Staying in front of security threats is an increasingly difficult proposition. Despite a mind-boggling array of sophisticated tools, solutions and systems, the risks continue to grow.
That’s where threat intelligence enters the picture. It attempts to step beyond traditional antivirus and other malware protection and offer insights and protection proactively. As zero-day attacks and polymorphic malware flourish, these systems aim to ratchet up detection and protection, typically through data analytics and machine learning.
Threat intelligence platforms (TIPs) aggregate, ingest and organize data from a number of sources — including internal logs and external feeds — to spot risks early. They use APIs, bots and other methods to examine data, such as IP addresses, website content, server names and characteristics and SSL certificates. Many platforms also rely on anonymous open source data sharing.
By examining patterns and various events and enriching the data, a TIP can spot unusual and threatening behaviors, tactics, techniques and procedures that can lead to an intrusion, data breach, ransomware or other cybersecurity problem. Many link to security information and event management (SIEM) solutions, endpoints, firewalls, APIs, intrusion prevention systems (IPSs) and other security components. Many of the leading platforms also rely on human analysts to dig deeper.
As staff working in security operations centers (SOCs) attempt to gain the upper hand on security risks, bad actors and emerging attack vectors, many are tapping threat intelligence frameworks. The value of a TIP is that it helps teams prioritize risks and threats and automate security responses. Emergen Research reports that the global threat intelligence market will reach $20.28 billion by 2028. What’s more, many platforms are turning to AI and machine learning to improve real-time threat intelligence.
Yet, all threat intelligence platforms aren’t created equal. It’s critical to understand what exactly a platform offers, how it works, what it costs and what the vendor’s roadmap is for the future. With millions of threat indicators appearing daily — and many of them increasingly sophisticated — organizations are recognizing that quick assessment and response is a critical element in preventing economic and reputational damage.
How to Select the Right Threat Intelligence Platform
A number of factors are important when choosing a threat intelligence platform. Among them:
- What data does the platform include and what’s the source of this data? It’s important to know how and where the vendor is collecting data, including the original source, and how it processes data. This might include factors such as IP addresses and domain URLs, reputational scores, newly discovered security risks and known vulnerabilities.
- What format is the data? Vendors typically offer data feeds in CSV, XML, STIX, PDF and JSON. Some provide APIs to accommodate web services. In addition, it’s important to understand how the data is packaged — or how it can be adapted. This may include reports, summaries and alerts, along with customized feeds for customers.
- How does the vendor formulate reports and alerts? What methodologies does it use to combine and blend data feeds en route to developing advisories and alerts? Does it rely only on machine data or use trained analysts? What other ways does the vendor distinguish itself from its peers?
- How often does the vendor update the intelligence data? Ideally, data connections are real-time or constantly updated throughout a day.
- What’s the price for a subscription? Prices among vendors vary greatly, often based on the type of services an organization requires. Some TIP vendors offer tiered product offerings, including free or inexpensive basic versions. Typically, the cost for an organization is several thousand dollars per month.
- What’s included in the package? It’s important to know what resources the vendor has for learning how to use the platform and whether it offers any training. It’s also essential to know what services and support the vendor provides. Is there a 24/7 helpline? Is it live phone support or email support? If it’s the latter, how soon does the vendor respond?
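As an added illustration of the ingest-and-enrich workflow described above and of the feed formats listed among the selection criteria (example code written for this article, not any vendor's product), the following Python merges a constructed STIX 2.1 bundle and a constructed CSV feed into one indicator set, keeps the highest confidence and the number of feeds reporting each indicator, and matches the result against constructed proxy/DNS log lines. The feed contents, log lines, CSV column layout and confidence threshold are all assumptions.

```python
import csv
import json
import re

STIX_FEED = json.dumps({"type": "bundle", "objects": [  # constructed sample; STIX ids omitted
    {"type": "indicator", "confidence": 80, "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "confidence": 60, "pattern": "[domain-name:value = 'Malicious.example']"},
]})
CSV_FEED = "type,value,confidence\nipv4-addr,203.0.113.7,90\ndomain-name,malicious.example,40"
LOGS = [  # constructed proxy/DNS log lines to check against the merged feed
    "2024-03-01T10:00:01Z proxy allow src=10.0.0.5 dst=198.51.100.23 host=cdn.example.net",
    "2024-03-01T10:00:02Z dns query name=malicious.example client=10.0.0.9",
    "2024-03-01T10:00:03Z proxy allow src=10.0.0.5 dst=203.0.113.7 host=legit.example.org",
]
STIX_SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name|url):value = '([^']+)'\]$")
LOG_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9.-]+\.[a-z]{2,}\b")

def ingest_stix(text):
    """Yield (type, value, confidence) for single-comparison STIX 2.1 indicator patterns; compound patterns are skipped, not guessed."""
    for obj in json.loads(text).get("objects", []):
        m = STIX_SIMPLE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            yield m.group(1), m.group(2).strip().lower(), int(obj.get("confidence", 50))

def ingest_csv(text):
    """Yield (type, value, confidence) from a type,value,confidence CSV feed."""
    for row in csv.DictReader(text.splitlines()):
        yield row["type"], row["value"].strip().lower(), int(row["confidence"])

def aggregate(*sources):
    """Merge named feeds: keep the highest confidence and record which feeds reported each indicator."""
    merged = {}
    for name, rows in sources:
        for itype, value, conf in rows:
            e = merged.setdefault((itype, value), {"confidence": 0, "sources": set()})
            e["confidence"] = max(e["confidence"], conf)
            e["sources"].add(name)
    return merged

def match_logs(indicators, lines, min_confidence=50):
    """Yield (line_no, value, confidence, feed_count) for log tokens that hit a strong enough indicator."""
    for n, line in enumerate(lines, 1):
        for tok in LOG_TOKEN.findall(line.lower()):
            e = indicators.get(("ipv4-addr", tok)) or indicators.get(("domain-name", tok))
            if e and e["confidence"] >= min_confidence:
                yield n, tok, e["confidence"], len(e["sources"])

def run_demo(min_confidence=50):
    feed = aggregate(("stix", ingest_stix(STIX_FEED)), ("csv", ingest_csv(CSV_FEED)))
    return list(match_logs(feed, LOGS, min_confidence))
```

Raising `min_confidence` is the simplest form of the prioritization the text describes: low-confidence indicators from a single feed drop out before they reach an analyst.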
10 top threat intelligence platforms
- AlienVault USM
- Anomali ThreatStream
- CrowdStrike Falcon
- FireEye Threat Intelligence
- IBM X-Force
- IntSights External Threat Protection Suite
- Kaspersky Threat Intelligence Services
- Mimecast Threat Intelligence
- Palo Alto Networks
- Recorded Future
AlienVault USM
The unified security management (USM) solution, part of AT&T, provides threat detection, incident response and compliance management capabilities. It collects and analyzes data from across attack surfaces, aggregates risks and threats — and continually updates threat information. The solution is designed to work within an ecosystem of AlienApps, which enables organizations to orchestrate and automate actions, based on events.
- Robust cloud support, including automated AWS and Azure discovery
- Offers pre-built templates along with highly customizable reports and dashboards
- Highly automated
- Offers forensic querying
- High customer ratings
- Can be difficult to configure and customize
- Some users say the interface can be challenging
- Some users complain about inadequate customer support
Anomali ThreatStream
Anomali offers a robust platform for threat intelligence. It consolidates threat management and automates detection of risks with a set of tools that collect, manage, integrate, investigate and share data within an organization and from outside. The platform is available for on-premises and cloud-native deployments and includes support for virtual machines and air-gapping.
- Excellent user interface
- A mature platform with a deep and broad set of features
- Supports numerous data formats
- First-rate reporting capabilities
- High customer support ratings
- Some users complain about the lack of flexibility and an inability to adequately customize the platform
- Lacks some automated reporting features
- Inability to fully integrate with SIEM systems and freely move data between various systems
CrowdStrike Falcon
The company has established itself as a leader in the TIP space. It offers next-generation endpoint protection by combining antivirus (AV), endpoint detection and response (EDR) and a 24/7 managed hunting service via a lightweight agent that’s installed on devices. CrowdStrike’s services include advanced threat intelligence reporting and access to intelligence analysts who tailor intelligence and responses to an organization’s specific needs and requirements.
- Large user base
- Delivers high quality intelligence information using both machine and human analysis
- Excellent and generally easy-to-use interface
- Highly rated customer service and support
- The lightweight agent doesn’t impact the performance and stability of systems
- It’s a tiered service that can be pricey
- Reporting functions aren’t as flexible as some users desire
- Log management can be complex and confusing
- Mac features lag behind Windows and Linux
FireEye Mandiant Threat Intelligence
The company has staked out a position as a pioneer and leader in the field. Its threat intelligence module is available as a software-as-a-service (SaaS) solution, and it combines both data analytics and human oversight to spot and thwart threats. FireEye includes a dashboard, machine intelligence functions and other tools to provide broad and deep real-time insights.
- Delivers high-quality threat intelligence information due to both machine and human collection and analysis capabilities
- Typically integrates well with other tools, such as SIEM
- Offers a free version with limited features
- Users give FireEye high ratings for customer support
- Can require a high level of technical knowledge to interpret reports and use the platform effectively
- Some users report that the platform generates too much technical data that’s not actionable
IBM X-Force Threat Intelligence Services
IBM offers an expansive platform for managing threat intelligence. At the center: the company’s blending of machine-readable real-time data and human oversight. IBM offers detailed intelligence reports on threat activity, malware, threat actor groups and industry assessments. Its enterprise intelligence management platform is designed to feed threat data to existing security systems within organizations.
- Provides a high-quality and up-to-date view of threats collected from a wide array of sources
- Forrester describes the “accuracy and specificity” of data as a core strength
- Generates low false-positive rates
- Some users complain that the interface could be more user friendly
- Can be complex and difficult to use effectively
- Intelligence information may be too general at times. Some users say the platform could provide more contextualized and precise information
IntSights External Threat Protection Suite
IntSights offers a threat intelligence platform that aggregates and enriches a diverse set of data sources. It includes a vulnerability risk analyzer and a third-party and dark web checker. The platform delivers information through a single dashboard, and it offers real-time context in order to prioritize risks and help organizations conduct investigations — and block threats.
- Offers a well-designed and easy-to-use interface
- Provides rich and varied data
- Highly rated customer sales and support
- Reporting features aren’t as flexible or robust as some users would like
- Sometimes delivers too much unneeded data along with dated threat intelligence information
- Limited information and insights into dark web activities and behaviors
Kaspersky Threat Intelligence Services
Although the company’s threat intelligence offering is only part of its overall focus on cybersecurity, the company is a leader in the threat intelligence space. It provides threat data feeds, threat lookups and digital footprint intelligence that can expose an organization’s weak spots.
- Provides high-quality threat data
- The company is aggressively focused on adding third-party integrations and support for new data sources
- Offers rich reporting capabilities
- Users complain that the solution can be complex and at times difficult to use
- Sometimes provides too much general or irrelevant data
- The user community reports high false-positive rates
- Lacks automation that other leading vendors provide in their TIP platforms
Mimecast Threat Intelligence
With a focus on email security, Mimecast examines numerous data sources to detect attacks. The subscription-based cloud security service is designed to protect email systems from various types of threats, ranging from viruses to ransomware. This includes URL protection that identifies, blocks and rewrites malicious links in email. The threat intelligence platform also helps prevent users from accessing dangerous sites or downloading malicious content.
- Highly scalable
- URL protection methods are highly effective in thwarting phishing and malware
- A security operations center continuously monitors and analyzes threats
- A focus on email security means that an organization will likely require other threat intelligence solutions
- Users complain that Mimecast provides minimal support for archived emails
Palo Alto Networks WildFire
Harnessing inline machine learning, bare metal analysis and dynamic and static analysis, WildFire delivers a threat intelligence platform designed for zero-day malware protection. The TIP blocks unknown and high-risk file types, scripts and other data by extracting pieces of files, analyzing them and conducting data analysis across hundreds of behavioral characteristics.
- Incorporates machine learning
- Uses a multi-layered approach to increase threat detection
- Highly automated
- Strong integration with SIEMs and other tools
- Large user base of 35,000+ delivers excellent shared intelligence
- Expensive compared to other platforms
- Can be difficult to set up, and it’s not easily customizable
- Some users complain about the lack of customer support
Recorded Future
The vendor pulls and classifies data from “billions of entities” across languages and geographies to map relationships and spot threats. It combines advanced analytics and machine learning to discover, categorize and deliver real-time threat intelligence. Recorded Future also relies on a team of human analysts to guide data models and provide direction.
- Delivers robust and extensive data collection capabilities and security intelligence
- Highly flexible with different modules designed for specific needs and risks
- Excellent interface
- Strong search capabilities, including the ability to set up automated queries
- Supports numerous types of threat intelligence, including brand, SecOps, threats, vulnerabilities, geopolitical and third party
- Licensing model can be complex and expensive if a company uses multiple modules
- Some users complain that the API is not as mature and robust as they would like
- May require considerable training to use all the various features and capabilities
Comparison Table of Threat Intelligence Platforms