ThreatStream's OPTIC is a cyberthreat intelligence platform that manages the lifecycle of threat intelligence via integration across an enterprise's security infrastructure. It's a SaaS-based platform that users access via a web-based portal. Adding OpticLink, a software package that can be optionally installed on customers' premises, automates the process to operationalize risk-scored and actionable threat intelligence into the existing security infrastructure.
ThreatStream has a lot of neat functionality beyond the obvious benefits of a direct intelligence-to-infrastructure connection. For example, partners can create connectors that are provided through ThreatStream's Alliance Preferred Partner (APP) store. The organization pioneered the use of the modern honeynet network.
AT A GLANCE
Product: ThreatStream Optic Platform
Price: Starts at $50,000.
What it does: Sits at the center of threat-managed security in an enterprise. It collects threat intelligence and uses it to manage security devices across the enterprise.
OpticLink goes on the devices on which users want to take advantage of intelligence feeds from ThreatStream. The architecture is interesting in that it constitutes a set of connectors that can consume intelligence data from a number of suppliers, and it can apply its analytics to devices from a number of suppliers as well. The intelligence platform tracks about four million indicators and uses 50 factors to determine the applicability of an indicator to the user's infrastructure.
ThreatStream does not stop with IPs or malware, either. There is a significant threat analysis capability that reaches past malware to activity such as operations run by groups like Anonymous. Deep dives into IPs that are spreading APTs are available with the click of a mouse, and users can drill down for a great deal of detail.
Sometimes, threats are of a sort that is particularly applicable to an organization because of who they are, what they do, or the business or government sector in which they operate. In that case it is convenient to track certain types of threat intelligence on an ongoing basis and, perhaps, share that with others in the organization. ThreatStream has a tool called TIP (Threat Intelligence Package) for that. You can create your own TIP and share it with trusted circles.
For example, you might be part of an Information Sharing and Analysis Center (ISAC) and want to share your TIP with other members since it might apply to all. You can classify your TIP as public, private or trusted circles. In the example, you would likely restrict your dissemination to your ISAC trusted circle. Further, as in many similar products, ThreatStream has a powerful sandbox. We were impressed by the level of detail its sandbox produces. Finally, there are more than 100 threat streams available out of the box, but you can add your own feeds. ThreatStream will do the connection so you can be sure that everything matches your platform. Reporting is comprehensive and you have sole control over what is in the reports.
OUR BOTTOM LINE
This is a solid integration of many threat sources and enterprise security tools. It takes threat intelligence and uses it to configure, manage and alert, using such industry-standard systems as Splunk, ArcSight and others. The founder of ThreatStream came from ArcSight, so there is a solid history behind this two-year-old company.
We liked the comprehensive nature of the offering and, especially, the creative approach to marrying up threat intelligence sources and the tools used to manage the security posture of the enterprise.
So, for this one, our bottom line is that this is a worthwhile system to explore. While it runs pretty much on its own steam, so to speak, keeping new threat streams feeding into it requires some dedication from analysts and security engineers. The only downside for a tool that positions itself as the meat in the sandwich between intelligence sources and security management tools is the work of keeping the platform current.
When the threatscape changes as rapidly as what we are used to seeing today, having ThreatStream is a first-rate proactive defense. However, in such a changing environment it would be a mistake to "set and forget."