Reviewed By: Matthew Hreben & Michael Diehl
The Anomali Threat Platform automates the identification of serious attacks targeting organizations, prioritizes threats based on their severity and confidence, and provides context to understand and respond to the threat. Anomali offers this platform not only as an on-premises solution but also as Software as a Service (SaaS), which is the model of choice for most customers.
The platform consists of two components: ThreatStream and Integrator (formerly ThreatStream Link). ThreatStream offers more than 120 open-source feeds and more than 30 premium feeds, many with free trial options before purchasing. If an organization already subscribes to one of these premium feeds (e.g., CrowdStrike, VirusTotal, FireEye), it is easy to log in and provide a license key. Anomali will then start ingesting new threat intelligence within minutes.
Security teams can install Anomali ThreatStream Integrator as a binary or MSI package on Windows Server and UNIX x64 environments to share platform intelligence with existing security technologies. In fact, there are 22 pre-built integrations with major SIEM, firewall, endpoint and similar technologies. Additional integrations are added monthly, and if one does not exist, it is possible to build a custom destination.
Once data is received and processed, threat intelligence can be distributed to several channels within an organization, sharing the feeds so that each receiving device gets the most out of the latest information available. Analysts logging into the threat platform will find a fully customizable dashboard (which has undergone a facelift since last year) that gives a quick summary of emerging threats. All widgets across multiple dashboards - whether IP addresses, web domains, email domains or even hashes - are interactive, offering the ability to drill down and quickly find relevant data.
In short, the dashboard provides everything needed to begin an investigation, including a built-in utility that allows analysts to create a case based on an indicator. The investigation can then be assigned to a workgroup or an individual, or shared within a trusted circle. Notable investigations can be expanded throughout the entire Anomali community to external companies or industry-minded Information Sharing & Analysis Centers (ISACs), a growing number of which use Anomali's platform.
In our testing, we saw detailed descriptions of threat actors and features focused on removing false positives and prioritizing key indicators. Confidence is determined by a machine learning algorithm and expressed as a score: 100 percent means Anomali is 100 percent confident, while the scores from individual researchers are displayed below that figure for comparison, since every company has different data vectors. The solution conveniently offers phishing email components that work alongside existing email gateways to protect end users from spam or phishing emails. The tool works with Diamond, STIX/TAXII and kill chain formatting to export or import information into other tools.
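To make the confidence-scoring and STIX import idea concrete, here is an added example (not Anomali's code, and not a description of its machine-learning model) that reads a STIX 2.1 bundle, merges the same indicator reported by several feeds, keeps the highest confidence as the headline score with each feed's own score alongside it for comparison, and drops anything below a threshold. The bundle, the three feed identities (FEED_A, FEED_B, FEED_C) and the "take the maximum" merge rule are all assumptions constructed for the example; the `confidence` property itself is a standard optional 0 to 100 field in STIX 2.1, and indicators that lack it are excluded rather than silently scored as zero.

```python
import json
import re

# Hypothetical feed identities, constructed for this example.
FEED_A = "identity--00000000-0000-4000-8000-00000000000a"
FEED_B = "identity--00000000-0000-4000-8000-00000000000b"
FEED_C = "identity--00000000-0000-4000-8000-00000000000c"


def _indicator(n, name, pattern, source, confidence=None):
    """Build one constructed STIX 2.1 indicator object (sample data only)."""
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-0000000000{n:02x}",
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-01-01T00:00:00.000Z",
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": "2024-01-01T00:00:00Z",
        "created_by_ref": source,
    }
    if confidence is not None:
        obj["confidence"] = confidence  # optional 0-100 property in STIX 2.1
    return obj


# Constructed bundle: one C2 address, one domain seen by two feeds with
# different scores, and one hash that carries no confidence at all.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(0x10, "C2 address (constructed)",
                   "[ipv4-addr:value = '203.0.113.10']", FEED_A, 95),
        _indicator(0x11, "Phishing domain (constructed)",
                   "[domain-name:value = 'malicious.example']", FEED_B, 60),
        _indicator(0x12, "Phishing domain (constructed)",
                   "[domain-name:value = 'malicious.example']", FEED_C, 85),
        _indicator(0x13, "Dropper hash (constructed)",
                   "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", FEED_A),
    ],
})

# Matches single-comparison STIX patterns such as
# [ipv4-addr:value = '...'] or [file:hashes.'SHA-256' = '...'].
_SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def parse_indicators(bundle_json):
    """Return {kind, value, confidence, source} for each indicator whose
    pattern is a single comparison; compound patterns are skipped."""
    bundle = json.loads(bundle_json)
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue
        out.append({
            "kind": m.group("path").split(":", 1)[0],   # ipv4-addr, domain-name, file
            "value": m.group("value"),
            "confidence": obj.get("confidence"),        # None when the feed gave no score
            "source": obj.get("created_by_ref", "unknown"),
        })
    return out


def prioritize(indicators, threshold=75):
    """Merge duplicate values across feeds, keep the highest confidence as the
    headline score plus every feed's score for comparison, and return entries
    at or above the threshold, highest first. Unscored indicators are dropped."""
    merged = {}
    for ind in indicators:
        entry = merged.setdefault(ind["value"], {
            "kind": ind["kind"], "value": ind["value"], "best": None, "sources": {}})
        if ind["confidence"] is None:
            continue
        entry["sources"][ind["source"]] = ind["confidence"]
        if entry["best"] is None or ind["confidence"] > entry["best"]:
            entry["best"] = ind["confidence"]
    ranked = [e for e in merged.values() if e["best"] is not None and e["best"] >= threshold]
    ranked.sort(key=lambda e: e["best"], reverse=True)
    return ranked


if __name__ == "__main__":
    for e in prioritize(parse_indicators(SAMPLE_BUNDLE)):
        per_feed = ", ".join(f"{src[-2:]}={score}" for src, score in e["sources"].items())
        print(f"{e['best']:3d}  {e['kind']:<12} {e['value']}  (per feed: {per_feed})")
```

Run as a script it prints the C2 address at 95 and the phishing domain at 85 (with the 60 from FEED_B shown beside it); the unscored hash never reaches the ranked list, which is the behaviour you want when a feed omits the field rather than asserting low confidence.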
Help is built into this threat intelligence platform, with access to training videos, a large knowledge base, and the ability to browse Anomali University. The company also offers a customer-only support portal and a customer forum for interacting with existing customers and sharing experiences.