Focusing on threat intelligence solutions this month, the team observed three primary solution categories – threat intelligence providers, platforms and gateways. These three classes all provide threat intelligence to an organization, though each type takes a different approach when packaging the information.
Threat intelligence providers are essentially what their name implies – security organizations that actively produce and provide threat intelligence feeds. The organizations typically use human activity and artificial intelligence to help harvest information from both open and closed sources. They then deliver the information through a premium feed (usually available at an extra cost), prepackaged software, or another method such as emails or reports.
Providers offer the main source of information in the threat intelligence world and are vital to the success of any threat intelligence program. Often, they maintain teams of researchers or investigators who actively hunt threats to help make the internet a safer place for everyone. The firms share the information that is discovered during these activities.
The threat intelligence platform is what most commonly comes to mind when security professionals consider the threat intelligence space. These software solutions are developed to ingest multiple feeds – typically both open and premium – pass them through their artificial intelligence mechanisms and output a threat intelligence “feed” to be consumed by the user via a GUI.
The platforms often incorporate features such as structural formatting, real-time alerting, custom reporting and third-party integrations. Integrations are usually built into the platform and can vary from SIEM solutions to firewalls to endpoint protection tools. Most platforms also offer APIs to integrate the platform with other technologies for which the connectors are not yet built. The APIs can be leveraged to pull data into a platform or export processed results outward, with most platforms supporting STIX and TAXII records, as well as a few other staples.
While the platform approach is certainly impressive, a few companies have taken a different tack and offer threat intelligence gateways. These products sit between an edge device and an internet router and allow you to process the threat intelligence to take immediate action. The devices are very similar to existing firewalls in that policies are triggered to drop any traffic that meets certain conditions. As a result, you can block traffic based on your threat intelligence prior to it getting to your firewall. This process could potentially take the load from your next-gen firewall and allow it to focus on other security functions.
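As an added example (not code from the review or from any of the products it covers), the following illustrates both the platform-side consumption of STIX records described above and the gateway-style matching that follows: it parses a constructed STIX 2.1 indicator bundle, extracts the IoC values, and matches them against constructed firewall and DNS log lines, which is the kind of hit a SIEM alert or a gateway drop policy would key on. The bundle contents, log format and the `dst=`/`query=` field names are assumptions for the example.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a platform's exported feed (not real indicators).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-01T00:00:00Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'c2.example']",
         "valid_from": "2024-01-01T00:00:00Z", "labels": ["malicious-activity"]},
    ],
})

# Matches one equality comparison inside a STIX pattern: <object-type>:value = '<literal>'
_COMPARISON = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")

def extract_iocs(bundle_json):
    """Return {ioc_type: set(values)} from every non-revoked indicator in a STIX 2.1 bundle."""
    # Only simple equality comparisons are handled; ranges, regex and timing qualifiers are ignored.
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for ioc_type, value in _COMPARISON.findall(obj.get("pattern", "")):
            iocs.setdefault(ioc_type, set()).add(value.lower())
    return iocs

# Constructed firewall and DNS log lines using documentation-range addresses (assumed format).
LOG_LINES = [
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-01T10:00:02Z src=10.0.0.7 dst=198.51.100.9 dport=80 action=allow",
    "2024-03-01T10:00:03Z src=10.0.0.5 query=c2.example type=A",
]
_FIELD = re.compile(r"\b(dst|query)=(\S+)")

def match_logs(lines, iocs):
    """Return (line, ioc_type, value) for each log line whose destination or query hits the feed."""
    hits = []
    for line in lines:
        for field, value in _FIELD.findall(line):
            ioc_type = "ipv4-addr" if field == "dst" else "domain-name"
            if value.lower() in iocs.get(ioc_type, set()):
                hits.append((line, ioc_type, value))
    return hits
```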
While more information can be better, organizations typically hit a roadblock and quickly realize that too much information, without context or follow-up, can be a nightmare. Even too much general information, without a designated and proper plan, can quickly overwhelm a team of unprepared analysts. That can quickly discourage any security team, hindering any traction toward applying threat intelligence findings, as the team starts focusing on less noisy security tools.
So how is it possible to break this cycle? If the first responses that come to mind are platitudes like “to increase our security posture,” it is time to re-envision what intelligence means and what value it holds for an organization. Security teams must first plan around the core objectives of an appropriate threat intelligence program. With a proper business vision in mind – for example, to reduce risk by “X” percent by the end of each quarter – the security officer can track the execution of a program initiative and determine the risks most important to an organization, focusing on the indicators of compromise that, if mitigated, will most reduce your organizational risk.
The tools reviewed this month appear somewhat similar to one another, although different enough to make it completely reasonable to use more than one of them to increase effectiveness. Any of the solutions will help members of a security team determine the information relevant to their organizations so that they can take appropriate actions to apply it and, indeed, improve security posture.
Picks of the Litter
This month SC Labs had the chance to look at some amazing threat intelligence tools. Recorded Future is integrated with most products we looked at, and with good reason. The company continues to show leadership in the space, earning our top spot as an SC Lab Approved solution. Anomali showcased a great threat intelligence platform at an amazing price, making it our SC Labs Best Buy. Iris Investigation Platform by DomainTools provides a unique look at the internet and the threats associated with it. DomainTools offers intelligence that can’t be found anywhere else. Iris Investigation Platform earned its place as SC Labs Recommended.