Threat Intelligence Platform (TIP): Rise of Advanced Persistent Threats (APTs) and the massive amounts of information involved in the detection of threats make the role of security analysts more complicated day in and day out. An information security engineer’s job mostly manually includes screening for real threats across literally dozens of security notifications. Nowadays, the immense amounts of data accumulated by any particular enterprise make it almost impossible for underresourced security teams to actually compete with threats. Threat intelligence platforms (TIPs) automate the processing and analysis of data from multiple feeds.
While security teams use resources and software tools to overcome these challenges, often the new tools they wish to introduce don’t integrate easily into the existing software infrastructure of their organization. This relieves staff overload by providing them with an effective means of analysis in real-time. Security teams can thus respond more quickly and accurately to threats.
Table Of Contents
- What Is A Threat Intelligence Platform (TIP)?
- The Need For A Threat Intelligence Platform (TIPs) During Cyber Threat Security
- Cyber Threat Intelligence Platform Capabilities
- Top Four Threat Intelligence Platforms (TIPs)
- Limitations Of A Threat Intelligence Platform
- Threat Intelligence Integrated With A Modern SIEM
What Is A Threat Intelligence Platform (TIP)?
A threat intelligence platform (TIP) is a software solution that organizations use to detect, block, and eliminate information security threats. The platform combines multiple threat intelligence feeds, compares them with previous events and generates alerts for the benefit of the security team. TIPs integrate with existing security information and event management (SIEM) solutions and assign value to the alerts while prioritizing alerts according to their level of urgency.
One advantage of the platform is that it lets security teams safely share threat intelligence with other relevant departments and external security experts. The system collects and analyzes threat data, coordinating the tactics and activities between the stakeholders.
When the security team detects a threat, they will involve all relevant departments in the investigation. Everyone with a stake in the security organization has responsibilities in the implementation of the incident response plan. TIPs come in handy when coordinating efforts at critical times for this reason.
The Need For A Threat Intelligence Platform (TIPs) During Cyber Threat Security
Attackers can lurk inside a network for a long period before detection, so organizations need to look for solutions that can help them detect threats before they turn into attacks.
Threat intelligence helps organizations collect, compare, and analyze threat data in real-time, to detect and stop attackers before they cause damage. A recent survey of IT security officers by the Ponemon Institute found that 84% of respondents think threat intelligence should be a basic part of any strong security posture.
In traditional information security, security teams deal with very large volumes of threat data, which can be time-consuming and overwhelming. Security teams iteratively search through the alerts to distinguish real threats from false positives.
TIPs aggregate all the information from multiple sources. They enrich the information to determine the type and severity of the threat, automatically sifting through the threat alerts. Security teams can use the information to focus on urgent incidents.
Cyber Threat Intelligence Platform Capabilities
Threat intelligence platforms perform these three basic functions:
- Aggregation – Funnels multiple threat intelligence feeds into a centralized feed.
- Analysis – Curates data, using indicators to define and identify security threats.
- Action – Share relevant threat intelligence with incident response and defense teams.
The platform implements these key functions while automating the workflow throughout the security lifecycle. The steps involved in the threat intelligence, security lifecycle are as follows:
Aggregate data from multiple feeds including, STIX, XML, JSON, OpenIOC. It is important to include data from internal sources such as network logs and external sources such as the open and the dark web. The deeper and better the feeds, the more effective the TIP.
The TIP automated process sorts the data, organizes it with metadata tags, and weeds out non-relevant or redundant information. It then compares the data with curated information, finding patterns and correlations to detect threats.
Context is key in threat intelligence. Without it, it is easy to confuse an anomaly with a threat while overlooking the real threats. At this stage, the TIP gives context to the sorted data to eliminate false positives, adding data such as IP location, network and domain blocklists provide security teams with as much information about the potential threat as possible.
4. Threat Analysis
A TIP analyzes threat indicators in real-time, using the platform visibility features to see the relationship between data. Security analysts can use this information to detect hidden threats.
Threat intelligence platforms integrate with security tools the organization uses to maximize information flow. At this stage, the platform disseminates the collected and analyzed data to the relevant departments for processing.
If the platform detects a threat, it alerts the response team to start the incident response plan. The security cycle works in a loop, using the information from one cycle to the next.
An effective threat intelligence platform also processes responses. The automated analysis facilitates collaboration with the response team and shortens the response time in the event of an attack. Sophisticated TIPs collaborate with Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), giving these communities the information they need to develop security tools and applications.
Top Four Threat Intelligence Platforms (TIPs)
Below we briefly cover the four threat intelligence platforms identified as leaders in the Gartner Threat Intelligence Magic Quadrant for 2018.
Palo Alto Networks Autofocus
Network Autofocus is a hosted security service that delivers curated context from the Palo Alto Networks threat research team. The solution combines machine intelligence with statistical analysis, to aggregate and correlate threat intelligence from third-party sources. The platform automates workflows to identify, analyze, and respond to threats while allowing human intervention when needed.
A research and innovation corporation, it develops and markets, applications and services for cybersecurity like those of endpoint security, intrusion prevention, anti-virus and firewalls. It boasts a threat intelligence and research organization called FortiGuard Labs that analyzes security events around the world, mapping the threat landscape.
The research team maintains an integrated threat intelligence ecosystem. It uses proprietary artificial intelligence (AI) and machine learning systems (ML) to gather and analyze billions of security events daily, feeding the Fortinet platform with relevant information to protect the organization systems from threats.
Talos is Cisco’s threat intelligence, security expert team, providing detection research, threat intelligence, engine development and vulnerability research. It creates threat intelligence for all Cisco products, developing the underlying technology on an array of products including endpoint security, threat response, and next-generation firewalls.
CheckPoint offers a managed security service called ThreatCloud, providing fully managed monitoring service 24×7 with real-time access to alerts via a web dashboard and across devices. The offering provides two levels of service. The first is a Monitoring and Alert service, which provides automated lPS log analysis, with the premium level boasting the services of an analyst reviewing the alerts.
The second level involves a fully managed Threat Prevention service, featuring anti-bot and antivirus and even remote management of the device.
Limitations Of A Threat Intelligence Platform
Organizations deploying a threat intelligence platform may find themselves overloaded if the volume of data is too high. If you have data coming from multiple independent intelligence sources, you need to process the context of this data to effectively filter alerts. This process can be automated with the use of machine learning.
While TIPs work by identifying indicators of compromise (IOC), they focus on the tactics, techniques and procedures (TTP) for threat detection. A modern SIEM provides the baseline of classified examples to extract the information necessary to train itself to classify additional data.
Sifting through alerts without relevant context can result in an overload of alerts. Therefore, the addition of SIEM enables the threat intelligence platform to add sequence and logic to identify threats.
Threat Intelligence Integrated With A Modern SIEM
When organizations integrate an existing security information and event Management (SIEM) system with a threat intelligence platform, they can prioritize alerts, adding value to their SIEM.
A SIEM correlates logs, using user and entity behavior analysis to identify threats and send alerts. While it is effective, it can generate too many alerts, resulting in alert fatigue.
Modern SIEM platforms have built-in threat intelligence capabilities that can enhance the accuracy and effectiveness of your cybersecurity defense. Some of the key features present in SIEM include:
- User And Entity Behavior Analytics (UEBA) – The platform leverages behavioral analytics to detect behavior anomalies that may result in an attack. It correlates the data, giving it context, effectively identifies if the threat is real and determines its level of severity.
- Security Orchestration Automation And Response (SOAR) – An organization can use this solution to automate the collection of data and response to low-level security events. SOAR identifies incidents, compares them with existing threat intelligence data, and follows up with mitigation activities. With automation in place, analysts have more time to focus on high-level, complex threats.
Threat Intelligence Service is a cloud-based solution with proprietary threat intelligence technology. The system collects and analyzes threat indicators from multiple feeds.
Threat Intelligence Service collects indicators of compromise (IoC) by sifting through alerts using machine algorithms to remove false positives and ranking each indicator. A dashboard provides real-time visibility into security threats and malicious hosts.
Security analysts have a native threat intelligence feed using SIEM, UEBA, and SOAR capabilities integrated in the same security management platform. The user interface creates incident timelines for each IoC, aggregating all the relevant contexts related to it.