What Are They?
Threat intelligence platforms are an emerging commercial category that gives a security operations team the ability to ingest threat feeds (lists of indicators such as IP addresses, domains, URLs and file hashes) from multiple sources.
What Do They Do?
Once ingested, these solutions can correlate the different threat intelligence sources against each other. This matching process can provide a security team with greater assurance that a threat is valid, and it can also enrich a single indicator with the additional context (related indicators, the reason it was listed, the campaign it belongs to) that the other sources carry.
The Challenge
This is supposed to be “the year of threat intelligence”, but many organizations are frustrated that they cannot turn this valuable source of data into trusted, actionable intelligence. Many threat feeds provide little or no information about why an indicator has been marked as potentially dangerous. Given that one of the key mantras of the security industry is “trust but verify”, many security teams are rightly wary of blindly trusting that an IP address or URL is bad just because somebody else says it is.
Leveraging
Some companies are looking to leverage these systems to create new automated response capabilities (for example, blocking an indicator once enough sources agree on it) and, where that is not possible, to create consolidated intelligence reports that threat assessment teams can quickly review to determine the right response.
The Benefits
By correlating one threat intelligence source against another, a security organization can gain greater insight and confidence around a threat notification. This means that the elements of a threat feed (the individual indicators of compromise) can be trusted more once they have been corroborated by an independent source.
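The correlation and triage described above, as an added example that is not code from the original post or from any vendor's platform. The three feeds, their reliability weights, the allowlist and the 0.75 block threshold are all constructed for illustration. The example also shows two things a practitioner learns the hard way: indicators must be normalized (defanged URLs, mixed-case hosts, trailing dots) before they will match across feeds, and a corroborated-but-internal indicator must be reported rather than blocked.

```python
"""Correlate indicators from several threat feeds and triage them.

Added example, not code from the original post or from any vendor's
platform.  The feeds, weights, allowlist and threshold below are
constructed for illustration.
"""
import ipaddress
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feeds: (indicator, type, the feed's stated reason).
# A reason of None models the common complaint that feeds give no justification.
FEEDS = {
    "feed_a": [
        ("198.51.100.23", "ip", "C2 beacon observed"),
        ("hxxp://EVIL-example[.]net/login", "url", "phishing kit"),
        ("203.0.113.9", "ip", "mass scanner"),
    ],
    "feed_b": [
        ("198.51.100.23", "ip", "malware download host"),
        ("http://evil-example.net/login", "url", None),
        ("192.0.2.53", "ip", "DNS tunnelling"),
    ],
    "feed_c": [
        ("198.51.100.23", "ip", "botnet member"),
        ("203.0.113.9", "ip", None),
    ],
}

# Assumed per-feed reliability: how much a hit from that feed alone is trusted.
# In practice these are tuned from each feed's past true/false positive rate.
FEED_WEIGHTS = {"feed_a": 0.6, "feed_b": 0.5, "feed_c": 0.3}

# Assumed internal / known-good indicators that must never be auto-blocked.
ALLOWLIST = {"192.0.2.53"}


def refang(value):
    """Undo common feed defanging so the same indicator matches across feeds."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def normalize(value, kind):
    """Return the canonical form of an indicator, or None if it is malformed."""
    value = refang(value.strip())
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "url":
        parts = urlsplit(value)
        if not parts.scheme or not parts.netloc:
            return None
        # Lower-case only scheme and host; the path is case-sensitive.
        return parts._replace(scheme=parts.scheme.lower(),
                              netloc=parts.netloc.lower().rstrip(".")).geturl()
    return None


def correlate(feeds, weights):
    """Merge feeds into one table keyed by normalized indicator.

    Confidence is a noisy-OR of the feed weights: every additional feed that
    reports the same indicator raises the score, but no single feed can push
    it to 1.0 on its own, so a lone source never looks fully corroborated.
    """
    table = defaultdict(lambda: {"type": None, "sources": set(), "reasons": []})
    for feed, entries in feeds.items():
        for raw, kind, reason in entries:
            key = normalize(raw, kind)
            if key is None:
                continue  # drop malformed entries rather than trust them
            entry = table[key]
            entry["type"] = kind
            entry["sources"].add(feed)
            if reason:
                entry["reasons"].append(f"{feed}: {reason}")
    for entry in table.values():
        entry["score"] = round(1 - math.prod(1 - weights[f] for f in entry["sources"]), 2)
    return dict(table)


def triage(table, allowlist, block_threshold=0.75):
    """Split indicators into auto-block, analyst review, and suppressed lists."""
    block, review, suppressed = [], [], []
    for key, entry in table.items():
        if key in allowlist:
            suppressed.append(key)  # report it, never block it
        elif entry["score"] >= block_threshold and len(entry["sources"]) >= 2:
            block.append(key)       # corroborated: safe to automate
        else:
            review.append(key)      # single source or weak: analyst decides
    return block, review, suppressed


if __name__ == "__main__":
    table = correlate(FEEDS, FEED_WEIGHTS)
    block, review, suppressed = triage(table, ALLOWLIST)
    for bucket, keys in (("BLOCK", block), ("REVIEW", review), ("SUPPRESSED", suppressed)):
        for key in keys:
            e = table[key]
            print(f"{bucket:10} {e['score']:.2f} {key}  sources={sorted(e['sources'])}  "
                  f"why={e['reasons'] or ['no reason given']}")
```

With the constructed data, the C2 address reported by all three feeds scores 0.86 and the phishing URL (matched only because the defanged and mixed-case copy was normalized) scores 0.8, so both go to the block list; the scanner address seen by two weaker feeds scores 0.72 and goes to review, and the internal resolver that one feed flagged is reported but suppressed. The reasons collected from each feed travel with the indicator, which is exactly the "why" that analysts complain is missing from a single feed.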
The Maturity of the marketplace
For the past couple of years there has been the traditional tussle of “build vs buy”. The builders were worried that the systems being promoted for this work were black boxes, which meant it was not possible to really mine the data. Other organizations didn’t have the resources or the business justification to build their own, and the market wasn’t mature enough to buy from. That has changed over the past year, and the number of vendors building solutions has grown dramatically.
Who are the players in this market?
I’m not going to give an assessment of the individual vendors, but a few of them built pure threat intelligence platforms early. Others are new entrants, and others are trying to evolve their existing platforms into a threat intelligence platform. They include BAE, Palantir, Sqrrl, Threat Connect, ThreatQuotient and ThreatStream.
Should You Be Looking at Them
I would. There is increasing pressure on security teams to be more proactive. No longer can we hide behind our traditional walls and wait to detect attackers once they have got in. We need to ensure that we are learning from what is happening outside, so that we can block attacks before they even get a chance to get inside.