The rise of advanced persistent threats (APTs) and the large volumes of data involved in threat detection are making the job of security analysts harder every day. The work of an information security engineer often involves sifting manually through hundreds of security alerts to find real threats. The huge amounts of data collected by any given organization nowadays make it almost impossible for the usually understaffed security teams to keep on top of threats. While security teams use resources and software tools to overcome these challenges, the new tools they wish to introduce often don't integrate easily into the existing software infrastructure of their organization.
A threat intelligence platform automates the processing and analysis of data from multiple feeds. This relieves staff overload by providing them with an effective means of analysis in real-time. Security teams can thus respond more quickly and accurately to threats.
In this post:
- What is a threat intelligence platform (TIP)
- The need for TIPs in cyber threat security
- Cyber threat intelligence platform capabilities
- Top TIPs vendors
- Threat intelligence integrated with a modern SIEM
What is a threat intelligence platform?
A threat intelligence platform (TIP) is a software solution that organizations use to detect, block, and eliminate information security threats. The platform combines multiple threat intelligence feeds, compares them with previous events, and generates alerts for the benefit of the security team. TIPs integrate with existing security information and event management (SIEM) solutions and assign value to the alerts while prioritizing alerts according to their level of urgency.
One advantage of the platform is that it lets security teams safely share threat intelligence with other relevant departments and external security experts. The system collects and analyzes threat data, coordinating the tactics and activities between the stakeholders.
When the security team detects a threat, they will involve all relevant departments in the investigation. Everyone with a stake in the security organization has responsibilities in the implementation of the incident response plan. TIPs come in handy when coordinating efforts at critical times for this reason.
The need for a threat intelligence platform in cyber threat security
Attackers can lurk inside a network for a long period before detection, so organizations need to look for solutions that can help them detect threats before they turn into attacks.
Threat intelligence helps organizations collect, compare, and analyze threat data in real-time, to detect and stop attackers before they cause damage. A recent survey of IT security officers by the Ponemon Institute found that 84% of respondents think threat intelligence should be a basic part of any strong security posture.
In traditional information security, security teams deal with very large volumes of threat data, which can be time-consuming and overwhelming. Security teams iteratively search through the alerts to distinguish real threats from false positives.
TIPs aggregate all the information from multiple sources. They enrich the information to determine the type and severity of the threat, automatically sifting through the threat alerts. Security teams can use the information to focus on urgent incidents.
Cyber threat intelligence platform capabilities
Threat intelligence platforms perform these three basic functions:
- Aggregation—funnels multiple threat intelligence feeds into a centralized feed.
- Analysis—curates data, using indicators to define and identify security threats.
- Action—shares relevant threat intelligence with incident response and defense teams.
The platform implements these key functions while automating the workflow throughout the security lifecycle. The steps involved in the threat intelligence security lifecycle are as follows:
1. Data aggregation
The TIP aggregates data from multiple feeds in formats including STIX, XML, JSON and OpenIOC. It is important to include data from internal sources such as network logs as well as external sources such as the open and the dark web. The deeper and better the feeds, the more effective the TIP.
2. Sorting and deduplication
The TIP's automated process sorts the data, organizes it with metadata tags, and weeds out irrelevant or redundant information. It then compares the data with curated information, finding patterns and correlations to detect threats.
3. Adding context
Context is key in threat intelligence. Without it, it is easy to confuse an anomaly with a threat while overlooking the real threats. At this stage, the TIP gives context to the sorted data to eliminate false positives, adding data such as IP location, network, and domain blocklists to provide security teams with as much information about the potential threat as possible.
4. Threat analysis
A TIP analyzes threat indicators in real time, using the platform's visibility features to see the relationships between data points. Security analysts can use this information to detect hidden threats.
5. Integration and dissemination
Threat intelligence platforms integrate with the security tools the organization uses to maximize information flow. At this stage, the platform disseminates the collected and analyzed data to the relevant departments for processing.
If the platform detects a threat, it alerts the response team to start the incident response plan. The security cycle works in a loop, feeding the information from one cycle into the next.
6. Response
An effective threat intelligence platform also processes responses. The automated analysis facilitates collaboration with response teams and shortens the response time in the event of an attack. Sophisticated TIPs collaborate with Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), giving these communities the information they need to develop security tools and applications.
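The lifecycle above is easiest to understand as a data pipeline. The following is an added example, not code from the original post or from any TIP vendor: it aggregates indicators from two constructed feeds (a STIX-like JSON bundle and a CSV list), normalizes and deduplicates them, enriches them with constructed context (a stand-in for IP geolocation and a domain blocklist), correlates them against constructed proxy and firewall log lines, and produces a prioritized alert list. The feed formats, indicator values, log format and scoring weights are all assumptions chosen for illustration.

```python
"""Toy threat-intelligence pipeline: aggregate -> normalize -> enrich -> correlate -> prioritize."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample feeds. Addresses use documentation ranges; the domain is fictitious.
STIX_FEED = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'Login-Update.Example']", "labels": ["phishing"]},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']", "labels": ["c2"]},
    ],
})
CSV_FEED = """indicator,type,tag
login-update.example,domain,phishing
198.51.100.23,ip,scanner
203.0.113.7,ip,c2
"""

# Constructed enrichment context (stand-ins for a geolocation lookup and a domain blocklist).
IP_GEO = {"203.0.113.7": "ZZ", "198.51.100.23": "ZZ"}
DOMAIN_BLOCKLIST = {"login-update.example"}

# Constructed internal log lines in a simple key=value style (the "internal source" of the text).
LOG_LINES = [
    "2024-01-10T09:12:01Z proxy user=alice dst=login-update.example action=allow",
    "2024-01-10T09:15:44Z fw src=10.0.0.5 dst=203.0.113.7 action=allow",
    "2024-01-10T09:16:02Z fw src=10.0.0.9 dst=203.0.113.7 action=allow",
    "2024-01-10T10:01:13Z proxy user=bob dst=news.example action=allow",
]

# Assumed base severities per feed tag; a real TIP would take these from its curated knowledge.
TAG_SEVERITY = {"c2": 8, "phishing": 6, "scanner": 2}
STIX_PATTERN = re.compile(r"\[(domain-name|ipv4-addr):value = '([^']+)'\]")


@dataclass
class Indicator:
    value: str
    kind: str                      # "ip" or "domain"
    tags: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    context: dict = field(default_factory=dict)


def normalize(value):
    """Canonical form so the same indicator from two feeds deduplicates to one record."""
    return value.strip().lower()


def parse_stix(bundle_json):
    """Yield (kind, value, tag) from the simple STIX-style patterns used in the sample bundle."""
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = STIX_PATTERN.fullmatch(obj["pattern"])
        if match:
            kind = "domain" if match.group(1) == "domain-name" else "ip"
            for tag in obj.get("labels", []):
                yield kind, match.group(2), tag


def parse_csv(text):
    for line in text.strip().splitlines()[1:]:      # skip header
        value, kind, tag = (part.strip() for part in line.split(","))
        yield kind, value, tag


def aggregate(feeds):
    """Merge (source_name, records) pairs into one indicator per (kind, value), unioning tags and sources."""
    merged = {}
    for source, records in feeds:
        for kind, value, tag in records:
            key = (kind, normalize(value))
            ind = merged.setdefault(key, Indicator(value=key[1], kind=kind))
            ind.tags.add(tag)
            ind.sources.add(source)
    return list(merged.values())


def enrich(indicators):
    for ind in indicators:
        if ind.kind == "ip":
            ind.context["geo"] = IP_GEO.get(ind.value, "unknown")
        else:
            ind.context["blocklisted"] = ind.value in DOMAIN_BLOCKLIST
    return indicators


def correlate(indicators, log_lines):
    """Count log lines whose dst= field matches each indicator (internal sightings)."""
    destinations = [m.group(1).lower() for line in log_lines if (m := re.search(r"dst=(\S+)", line))]
    return {ind.value: destinations.count(ind.value) for ind in indicators}


def score(ind, hits):
    base = max(TAG_SEVERITY.get(tag, 1) for tag in ind.tags)
    corroboration = len(ind.sources) - 1            # seen in more than one feed
    blocklist_bonus = 2 if ind.context.get("blocklisted") else 0
    return base + corroboration + blocklist_bonus + 3 * min(hits, 3)


def prioritize(log_lines=LOG_LINES):
    """Return [(indicator, score, internal_hits)] sorted by descending priority."""
    indicators = enrich(aggregate([("stix", parse_stix(STIX_FEED)), ("csv", parse_csv(CSV_FEED))]))
    hits = correlate(indicators, log_lines)
    ranked = [(ind.value, score(ind, hits[ind.value]), hits[ind.value]) for ind in indicators]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for value, prio, sightings in prioritize():
        print(f"{prio:3d}  hits={sightings}  {value}")
```

The ranking puts the C2 address seen twice internally first, the blocklisted phishing domain second, and the scanner address with no internal sightings last, which is the "focus on urgent incidents" outcome the text describes: the same three indicators, but only two deserve an analyst's time today.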
Top threat intelligence platforms
Below we briefly cover the four threat intelligence platforms identified as leaders in the Gartner Threat Intelligence Magic Quadrant for 2018.
Palo Alto Networks Autofocus
Palo Alto Networks Autofocus is a hosted security service that delivers curated context from the Palo Alto Networks threat research team. The solution combines machine intelligence with statistical analysis to aggregate and correlate threat intelligence from third-party sources. The platform automates workflows to identify, analyze, and respond to threats while allowing human intervention when needed.
Fortinet
Fortinet is a research and development company that develops and markets cybersecurity software and services, such as firewalls, anti-virus, intrusion prevention and endpoint security. It boasts a threat intelligence and research organization called FortiGuard Labs that analyzes security events around the world, mapping the threat landscape.
The research team maintains an integrated threat intelligence ecosystem. It uses proprietary artificial intelligence (AI) and machine learning (ML) systems to gather and analyze billions of security events daily, feeding the Fortinet platform with relevant information to protect the organization's systems from threats.
Cisco Talos
Talos is Cisco's threat intelligence security expert team, providing detection research, threat intelligence, engine development and vulnerability research. It creates threat intelligence for all Cisco products, developing the underlying technology for an array of products including endpoint security, threat response, and next-generation firewalls.
Check Point ThreatCloud
Check Point offers a managed security service called ThreatCloud, providing a fully managed 24×7 monitoring service with real-time access to alerts via a web dashboard and across devices. The offering provides two levels of service. The first is a Monitoring and Alert service, which provides automated IPS log analysis, with the premium tier adding an analyst who reviews the alerts. The second level is a fully managed Threat Prevention service, featuring anti-bot and antivirus and even remote management of the device.
Limitations of a threat intelligence platform
Organizations deploying a threat intelligence platform may find themselves overloaded if the volume of data is too high. If you have data coming from multiple independent intelligence sources, you need to process the context of this data to effectively filter alerts. This process can be automated with the use of machine learning.
TIPs work by identifying indicators of compromise (IOCs) and focus on tactics, techniques and procedures (TTPs) to detect threats. A modern SIEM provides the baselining of classified examples needed to extract the information it uses to train itself to classify additional data.
Sifting through alerts without relevant context can result in alert overload. Adding a SIEM therefore lets the threat intelligence platform bring sequence and logic to bear when identifying threats.
Threat intelligence integrated with a modern SIEM
When organizations integrate an existing security information and event management (SIEM) system with a threat intelligence platform, they can prioritize alerts, adding value to their SIEM.
A SIEM correlates logs, using user and entity behavior analysis to identify threats and send alerts. While it is effective, it can generate too many alerts, resulting in alert fatigue.
Modern SIEM platforms have built-in threat intelligence capabilities that can enhance the accuracy and effectiveness of your cybersecurity defense. Some of the key features present in SIEM include:
- User and entity behavior analytics (UEBA)—the platform leverages behavioral analytics to detect behavior anomalies that may result in an attack. It correlates the data giving it context, effectively identifies if the threat is real, and determines its level of severity.
- Security orchestration automation and response (SOAR)—an organization can use this solution to automate the collection of data and response to low-level security events. SOAR identifies incidents, compares them with existing threat intelligence data, and follows up with mitigation activities. With automation in place, analysts have more time to focus on high-level, complex threats.
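To make the UEBA and SOAR bullets concrete, here is an added example that is not code from the original post or from any vendor's product. It builds a per-user behavioral baseline (usual login hours and countries) from constructed historical logins, scores new constructed login events against that baseline and against a constructed set of known-bad IPs standing in for a threat intelligence feed, and then applies a SOAR-style rule that auto-closes unremarkable events, opens a ticket for medium ones, and escalates only high-scoring ones to an analyst. User names, addresses, thresholds and weights are all assumptions chosen for illustration.

```python
"""UEBA-style baseline scoring with SOAR-style automated triage (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical logins used to build per-user baselines: (user, hour_utc, country).
HISTORY = [
    ("alice", 8, "DE"), ("alice", 9, "DE"), ("alice", 9, "DE"), ("alice", 10, "DE"), ("alice", 8, "DE"),
    ("bob", 22, "US"), ("bob", 23, "US"), ("bob", 21, "US"), ("bob", 22, "US"), ("bob", 23, "US"),
]

# Constructed new login events to triage: (event_id, user, hour_utc, country, src_ip).
NEW_EVENTS = [
    ("e1", "alice", 9, "DE", "10.0.0.5"),          # normal for alice
    ("e2", "alice", 3, "ZZ", "203.0.113.7"),       # new country, odd hour, source IP on the intel list
    ("e3", "bob", 22, "US", "10.0.0.9"),           # normal for bob
    ("e4", "bob", 22, "BR", "198.51.100.23"),      # new country only
    ("e5", "carol", 12, "FR", "10.0.0.20"),        # no history at all for this user
]

# Constructed stand-in for the TIP's curated IOC feed.
KNOWN_BAD_IPS = {"203.0.113.7"}


def build_baselines(history):
    """Per user: mean and spread of login hour plus the set of countries seen before."""
    per_user = defaultdict(list)
    for user, hour, country in history:
        per_user[user].append((hour, country))
    baselines = {}
    for user, records in per_user.items():
        hours = [h for h, _ in records]
        baselines[user] = {
            "hour_mean": mean(hours),
            # Floor the spread at one hour so a very regular user is not flagged for a 30-minute drift.
            "hour_std": max(pstdev(hours), 1.0),
            "countries": {c for _, c in records},
        }
    return baselines


def score_event(event, baselines, bad_ips):
    """Return (score, reasons). Weights are assumptions for the example, not tuned values."""
    _, user, hour, country, src_ip = event
    score, reasons = 0, []
    base = baselines.get(user)
    if base is None:
        score += 3
        reasons.append("no baseline for user")
    else:
        if country not in base["countries"]:
            score += 4
            reasons.append(f"new country {country}")
        z = abs(hour - base["hour_mean"]) / base["hour_std"]
        if z > 2:
            score += 2
            reasons.append(f"unusual hour {hour} (z={z:.1f})")
    if src_ip in bad_ips:
        score += 5
        reasons.append("source IP matches threat intelligence")
    return score, reasons


def triage(events=NEW_EVENTS, history=HISTORY, bad_ips=KNOWN_BAD_IPS):
    """SOAR-style playbook: decide an action per event from its anomaly score."""
    baselines = build_baselines(history)
    decisions = {}
    for event in events:
        score, reasons = score_event(event, baselines, bad_ips)
        if score == 0:
            action = "auto_close"
        elif score < 5:
            action = "open_ticket"
        else:
            action = "escalate_to_analyst"
        decisions[event[0]] = {"user": event[1], "score": score, "action": action, "reasons": reasons}
    return decisions


if __name__ == "__main__":
    for event_id, decision in triage().items():
        print(event_id, decision["action"], decision["score"], "; ".join(decision["reasons"]))
```

Only one of the five events reaches an analyst; two are closed automatically with no human involvement, which is the workload reduction the SOAR bullet describes. The baseline also shows why context matters: the same hour of day is normal for bob and anomalous for alice.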
Exabeam Threat Intelligence Service is a cloud-based solution with proprietary threat intelligence technology. The system collects and analyzes threat indicators from multiple feeds. The service is free for Exabeam customers as part of the Exabeam Security Management Platform and can also integrate with TIP vendors for a broader source of IOCs.
Threat Intelligence Service collects indicators of compromise (IoC) by sifting through alerts using machine algorithms to remove false positives and ranking each indicator. A dashboard provides real-time visibility into security threats and malicious hosts.
Security analysts have a native threat intelligence feed using SIEM, UEBA, and SOAR capabilities integrated on the same security management platform. The user interface creates incident timelines for each IoC, aggregating all the relevant contexts related to it.
This combination of accuracy and solutions integration led Gartner to identify Exabeam as a market leader for SIEM in the 2018 Gartner SIEM Magic Quadrant. Companies looking for a threat intelligence platform that integrates behavior analytics and response automation capabilities can find in Exabeam Threat Intelligence Service a pre-configured solution they can rely on.