An introduction to threat intelligence platforms in the enterprise

Expert Ed Tittel describes how threat intelligence platforms work to help in the proactive defense of enterprise networks.

A threat intelligence service gathers raw data about existing or emerging threats and threat actors from several sources, and then analyzes and filters that data to produce useable information in the form of management reports and data feeds for automated security control systems. Its primary purpose is to help organizations understand the risks of and better protect against zero-day threats, advanced persistent threats and exploits, especially those most likely to affect their specific environments.

Learning about relevant threats as soon as possible gives organizations the best chance to proactively block security holes and take other actions to prevent data losses, breaches or system failures.

Threat intelligence service models

Threat intelligence service companies are relative newcomers to the security industry, so there are still a lot of differences among the types of services each vendor delivers.

Some such services simply provide data feeds that have been cleansed of most false positives. The most common for-a-fee services provide aggregated and correlated data feeds (usually two or more), as well as customized alerts and warnings specific to a customer's risk landscape. Another type of threat intelligence service handles data aggregation and correlation; incorporates information automatically into security devices (firewalls, security information and event management, etc.); and provides industry-specific threat assessments and security consulting.

Each type of threat intelligence platform is sold on a subscription basis, usually at two or three capability levels, and is delivered via a cloud platform. Several companies offer managed services for delivery across on-premises systems.

Threat intelligence platforms can dramatically improve the efficiency of security staff in proactively blocking security incidents.

Because subscription costs tend to run moderately high to very expensive, and because of the equipment needed for on-premises deployment, threat intelligence platforms are currently geared mainly toward larger midmarket organizations and enterprises. As the cloud continues to move down market, however, threat intelligence tools are bound to do likewise.

The history of threat intelligence platforms

Threat intelligence platforms came into being mainly because of the plethora of data available, whether generated internally or acquired from external feeds, on current and emerging IT security threats. It takes considerable time, effort and expertise to sift through the data and transform it into information that's pertinent to an organization, however.

Security companies, such as Symantec, that make it their business to track threats and provide frequent updates to their antivirus products, have maintained global threat databases for years,  populated from software agents running on millions of client computers and other devices. Such data, along with feeds from other sources, is the foundation for the information provided by a threat intelligence tool.

A look inside threat intelligence service data

Data from various threat intelligence sources differs in quality and structure, and must be validated. Validating data involves human and machine analysis for processing, sorting and interpreting.

Apparent threats are also correlated against the entire pool of threat data to identify patterns that indicate suspicious or malicious activity, and are also linked to technical indicators for categorization purposes. Finally, the data is converted into contextual information that provides insights about the tactics and behavior patterns of emerging or advanced threats and threat actors.

In the end, the threat information that's usable and actionable must be accurate, timely, relevant to the customer, align with the customer's security strategies and be easily incorporated into existing security systems.

Characteristic features of threat intelligence platforms

Now that we've addressed the purposes and benefits of threat intelligence, let's look at the most common features found in these kinds of services.

  • Data feeds: Many types of data feeds are available through threat intelligence platforms. Examples include IP addresses, malicious domains/URLs, phishing URLs, malware hashes and many more. A vendor's threat intelligence feeds should draw data from its own global database, as well as from open source data, information from industry groups and so on, to produce a pool of data that is both broad and deep.
  • Alerts and reports: Most services provide real-time alerts, along with daily, weekly, monthly and quarterly threat reports. Intelligence may include information about specific types of malware, emerging threats, and threat actors and their motives.

Security analysts or IT security staff members are needed to manage data feed information. The data is either incorporated into proprietary equipment (typically from the same vendor that provides the feed), or the information may be available in standard file formats, such as XML, CSV, STIX or JSON, for use in a variety of security management tools and platforms.

Depending on the level of information in the data feeds, staff might need specialized training from the vendor.

Some companies offer managed security services that offload most of the administrative burden associated with a proactive security approach. A managed service may include experts that provide threat intelligence reports, monitor an organization's assets 24/7 and provide threat mitigation and incident response.

The cost of threat intelligence platforms varies as much as the services themselves. Data feeds alone can cost thousands of dollars per month, and related expenses include the costs of maintaining a 24/7 security operations center staffed with technicians and analysts. By way of comparison, managed security services are typically tens of thousands of dollars per month, easily running into six or seven figures per year for larger environments.

As with most things in business, the least expensive services require more human time and effort on the customer side.

Because threat intelligence services vary widely, a key challenge in selecting such a service is knowing what the organization needs (how the information will be used) and having the right staff in place to use that service appropriately. 

Next Steps

Read up on how threat intelligence can benefit enterprise security

Discover how threat intelligence feeds help to prioritize signals from internal systems against unknown threats

This was last published in April 2017

Dig Deeper on Risk management