization's own event data for later investigation.
Key Considerations for Procuring Threat Intelligence Platforms
When deliberating the acquisition of a TIP, organizations must weigh both the breadth and depth of features. A proficient TIP should ideally encompass at least four of the following capabilities:
- Connection to External Threat Intelligence Feeds: These feeds should be current and comprehensive, covering aspects like malware, threat actors, and vulnerabilities, and include data such as malicious IP addresses, domains, and file hashes.
- Integration with Internal Systems: This includes systems like Endpoint Detection and Response (EDR) tools, firewalls, and network monitoring tools, enabling tracking of internal malicious or anomalous activities.
- Correlation of Feed Data: Effective matching of internal alerts with externally identified indicators of compromise is crucial.
- Facilitation of Rapid Assessments: This involves prioritized risk assessments, alerts, analysis tools, and intelligent data visualization.
- Enhancement of Other Security Tools: Integration with tools like Next-Generation Firewalls (NGFW), secure gateways, or Intrusion Detection and Prevention Systems (IDPS) that utilize threat feed information to detect and thwart malicious activities.
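The five capabilities above describe one pipeline: ingest an external feed, normalize it, match it against internal telemetry, and rank the matches. The following is an added illustration of that pipeline in working code; it is not code from the page or from any vendor. The feed entries, the log lines, the key=value log format, the field names and the scoring weights are all constructed for the example.

```python
"""Feed-to-telemetry correlation, as a TIP does it in miniature.

Added illustration (not from the page or any vendor product). All data
below is constructed; the schema, scoring weights and helper names are
this example's own assumptions.
"""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# 1. External feed (constructed sample). Real feeds arrive as STIX/TAXII,
#    CSV or vendor JSON; values here are deliberately messy: defanged,
#    mixed case, trailing whitespace, one malformed entry.
FEED_JSON = json.dumps([
    {"type": "ipv4", "value": "198.51.100[.]23", "confidence": 90, "first_seen": "2024-05-01"},
    {"type": "domain", "value": "Update-Login.EXAMPLE.net ", "confidence": 70, "first_seen": "2024-04-20"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "confidence": 50, "first_seen": "2023-11-02"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 99, "first_seen": "2024-05-01"},
])

# 2. Internal telemetry (constructed sample): firewall, DNS and EDR lines
#    from a hypothetical key=value log format.
INTERNAL_LOGS = [
    "ts=2024-05-03T10:02:11Z src=fw host=ws-117 action=allow dst_ip=198.51.100.23 dst_port=443",
    "ts=2024-05-03T10:02:12Z src=dns host=ws-117 query=update-login.example.net",
    "ts=2024-05-03T10:05:40Z src=edr host=ws-117 event=process_start sha256=" + "0123456789abcdef" * 4,
    "ts=2024-05-03T10:06:00Z src=fw host=srv-02 action=allow dst_ip=203.0.113.9 dst_port=443",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: int
    first_seen: datetime


def refang(value: str) -> str:
    """Undo common defanging: 1.2.3[.]4, evil(.)com, hxxp://."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(entry: dict) -> Indicator | None:
    """Canonicalize one feed entry; return None for anything malformed so it
    never lands in the match table."""
    t = entry["type"].lower()
    v = refang(str(entry["value"]))
    if t == "ipv4":
        try:
            v = str(ipaddress.IPv4Address(v))
        except ValueError:
            return None
    elif t == "domain":
        v = v.lower().rstrip(".")
    elif t == "sha256":
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", v):
            return None
    else:
        return None
    seen = datetime.fromisoformat(entry["first_seen"]).replace(tzinfo=timezone.utc)
    return Indicator(t, v, int(entry["confidence"]), seen)


def load_feed(raw: str) -> dict[tuple[str, str], Indicator]:
    table = {}
    for entry in json.loads(raw):
        ind = normalize(entry)
        if ind is not None:
            table[(ind.ioc_type, ind.value)] = ind
    return table


KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_observables(line: str) -> tuple[dict, list[tuple[str, str]]]:
    """Pull (type, value) observables out of one log line, canonicalized
    the same way the feed was so that dictionary lookup matches."""
    fields = dict(KV_RE.findall(line))
    obs = []
    if "dst_ip" in fields:
        obs.append(("ipv4", fields["dst_ip"]))
    if "query" in fields:
        obs.append(("domain", fields["query"].lower().rstrip(".")))
    if "sha256" in fields:
        obs.append(("sha256", fields["sha256"].lower()))
    return fields, obs


def score(ind: Indicator, fields: dict, observed: datetime) -> int:
    """Prioritize: feed confidence, decayed for stale indicators, raised when
    the traffic was allowed or when a file hash executed on a host."""
    s = ind.confidence
    if (observed - ind.first_seen).days > 180:
        s -= 30  # stale IOCs are the main source of feed-driven alert noise
    if fields.get("action") == "allow":
        s += 10  # the connection got through
    if ind.ioc_type == "sha256":
        s += 10  # a hash on an endpoint means execution, not just a lookup
    return max(0, min(100, s))


def correlate(table: dict, logs: list[str]) -> list[dict]:
    hits = []
    for line in logs:
        fields, obs = extract_observables(line)
        observed = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
        for key in obs:
            ind = table.get(key)
            if ind is not None:
                hits.append({"host": fields.get("host"), "type": ind.ioc_type, "ioc": ind.value,
                             "score": score(ind, fields, observed), "line": line})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits


def summarize_by_host(hits: list[dict]) -> dict:
    """Roll hits up per host: several indicator types on one machine is a
    stronger signal than any single match."""
    out: dict = {}
    for h in hits:
        s = out.setdefault(h["host"], {"hits": 0, "types": set(), "max_score": 0})
        s["hits"] += 1
        s["types"].add(h["type"])
        s["max_score"] = max(s["max_score"], h["score"])
    return out


if __name__ == "__main__":
    feed = load_feed(FEED_JSON)
    for h in correlate(feed, INTERNAL_LOGS):
        print(h["score"], h["host"], h["type"], h["ioc"])
    print(summarize_by_host(correlate(feed, INTERNAL_LOGS)))
```

Run as written, the malformed feed entry is dropped at normalization, host ws-117 produces three ranked hits (the fresh, allowed outbound connection scores highest; the six-month-old hash match is decayed), and srv-02 produces none. The decay and the per-host roll-up are the two pieces that turn a raw feed match into a prioritized assessment rather than another alert.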
Together these functions make a TIP valuable against newly observed threats for which vendor signatures do not yet exist, saving security teams time in identifying and resolving issues. Some teams conduct their analysis directly within the TIP; others feed TIP data into other parts of the security stack, such as a SIEM, a Security Operations Center (SOC), a Managed Detection and Response (MDR) team, or a Managed Security Service Provider (MSSP).
The Evolution and Significance of Threat Intelligence Solutions
As cyber threats have intensified, so has the evolution of threat intelligence solutions. Organizations typically progress through a sequence of tool adoption:
- Threat Intelligence Feeds: Initially focusing on gathering information on various threats including malicious sites, actors, malware, and trends.
- Threat Intelligence Platforms (TIPs): As needs advance, TIPs incorporate features to integrate internal feeds, rank threats, and provide contextual understanding of threats and indicators of compromise.
- Security Orchestration, Automation and Response (SOAR): These tools add capabilities for direct threat response through automation, integrations, and workflows.
- Extended Detection and Response (XDR): XDR tools further enhance capabilities with network and endpoint monitoring and response features.
Market Dynamics: The Shifting Terrain of Threat Intelligence
Threat intelligence remains a critical need, yet the landscape is shifting. TIPs, like User and Entity Behavior Analytics (UEBA), may transition from being a distinct tool category to a feature within more complex SOAR and XDR tools. Several tools have already evolved beyond their original scope:
- Palo Alto Networks: Transitioned to a suite of tools encompassing threat feeds (AutoFocus) and SOAR (Cortex XSOAR).
- LogRhythm Threat LifeCycle: Evolved into a SOAR tool.
- FireEye iSight and Mandiant Threat Intelligence: Transitioned into SOAR and XDR products under new corporate structures.
- RSA NetWitness Platform and AT&T Cybersecurity: Shifted towards XDR functionalities.
- CenturyLink Adaptive Threat Intelligence: Became part of Lumen’s Analytics and Threat Management, aligning with SOAR or XDR tools.
While threat intelligence feeds and management remain core functions, the integration of additional features has led these products to compete in different market categories.
Threat Intelligence Platforms
Threat Intelligence Platforms (TIPs) have become central to how organizations identify and mitigate cyber threats before they cause damage. This blog post covers the features, advantages, and trade-offs of some of the top TIPs on the market.
- Anomali ThreatStream
  - Key Features:
    - Aggregates millions of threat indicators.
    - Offers over 100 open-source feeds and additional commercial feeds.
    - Utilizes machine learning for threat intelligence scoring.
    - Automated data collection from diverse sources.
    - Data cleansing and normalization.
    - Integration with various security tools.
    - Brand monitoring and phishing response capabilities.
  - Pros:
    - Flexible deployment options.
    - Visual link analysis and integrated sandbox.
  - Cons:
    - Some transparency issues in scoring.
    - High system requirements for on-premises installations.
  - Pricing: Not publicly disclosed; estimated at $150,000 for a 12-month subscription for 3,500 employees on AWS Marketplace.
- IBM X-Force Exchange
  - Key Features:
    - Cloud-based collaborative platform.
    - Human-generated intelligence combined with a global security feed.
    - Monitors over 25 billion websites and millions of endpoints.
    - Customizable dashboard and early warning feed.
  - Pros:
    - Scalable cloud-based solution.
    - Extensive data visualization options.
  - Cons:
    - Limited self-service support.
    - Slow UI loading times.
  - Pricing: Offers various options, including a free non-commercial API.
- IntSights Threat Intelligence Platform
  - Key Features:
    - Real-time threat prioritization.
    - Dark web and deep web monitoring.
    - Extensive database for visualizing attacks.
  - Pros:
    - Integrated remediation and threat takedowns.
    - Easy to use with automated threat response.
  - Cons:
    - Limited customization options.
    - Resource-intensive agent.
  - Pricing: Not publicly disclosed; contact IntSights for details.
- LookingGlass Cyber Solutions
  - Key Features:
    - Dynamic Internet Footprinting.
    - Proprietary Threat Indicator Confidence scoring.
    - Aggregates data from over 87 feeds.
  - Pros:
    - Reduces alert fatigue.
    - Consolidates information for easy analysis.
  - Cons:
    - Affiliation concerns for international organizations.
    - Non-transparent pricing.
  - Pricing: License terms not disclosed; contact LookingGlass for information.
- Recorded Future
  - Key Features:
    - Comprehensive data sets for threat analysis.
    - Monitors identity and attack surface.
    - Investigates dark and deep web sources.
  - Pros:
    - Flexible deployment and natural language searches.
    - Risk scores based on actual malicious activity.
  - Cons:
    - High volume of initial alerts.
    - Multiple licenses required for full functionality.
  - Pricing: Modular pricing; ranges between $10,000 and $50,000 on AWS Marketplace.
- SolarWinds Security Event Manager (SEM)
  - Key Features:
    - Combines event tracking with a threat intelligence feed.
    - Centralized management and automated threat response.
  - Pros:
    - Affordable pricing for smaller budgets.
    - Effective integration with other SolarWinds tools.
  - Cons:
    - Limited threat feed.
    - Manual updates required.
  - Pricing: Starts at $2,877 per year; tiered pricing available.
- ThreatConnect
  - Key Features:
    - Low-code automation for security reactions.
    - Consolidation of data feeds and crowdsourced analytics.
  - Pros:
    - Reduces manual tasks and accelerates threat hunting.
    - Wide range of technology partner integrations.
  - Cons:
    - Geared towards enterprise customers with corresponding pricing.
  - Pricing: Not publicly disclosed; contact ThreatConnect for details.
Each of these platforms offers unique strengths and capabilities, catering to different organizational needs and security environments. From Anomali’s extensive threat aggregation to IBM’s global security feed, and from IntSights’ real-time prioritization to SolarWinds’ budget-friendly solutions, these TIPs provide a comprehensive range of options for enhancing cybersecurity measures. It’s crucial for organizations to assess their specific requirements and choose a platform that aligns with their security strategy and budget constraints.
The market for Threat Intelligence Platforms (TIPs) is rapidly evolving, with continuous advancements and competitive dynamics shaping the landscape. While our current list highlights the top tools in the market, emerging features and new entrants could lead to changes in this lineup. In addition to the leading platforms, several other vendors offer noteworthy solutions:
- Imperva ThreatRadar: Specializing in applications and web application firewalls, this platform integrates Imperva’s own research with intelligence from various partners and crowdsourced data. However, it’s not designed for traditional IT infrastructure.
- MISP Project: An open-source platform for sharing threat intelligence. MISP is cost-effective, but because it is built for sharing, it requires care (distribution levels, TLP tags, and a check of what an event actually contains) to avoid inadvertently sharing proprietary or internal information with other organizations.
- Proofpoint Emerging Threat Intelligence: This service provides intelligence feeds that help identify suspicious activities, integrating with other tools to contextualize threats in relation to brand and organizational assets.
- Threat Intelligence Platform (the product of that name): Offers APIs for integrating threat feeds into various tools and applications, using a consumption-based pricing model.
- SonicWall Capture Cloud Platform: A cloud-based solution that aggregates, normalizes, and contextualizes security data across the SonicWall ecosystem, providing real-time threat intelligence and indicators of compromise.
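The MISP caveat above is worth making concrete: once an instance is synchronized with a community, anything in an event that is not explicitly restricted goes out. The following is an added example of a pre-push gate, not code from the page, from the MISP project, or from PyMISP. The event is a constructed sample in a simplified subset of MISP's event JSON (the Event/Attribute/Tag nesting, the 0-3 distribution codes and "5 = inherit" for attributes follow MISP's documented format); the destination policy, the list of the organization's own domains and address ranges, and the helper names are this example's assumptions.

```python
"""Pre-share gate for a MISP-style event.

Added illustration (not from the page, MISP, or PyMISP). Before pushing an
event to a community instance, refuse or strip anything whose distribution
level, TLP tag, or content says it must stay inside the organization.
The event and the policy values are constructed for this example.
"""
from __future__ import annotations

import copy
import ipaddress
import re
from dataclasses import dataclass

# MISP distribution codes: 0 = your organisation only, 1 = this community,
# 2 = connected communities, 3 = all communities, 4 = sharing group,
# 5 = inherit from event (attributes only).
ORG_ONLY, INHERIT = "0", "5"

# TLP ranking, lowest = most restrictive. tlp:clear is the newer name for tlp:white.
TLP_RANK = {"tlp:red": 0, "tlp:amber+strict": 1, "tlp:amber": 2,
            "tlp:green": 3, "tlp:white": 4, "tlp:clear": 4}

# Assumed organization facts (constructed): our own domains and address space.
OWN_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample event, simplified MISP JSON shape.
SAMPLE_EVENT = {"Event": {
    "info": "Phishing campaign targeting finance staff",
    "distribution": "1",
    "Tag": [{"name": "tlp:amber"}],
    "Attribute": [
        {"type": "domain", "value": "update-login.example.net", "distribution": INHERIT, "to_ids": True, "Tag": []},
        {"type": "ip-dst", "value": "198.51.100.23", "distribution": INHERIT, "to_ids": True, "Tag": [{"name": "tlp:green"}]},
        {"type": "ip-src", "value": "10.20.30.40", "distribution": INHERIT, "to_ids": False, "Tag": []},
        {"type": "email-src", "value": "cfo@corp.example", "distribution": ORG_ONLY, "to_ids": False, "Tag": []},
        {"type": "comment", "value": "Seen on ws-117 in the finance VLAN", "distribution": INHERIT, "to_ids": False,
         "Tag": [{"name": "tlp:red"}]},
    ],
}}


@dataclass(frozen=True)
class Destination:
    name: str
    min_tlp: str  # least restrictive TLP this destination is cleared to receive


def tlp_of(tags: list[dict], default: int) -> int:
    """Most restrictive TLP tag present, or the inherited default."""
    ranks = [TLP_RANK[t["name"].lower()] for t in tags if t["name"].lower() in TLP_RANK]
    return min(ranks) if ranks else default


def is_internal_ip(value: str) -> bool:
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def touches_own_domain(value: str) -> bool:
    """Catch our own domains in emails, hostnames and URLs (attribute values only)."""
    host = value.rsplit("@", 1)[-1].lower()
    host = re.sub(r"^\w+://", "", host).split("/")[0]
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def prepare_for_push(event: dict, dest: Destination) -> tuple[dict | None, list[str]]:
    """Return (sanitized copy, reasons). None means the whole event stays home."""
    ev = copy.deepcopy(event)["Event"]
    reasons: list[str] = []
    floor = TLP_RANK[dest.min_tlp]
    if ev.get("distribution", ORG_ONLY) == ORG_ONLY:
        return None, ["event distribution is org-only"]
    event_tlp = tlp_of(ev.get("Tag", []), default=TLP_RANK["tlp:amber"])
    if event_tlp < floor:
        return None, [f"event TLP below what {dest.name} may receive"]

    kept = []
    for attr in ev.get("Attribute", []):
        label = f'{attr["type"]}={attr["value"]}'
        if attr.get("distribution", INHERIT) == ORG_ONLY:
            reasons.append(f"{label}: org-only distribution")
        elif tlp_of(attr.get("Tag", []), default=event_tlp) < floor:
            reasons.append(f"{label}: TLP too restrictive for {dest.name}")
        elif is_internal_ip(attr["value"]):
            reasons.append(f"{label}: internal address (victim side, not an IOC)")
        elif touches_own_domain(attr["value"]):
            reasons.append(f"{label}: references our own domain")
        else:
            kept.append(attr)
    ev["Attribute"] = kept
    return {"Event": ev}, reasons


if __name__ == "__main__":
    out, why = prepare_for_push(SAMPLE_EVENT, Destination("sector-isac", "tlp:amber"))
    print([a["value"] for a in out["Event"]["Attribute"]], why)
```

Against a destination cleared for tlp:amber, the two real indicators (the phishing domain and the attacker IP) survive and the three internal items (victim workstation address, the targeted executive's address, the red-tagged analyst comment) are stripped with a reason each; against a destination cleared only for tlp:green the amber event is refused outright. The original event is left unmodified, so the internal copy keeps its full context.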
Additionally, certain high-quality TIPs are most beneficial for customers already using related products from the same company, as they may not integrate well with tools from other vendors. These include:
- Accenture iDefense: Offers security intelligence through the IntelGraph platform, exclusively for Accenture customers.
- Check Point ThreatCloud: Integrates threat prevention and analysis within the Check Point ecosystem.
- Cisco Threat Intelligence Director (TID): Automates threat intelligence operationalization for Cisco-managed firewalls.
- CrowdStrike Falcon X: Provides threat analysis features, primarily beneficial for existing CrowdStrike customers.
- Kaspersky’s Threat Intelligence Portal: Offers threat analysis tools and feeds, best suited for those using Kaspersky’s endpoint protection.
- Symantec DeepSight Intelligence: Leverages the Symantec Global Intelligence Network to provide threat visibility, mainly for current Symantec customers.
While not every organization directly benefits from threat intelligence feeds and solutions, they play a crucial role in enhancing the security stack. Smaller organizations might rely on proprietary threat feeds embedded in their existing products or provided by service providers. As organizations grow and their security needs become more complex, they increasingly require solutions that contextualize log activity and rapidly update threat feeds. TIPs don’t replace existing tools but rather complement them by accelerating threat information delivery, thereby enhancing tool performance and the capabilities of security analysts and incident response teams.