The term ‘threat intelligence’ is a popular one in today’s security market where nearly every offering seems to come with a side of threat intelligence.
The most valuable threat intelligence offerings uncover data you don't already have, delivered in a form your organization can act on quickly. With so many vendors staking claims in this market, it's important for organizations to evaluate candidates carefully before picking a threat intelligence product they will use internally.
Definitions of threat intelligence vary widely depending on the source, but the product itself tends to have the following characteristics:
- It’s a data-only product – not a combination of security offerings and inputs. While a firewall consumes threat data that can help generate blocking rules, if the data can’t be separated from your firewall, it’s not a threat intelligence offering.
- It’s used to analyze and share threat intelligence data only. Neither enterprise consoles with alerting and reporting nor intrusion-detection systems should be considered threat intelligence products.
- The user must be able to act on the data as needed. It can be used, for example, to decide which IP addresses to monitor. Or it can be used in conjunction with forensic software to figure out whether a breach has actually occurred and what else you need to be looking for.
- Threat intelligence must include data you don’t already have. Monitoring a network and generating alerts doesn’t qualify, and simply figuring out that you’ve been breached is not threat intelligence. But getting external data that tells who may have attacked you and their probable purpose – that’s threat intelligence.
Threat intelligence products are designed to take inputs from your existing security products and export data to other security products. They are normally complementary to what an organization already has.
Many threat intelligence vendors aggregate and resell one another’s feeds.
VirusTotal's data, for example, is a popular input to numerous threat intelligence offerings. With so many open source threat intelligence feeds out there, it's important for your organization to do its homework: what one vendor is selling may simply be white-labeled from another vendor, or repackaged from a freely available feed. If you're not careful, you can end up buying the same data multiple times.
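A practical check for exactly this duplication, added here as an example (it is not from the original article or from any vendor's tooling): normalize each candidate feed's indicators to a canonical form, then measure how many of them are already present in the feeds you hold and how strongly each pair of feeds overlaps. The three feeds below are constructed samples using documentation-range addresses and a placeholder hash, not real vendor data; the feed names and the one-indicator-per-line format are assumptions.

```python
"""Measure how much each threat-intelligence feed adds beyond the others.

Example code added to the article; the feeds are constructed samples,
not real vendor exports.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample feeds: one indicator per line, '#' starts a comment.
# Case, trailing dots and IPv6 spelling deliberately differ between feeds
# so that naive string comparison would under-count the overlap.
FEED_A = """
# vendor A, daily export
198.51.100.23
Evil-Domain.example.
203.0.113.7
d41d8cd98f00b204e9800998ecf8427e
2001:DB8::1
phish.example
"""

FEED_B = """
# vendor B
198.51.100.23
EVIL-DOMAIN.EXAMPLE
2001:db8::1
192.0.2.10
"""

FEED_C = """
# vendor C (looks like a superset of A and B)
203.0.113.7
198.51.100.23
evil-domain.example
D41D8CD98F00B204E9800998ECF8427E
2001:db8:0:0:0:0:0:1
192.0.2.10
"""

SAMPLE_FEEDS = {"vendor_a": FEED_A, "vendor_b": FEED_B, "vendor_c": FEED_C}

# MD5, SHA-1 or SHA-256 hex digests.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def normalize(raw):
    """Return a canonical (type, value) tuple, or None for blank/comment lines."""
    value = raw.strip()
    if not value or value.startswith("#"):
        return None
    try:
        # ip_address() canonicalizes IPv6 spelling and lowercases hex groups.
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if HASH_RE.match(value):
        return ("hash", value.lower())
    # Treat anything else as a domain: lowercase, drop a trailing root dot.
    return ("domain", value.lower().rstrip("."))


def parse_feed(text):
    """Parse a one-indicator-per-line feed into a set of (type, value) tuples."""
    indicators = set()
    for line in text.splitlines():
        ioc = normalize(line)
        if ioc is not None:
            indicators.add(ioc)
    return indicators


def overlap_report(feeds):
    """feeds: {name: raw feed text}.

    Returns, per feed, how many indicators appear in no other feed (the data
    you would not already have), and the Jaccard overlap of every feed pair.
    """
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    report = {"feeds": {}, "pairs": {}}
    for name, iocs in parsed.items():
        others = set().union(*(v for k, v in parsed.items() if k != name))
        unique = iocs - others
        report["feeds"][name] = {
            "size": len(iocs),
            "unique": len(unique),
            "unique_fraction": len(unique) / len(iocs) if iocs else 0.0,
        }
    for a, b in combinations(sorted(parsed), 2):
        inter = parsed[a] & parsed[b]
        union = parsed[a] | parsed[b]
        report["pairs"][(a, b)] = len(inter) / len(union) if union else 0.0
    return report


if __name__ == "__main__":
    result = overlap_report(SAMPLE_FEEDS)
    for name, stats in result["feeds"].items():
        print(f"{name}: {stats['size']} indicators, "
              f"{stats['unique']} found in no other feed")
    for (a, b), jaccard in result["pairs"].items():
        print(f"{a} vs {b}: Jaccard overlap {jaccard:.2f}")
```

On the constructed data, vendor B and vendor C contribute no indicator that the other feeds lack, which is the signal that paying for all three would mean buying the same data more than once. Run the same comparison against the feeds you already consume before adding a new one; the normalization step matters, because the same indicator spelled differently across feeds otherwise hides the overlap.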
Players in the Threat Intelligence Space
Nearly every large security vendor now uses ‘threat intelligence’ to enrich its products and services. Here are some vendor offerings that meet the 451 Research definition of threat intelligence:
- Threat intelligence feeds – Well-known players in this area include iSIGHT Partners, Cyveillance, Verisign iDefense, IID, FireEye, Webroot, Anubis Networks, Norse Corporation, Farsight Security, AlienVault, ThreatConnect, CrowdStrike, ThreatTrack, Symantec and Malcovery.
- Threat intelligence data references – These vendors make data accessible for querying and reporting through their central consoles. They also accept uploaded malware or logs from customers and match them with their own intelligence. Vendors in this area include ThreatGRID (acquired by Cisco), ThreatStream, Lookingglass and Seculert, as well as many of the vendors listed above.
- Threat intelligence research and reporting – Some vendors offer boutique threat intelligence services. For example, Dell SecureWorks researches threats to specific company brands or executives; ZeroFOX monitors customer social media assets; and Bitsight Technologies evaluates the security risk to a customer from its partners.
When evaluating different threat intelligence offerings, the first step is to figure out what kinds of decisions your organization needs to make and how threat intelligence can help you make them. Always think in terms of those decisions: if you can't use the data to support your organization's internal decision-making, the intelligence you receive won't prove actionable, no matter how good it may be.